Source: Politico, Morning Cybersecurity | Tim Sparks | March 24, 2016

HOW TO HACK THE PENTAGON — The Defense Department this month announced the first-ever bug bounty program for a federal agency, saying that “Hack the Pentagon” would help it discover vulnerabilities in its websites. It’s a pilot, but if the program works, it might lead to bug bounties in other agencies — so there’s a lot riding on how it goes, beyond just the security of DoD networks.

The key to its success, says former PwC “ethical hacker” Todd Feinman, is narrowly defining what the Pentagon is trying to achieve. In this case, that’s protecting reams of sensitive and confidential information, Feinman told MC. It also happens to be why the Pentagon is the first agency to launch a bug bounty program, a model considered a success at tech companies like Google and Facebook and, increasingly, at other companies — Uber this week just launched its own bug bounty initiative. “There was originally a stigma for these as if you’re asking for trouble,” said Feinman, CEO of data management company Identity Finder. The narrow definition extends even to what kinds of bugs DoD is willing to reward hackers for discovering — without that scoping, the program could face a never-ending spiral of payouts.
Other agencies will have different needs and goals, based on their mission. At, for instance, Feinman said the goal would be making sure the site is reliably available to customers who need regular access. At the National Institutes of Health, the concern should be making sure data isn’t manipulated, potentially skewing research. “Figure out what it’s worth to you, get a good assessment of how much to spend commensurate with risk and decide what could be stolen that could hurt you,” Feinman advised.