Conference Coverage

RSA Conference 2016 special coverage: News and analysis

Reporting and analysis from IT events

DOD announces 'Hack the Pentagon' bug bounty program

Defense Secretary Ashton Carter announces the 'Hack the Pentagon' bug bounty program and new Defense Innovation Advisory Board to be headed by Eric Schmidt.

SAN FRANCISCO -- To announce the unprecedented "Hack the Pentagon" initiative, the United States government's first-ever bug bounty program, Secretary of Defense Ashton Carter joined Ted Schlein, general partner at Kleiner Perkins Caufield & Byers, for what was billed at RSA Conference 2016 as "A Conversation on Collaboration Between Silicon Valley and the Department of Defense."

Hack the Pentagon

Asking Carter about the Hack the Pentagon program, Schlein elicited laughter when he noted it's a program the Russians and Chinese are also running.

"There are black hats out there, and this is white hats. We're trying to adopt a best practice [by] crowdsourcing the expertise [and gaining access to] good people, rather than bad people," Carter said. It's better to have the good people find the vulnerabilities in the network than have them found "the other way -- pilferage."

Noting that the program will be restricted to U.S. citizens, Carter said, "We need to make sure the right hats" will be able to participate in the program, with winners gaining both "the reward of having won, but also the reward."

New Defense Innovation Advisory Board

Carter also announced the creation of the Defense Innovation Advisory Board, headed by former Google CEO Eric Schmidt.

Carter said he wanted people to "think outside the five-sided box," a reference to the Pentagon, and the DIAB would be giving advice to the defense secretary on how to do things in an innovative way.

Schmidt, Carter said, is the "perfect chairman" for the board for two reasons: "First, he's brilliant; and second, he's willing to do it."

Building bridges

Carter garnered applause when he responded to Schlein's question on the Apple-FBI conflict by saying, "Data security, including encryption, is absolutely essential to us" in the DOD, adding that he is "firmly behind strong encryption."

"I'm not a believer in backdoors, or a single technical approach to what is a complex question," he said. "The reality is that the problems of data security are many." Because of that complexity, he said there would not be a single answer, and that a single case -- Apple versus the FBI -- shouldn't "drive the solution."

"The only way we're going to get to a real solution is to work together," Carter said. "It's not like there's something out there we just have to pick."

Schlein later asked why consumers seem to "be OK with" companies, such as Google or Facebook, having all their data, but not the government. "It's a good question," Carter said. "I regard us as having a solemn trust" to hold to a high standard. "As the government has powers over the people, it's important that information be used in an appropriate and lawful way."

A call for volunteers

Carter, recalling his own path to the post of defense secretary, said when he was young, there was a sense that "if you have knowledge, you have a responsibility to serve the country."

"The greatest thing in the world is to work on a problem that's important, and to know that you can make a contribution," Carter said in an effort to convince cyberprofessionals to consider putting in some time with the government.

"We can't remain the best in the world if we are not the best," Carter said, adding that "the way to stay the best is to innovate." He also repeated a call to build a bridge between the government and the private sector, urging people from the private sector to consider connecting with the Defense Digital Service and to "come in, work with us."

"You don't have to become part of the government," he said, adding that he would welcome people to "come in and work for a year or two [and] see how you like it." He called that form of service a "people bridge" between the innovative sector and government.

"It's called experimental, because we're still experimenting with it," Carter said.

Schlein asked, "How will you know it's successful?"

"First of all, if there are companies in the Valley who are doing work of consequence for security," because they were introduced through government programs in some way, Carter said, "that is one metric we use."

Another metric he said he would use is the people. "If there are [a] couple of tens or hundreds of people who have come in to the DOD and made a difference," Carter said. "Very few people can make an enormous difference."
