White Hat, Black Hat, Red Team, Blue Team

U.S. Pentagon press secretary Peter Cook announced on Mar. 3 a pilot program inviting white hat hackers to attempt to penetrate the cyber defense of one of the most guarded government facilities in the U.S.: the Pentagon.

While it seems the U.S. Department of Defense’s intentions are in the right place, the fact that all interested hackers require thorough vetting by the U.S. will likely be a deterrent in attracting the talent truly needed to make this program successful.

From the beginning, this seems very similar to the CNAP program, which sought a federal CISO. Unfortunately, this legacy behavior results in yet another unneeded level of bureaucracy headed by an official who is put into a position of power, yet doesn’t own any agencies.

Vetting hackers to go after these systems is going to be similar to the relationship they have with current Red Teams, which work within the Pentagon to test DOD networks and consist primarily of military individuals and select government contractors (e.g., Lockheed, Raytheon, etc.).

Now that the new “Hack the Pentagon” program is open, the DOD will invite vetted white hats who will be investigated by the very government that did a stellar job of protecting the OPM database. The DOD wants these highly skilled hackers to give the government all of their personal information to be vetted and entered into legacy databases just so they can test the real-world systems that the government can’t defend. The word ridiculous comes to mind.

This is nothing but a checkmark in the box for the administration, which wants to prove to the American people that at least something is being done to strengthen current cybersecurity measures.

Legitimate white hat hackers — and others who have the exploits and skills that can actually get through the Pentagon’s systems — won’t want to be involved thanks to their fear of the government, much less their fear of being identified. In the end, neither party will get what they truly need: open collaboration between the best of private and government sectors to protect the nation’s critical networks.

This will result in several government contracts and will eventually work its way into a federally funded RFP. Most likely, a large and very well-known military contractor will win the bid and build its own team to do exactly what the Red Team is already doing within the Pentagon. But it will justify the President’s mission and the money that Congress is allotting for “cyber” defenses. Ironically, they will only end up testing against themselves. As it’s written, it’s a pointless endeavor.

That’s not to say that they won’t find some vulnerabilities. But they’re not going about it the right way.

In order for the program to be successful, anyone and everyone should be invited to try to infiltrate a closely mirrored virtual environment for 90 days, in a way that allows zero-knowledge and completely anonymous testing. The DOD should log the information and give the findings to the Pentagon’s Blue Team, with 90 days to fix the issues. This is not the only way, but it is a progressive method to truly move forward on the issue and generate real interest among the experts who are best suited to find the vulnerabilities that must be corrected.

However, there’s a major flaw with these kinds of engagements. The government doesn’t want to look bad in public or to know how big the flaws are. They’ll challenge hackers with something to test that they KNOW can’t be broken. From there, the real issues and vulnerabilities are never tested or fixed, and we’re right back where we started: old-school government that still can’t openly collaborate with or trust the private sector.
