
DoD hires hackers to find contractor vulnerabilities and plug holes

It’s impossible to stop all cyberattacks, but a strong defense can help mitigate some of the worst threats. Cybersecurity researchers, working under the Department of Defense’s (DoD) pilot program designed to eliminate digital vulnerabilities among government contractors, recently uncovered some 400 issues at dozens of companies.

The HackerOne Bug Bounty program, which draws on the hacker community, found the issues during the recent Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot, which was coordinated by the DoD Cyber Crime Center (DC3) DoD Vulnerability Disclosure Program (VDP), the DoD DIB Collaborative Information Sharing Environment (DCISE), and the Defense Counterintelligence and Security Agency (DCSA), as a free benefit for voluntary DIB participants.

It reached the one-year milestone and its conclusion at the end of April.

The number of contractors involved in the recent bug bounty was not disclosed. When the campaign launched in April 2021, it included some 14 participating companies and 141 publicly available assets, which could be examined by hackers. Interest was so great that it exploded to 41 companies, while almost 350 workers were eventually admitted.

“DC3’s DoD VDP has long recognized the benefits of using outsourced ethical hackers to add defense-in-depth protection to DoD Information Networks (DoDINs),” said Melissa Vice, Acting Director of VDP, in a press release. “The pilot project was designed to identify whether similar critical and high-severity vulnerabilities existed on small to medium-sized, cleared and uncleared DIB Company assets with potential risks to critical infrastructure and the U.S. supply chain.”

Vice added that when comparing the monthly results of its VDP Bug Bytes and DIB-VDP Pilot Myte Bytes reports, similar trends emerged. Analysis of the DIB Vulnerability Reporting Management Network (VRMN) will take place following the conclusion of the pilot to document lessons learned from the DIB-VDP pilot and inform the way forward for a funded program.

“The initiative and teamwork between VDP, DCISE, DCSA and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes about the continued commitment of DC3 and partner agencies to finding new ways to better support their customers and the DoD’s cyber strategy,” said Joshua Black, Acting Executive Director, DC3.

Fill the holes

Since 2016, VDP has received over 40,000 vulnerability reports, discovered by over 3,200 outsourced cybersecurity researchers in 45 countries, resulting in approximately 70% of vulnerabilities being validated as exploitable and processed for remediation by DODIN components.

“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said HackerOne co-founder and chief technology officer, Alex Rice.

“With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes a leap forward in demonstrating the effectiveness of VDPs in the real world,” Rice noted. “We should all be grateful to the DoD for creating this innovative operating model, proving it works effectively at scale, and then making it available to other organizations to replicate.”

Bug bounties, which employ white hat hackers — the good guys — can be an inexpensive method of closing security holes before black hat hackers find the vulnerabilities.

“This type of initiative, where experts from different parts of the cyber ecosystem share information, is vital to our security,” said David Stewart, CEO of cybersecurity research firm Approov.

“You might think there’s a lot of cyberattack data already in the news, but those stories usually only cover ‘what’ was the outcome of a given cyberattack,” Stewart told ClearanceJobs by e-mail. “The important information, rarely revealed, is the detail of how it was done. Sharing the ‘how’ among experts is a great way to spread the proper knowledge needed to bolster our defenses quickly and effectively.”

Nor is it enough to do this on an ad hoc basis. Some experts suggest that penetration testing should be regular and ongoing.

“These types of activities are critical to our success as defenders against attack,” said Dave Cundiff, chief information security officer at cyber research firm Cyvatar. “Attackers only need to be right once, defenders always have to be right.”

The more information flows between the two groups, the more effectively they can respond to emerging attacks, Cundiff continued.

“The only downsides are the ability to misdirect, or sidesteps creating noise that’s hard to reduce once created,” Cundiff told ClearanceJobs. “As long as the program takes into consideration data curation as well as information sharing, this could be a wonderfully useful approach between the two groups.”
