Hacking The Feds

Paying outside hackers to identify vulnerabilities in federal systems is worth every penny.

Late last year, the Department of Homeland Security (DHS) reached out to the hackers of the world with an unusual invitation: Hack me! Please!

The premise was simple. Hackers were asked to find security vulnerabilities across DHS systems. Those who succeeded were paid a bounty of $500 to $5000, depending on the severity of the bug they discovered. Thus began the Hack DHS program, which kicked off just as the public and private sectors were fighting the fallout from a vulnerability in Log4j, a widely used open-source Apache logging framework.

By the time it was done, hackers had found 122 security vulnerabilities, 27 of which were “critically severe.” There have been similar programs launched by the U.S. government over the past five years, but Hack DHS stands out in its success.

These “bug bounty” programs have become the most visible—and fruitful—examples of public/private sector cybersecurity partnerships. These partnerships will likely proliferate as more people realize the importance of public and private sector partnerships in mitigating cybercrime. As Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency at DHS, said, “We will only minimize potential impacts through collaborative efforts between government and the private sector.”

Flipping the script

The public sector—which includes the U.S. government and armed forces, but also critical infrastructure such as the power grid and public transportation—still has a long way to go in building resilience against cyber threats.

Cyber criminals are becoming more sophisticated every day, often using the same tools and tactics as nation-states. Finding and prosecuting attackers is incredibly difficult, so threat actors have little reason to stop committing attacks.

“All economic incentives favor the attackers. The technology they need to carry out their attacks is cheap and easy to acquire,” says Larry Clinton, president of the Internet Security Alliance. Often, hackers exploit vulnerabilities that already exist on…