Hackers Find Dozens of Ways Into Pentagon Servers—With Permission

U.S. Defense Secretary Ash Carter, right, is briefed on the capabilities of the National Guard Cyber Unit at Joint Base Lewis-McChord, Washington, on March 4. Tim D. Godbee/DoD photo/Handout via Reuters

The Pentagon asked hackers to take a crack at its servers, and in response 1,400 hackers found 90 ways in, according to a tweet from the CEO of HackerOne on Friday. “Hack the Pentagon” was a test run of a bug bounty program, which allows hackers and the public at large to find and report problems with servers and websites.

The U.S. government and the tech world often don’t get along. This year’s showdown between the FBI and Apple over iPhone encryption in a terrorism case didn’t ease the tension—not to mention the ongoing fallout of the disclosures of National Security Agency spying by Edward Snowden. But lately, the Pentagon wants to prove it’s on the same side as the tech industry, launching an initiative to reach out to Silicon Valley companies with the bug bounty program.

"This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said Secretary of Defense Ash Carter when the program was announced at the end of March. "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."

Alex Rice, co-founder and CTO at HackerOne, the company that helped run the program with the Defense Department, praised the Pentagon for its work with the security community on the program. “I’ve been pleasantly surprised at the responsiveness; they’ve moved very quickly,” Rice tells Newsweek. “They’ve been more innovative than I was expecting going into this. I had some biases on what to expect, and it’s been clear that the stereotypes are dangerous.”

U.S. laws around computer intrusion are vague and harsh, and bounty programs create ground rules that give security professionals and amateur tinkerers a way to test and report security problems on private servers without incurring any legal penalties. Companies rely on the programs as a final security step and pay hackers when vulnerabilities are discovered. These can be anything from a poorly configured server to a means of accessing vast amounts of data.

The bug bounty program was a first for any government agency and came with many caveats. Hackers had to be able to legally work in the U.S., couldn’t appear on any watch list and had to submit to a background check to get paid. The program also excluded “critical, mission-facing computer systems.” Those rules may seem onerous for a community with a reputation of being very skeptical of government, but Rice says the program was actually quite open for a test run.

“It’s important to keep in mind that this is a pilot, and they were far more open and permissive than most private programs,” he says of working with the Pentagon.