Army networks are more secure now, thanks to Hack the Army 3.0, the third iteration of the Army bug bounty program led by U.S. Army Cyber Command (ARCYBER) in partnership with HackerOne and the Defense Digital Service (DDS).
The program enlists civilian security researchers – commonly known as hackers – to join Army and Department of Defense security professionals in safeguarding DoD and Army networks, systems and data by applying approved testing techniques against selected public-facing websites to find vulnerabilities in those sites.
Hack the Army 3.0 saw military researchers invited to participate in the bug hunt for the first time. More than 50 military-affiliated personnel registered, and seven eventually accepted invitations to take part alongside civilian counterparts.
“This is especially exciting, because this is what I envision future success looking like: both external and internal-to-department researchers working toward the same goal, and also the military providing space for internal talent to develop their skill sets,” said Maya Kuang, Army Product Manager for DDS.
“What makes these crowdsourced events a success is the diversity within the researcher population. Different methods and thought processes are crucial when we simulate what real adversaries would do.”
Hack the Army 3.0 lasted six weeks, beginning in January 2021. During that time, HackerOne reported, 11 assets were in scope and 40 unique, top-tier researchers focused their efforts on identifying vulnerabilities in two applications within the DDS and Army scope. The final tally showed that participants had identified 238 vulnerabilities, including 102 rated high or critical and designated for immediate remediation. More than $150,000 was awarded to eligible civilian hackers in bounties during Hack the Army 3.0.
Johann Wallace, Compliance Division Chief for the Army Network Enterprise Technology Command, served as ARCYBER’s technical subject-matter expert and interface between the Hack the Army 3.0 researchers and Army website owners. Working closely with DDS and HackerOne, Wallace said, he evaluated the researchers’ reports, verified their criticality, and helped to evaluate any proposed resolutions or fixes.
“It’s always interesting to see what vulnerabilities and weaknesses are hiding in plain sight … and an engagement like Hack the Army allows us to leverage additional subject-matter expertise to look at more assets faster than we do with our internal vulnerability assessment teams alone,” Wallace said.
“Automated tools can never replace the effectiveness of the human mind; our ability to adapt,” he added, “and the special skill set it takes to follow the white rabbit. Success (in cybersecurity) means prevention through education, not knowledge through reaction.”
“By inviting skilled hackers to test the U.S. military’s digital assets, the DDS and the U.S. Army demonstrate that hacker-powered security has become a mainstream best practice for organizations requiring continuous security testing,” said Alex Rice, HackerOne’s co-founder and Chief Technical Officer. “It’s been an exciting journey to chart the successes of the three Hack The Army initiatives and watching the hacking community help strengthen the nation’s cybersecurity defenses.”
Corben Leo is a computer science student at Dakota State University who was the top civilian researcher participating in Hack the Army 3.0. He agreed that taking part helps build his skills while also serving a higher purpose.
“I enjoy how large the scope (of military bug bounty programs) is and how responsive the team is,” he said. “Furthermore, I feel like I can make a difference and improve the security of our military.”
“There is always room for improvement, there will always be vulnerabilities, and you might not be as secure as you may think. Be proactive about it!”
The Army’s bug bounties began in late 2016, following the successful launch of DoD’s Hack the Pentagon initiative facilitated by DDS earlier that year. DoD and DDS have since executed more than a dozen public bounties on external-facing websites and applications, as well as private bounties on a range of sensitive, internal DoD systems such as logistics, physical hardware and personnel systems. In late 2019 the Army conducted Hack The Army 2.0.
DDS works with the agencies whose digital assets are being examined and a trusted private sector partner to recruit highly skilled researchers to conduct crowdsourced penetration tests. These registered participants are given legal consent to hack a variety of DoD assets to uncover and help fix vulnerabilities. All DoD bounties require these researchers to undergo background checks. Private bounties, or those testing internal systems, require background checks and citizenship verification before researchers gain privileged access to DoD systems and information. Most private bounties mandate the use of a virtual private network to monitor and log researcher activity for system owner transparency and deconfliction.
Read more about Hack the Army 3.0 on the HackerOne blog at https://www.hackerone.com/blog/announcing-hack-army-30-results-conversation-defense-digital-service-us-army-and-hack-army-0
ABOUT ARCYBER: U.S. Army Cyber Command integrates and conducts cyberspace, electronic warfare, and information operations, ensuring decision dominance and freedom of action for friendly forces in and through the cyber domain and the information environment, while denying the same to our adversaries.
ARCYBER ON THE WEB: https://www.arcyber.army.mil
ARCYBER TWITTER: https://twitter.com/ARCYBER
ARCYBER LINKEDIN: https://www.linkedin.com/us-army-cyber-command
Interested in the challenge of joining the Army Cyber team? Check out military and civilian cyber career and employment opportunities by clicking on the "Careers" tab at www.arcyber.army.mil