
Pentagon ‘Rebel Alliance’ Uses Hacking to Find Cyber Skywalkers

October 26, 2018 Chris Cornillie

The Defense Department’s digital team is launching a series of new hacking-centric initiatives in the hopes of recruiting skilled cybersecurity professionals – from both outside the Pentagon and among its active-duty members.

The Defense Digital Service, or DDS, opened a new office at the Georgia Cyber Center in Augusta, Ga., on Oct. 25. The facility, which puts DDS in close proximity to Army Cyber Command, based at Fort Gordon, Ga., and to leading universities such as the Georgia Institute of Technology, is “designed to house tiger teams, cultivate talent, and promote innovative ways to solve mission challenges,” according to a DDS statement.

In keeping with its Star Wars-themed naming conventions, DDS dubbed the office “Tatooine” – the desert planet where the Rebel Alliance found its new hope, Luke Skywalker.

“Tatooine will be a beacon for technical talent across the military – a place for nerds to write code and solve problems of impact,” said DDS Director Chris Lynch in a statement. “Through this partnership, we are setting our best technical warfighters against our toughest problems with support and training from our DDS software engineers and experts.”

To commemorate its first day in operation, DDS hosted a Digital Service Day bringing together active-duty personnel, hackers, industry professionals, and students from local universities for an all-day “Hack the Army” challenge. Participants competed to uncover vulnerabilities in the Army’s public-facing websites, with winners receiving awards at the end of the day’s events. The biggest award of all, though, might be an offer to “join the Rebel Alliance,” Lynch’s nickname for DDS.

Hacking the Talent Pool

Hackathons like these serve two purposes: first, they’re a way for the Pentagon to cheaply “crowdsource” security testing of its websites and software. Second, for an organization facing a persistent shortage of information security experts, they offer an opportunity to identify prospective “cyber soldiers.”

According to a 2017 Bloomberg report, for years the private sector has turned to hackathons as a way to attract interest among coders – some as young as high school or college age. The Pentagon is starting to catch on as well. But in addition to students, DDS is looking for cybersecurity skills among another highly sought-after group: the active-duty military.

Since early 2017, Lynch and his team have launched a series of initiatives – codenamed “JYN” for the Star Wars “Rogue One” heroine – aimed at identifying top-tier cyber talent within the Pentagon’s own ranks. Active-duty personnel can apply for temporary rotations with the JYN program to solve technical challenges, which in the past included developing drone detection technology, hunting adversaries on Pentagon networks, and securing commercial airspace, according to a job listing on Google Hire.

As part of the latest JYN initiative, DDS partnered with Army Cyber Command and coding boot camp General Assembly to design a 12-week intensive learning program to teach intermediate offensive and defensive cybersecurity skills. DDS’s current goal is to incorporate the lessons learned from this pilot into the way Army Cyber Command trains its cyber soldiers in general, Lynch told FedScoop in June.

“It has never been more important for the U.S. military to rapidly evolve technical capabilities to outpace adversarial threats,” DDS said in its Oct. 25 statement. “However, recruiting, supporting, and retaining technical talent in the military can present unique challenges.”

Bug Bounties

DDS’s Georgia hackathon is only the latest in a series of “Hack the Pentagon” challenges dating back to 2016, when it began paying ethical hackers – the “white hats” – to scour its systems in search of vulnerabilities. Since fiscal 2016, the Defense Department has paid out over $4 million in bug bounties under a contract called Crowdsourced Vulnerability Discovery and Disclosure, or CVDD.

Three civilian agencies, the Treasury and Homeland Security departments and the General Services Administration, have paid out a combined $2.67 million since fiscal 2016.

To date, the Pentagon has worked with two companies to manage its bug bounty program: San Francisco-based HackerOne Inc. and Redwood City, Calif.-based Synack Inc. These companies provide the Pentagon a single point of contact (rather than working with each hacker individually), and screen prospective bug hunters to keep dangerous “black hat” hackers off government networks.

On Oct. 24, the Pentagon announced its intent to expand its bug bounty programs, awarding a $34 million follow-on contract to HackerOne, Synack, and a third company, San Francisco-based Bugcrowd Inc.

“When something works tremendously well, you do more of it,” HackerOne CEO Marten Mickos said in an Oct. 24 statement.
