Public-facing websites and services used by the Marine Corps were targeted by hackers over the weekend – but that was part of the plan. To help identify vulnerabilities in the Marine Corps Enterprise Network, the Department of Defense and HackerOne, a service that runs crowd-sourced security testing, launched Hack the Marine Corps, a “bug bounty program” that pays hackers to identify and report vulnerabilities. As the United States faces increasing cybersecurity threats, programs such as Hack the Marine Corps are a great way to identify and fix potential problems before they become damaging security breaches.
Hack the Marine Corps has already been successful. The program kicked off with a live event in Las Vegas with nearly 100 ethical hackers who, during the nine-hour event, identified 75 unique security vulnerabilities. True to the idea of “bug bounty,” the Marine Corps shelled out more than $80,000 to those who had identified problems.
The program will continue until Aug. 26 and is part of the larger Hack the Pentagon program, which started in 2016 and is run by the DoD’s Defense Digital Service and HackerOne. Previously, hackers have been invited to target Army, Air Force, Pentagon and Defense Travel systems, finding more than 5,000 vulnerabilities.
These programs and their success are a reminder of the ongoing cybersecurity challenges facing the U.S. They also help to emphasize why digital security is critical to national security, as Secretary of Homeland Security Kirstjen Nielsen explained earlier this summer, saying, “Cyberattacks collectively now exceed the danger of physical attacks.”
Heading off that threat proactively with “bug bounty” events is a step in the right direction. Given their success in helping the U.S. armed forces bolster their cyberdefenses, similar programs should be used for other vulnerable infrastructure critical to national security, such as infrastructure for elections.
Lawmakers introduced bipartisan bills in both 2017 and 2018 that would allow DHS to set up “bug bounty” programs in a “Hack the Election” competition. Undoubtedly, this would be a good idea, as hacker conventions have proved that a range of infrastructure used in elections is susceptible to attacks, including voting machines and election websites, which were hacked this year by kids.
Unfortunately, there has not yet been enough congressional support to bring those proposals to fruition. That means that instead of potential security breaches being identified and fixed prior to ballots being cast, the infrastructure that modern democracy rests on likely remains unsecured.
With primaries underway, the November midterm elections fast approaching, and a high likelihood of attempted attacks, we would do well to learn from the success of the military and try to head off potential breaches with expanded use of bug bounty programs.