23 November 2016

DISA's behind-the-scenes role in hacking the Pentagon

November 17, 2016 

The Defense Department has touted its "hack the Pentagon" bug bounty program, which is also the first in the federal government, as a wide success in appealing to the public to find network vulnerabilities. While led by the Defense Digital Service within the Pentagon, the Defense Information Systems Agency played a role in the success of this first-ever initiative as well and will continue to do so, officials said. 

And expect more of the bug-bounty programs, Maj. Gen. Sarah Zabel, vice director of DISA, said in an opening keynote before an audience at DISA’s annual Forecast to Industry event in Baltimore Nov. 17. 

Top DISA officials later told reporters that DISA was heavily involved in the program from the start, something that was not well known. “From a defensive standpoint, the Pentagon had the lead, we were in support with Cyber Command,” said John Hickey, DISA cyber development executive.

As DoD is expanding its bug bounty effort to the services, Hickey said DISA will continue its support. “What you’ll see next…is the Army has the next version,” he stated. “They’re going to let government people participate in the program. We’ll be part of that because obviously we have the enterprise part of the network." 

DISA’s role as the enterprise network provider means that while the Army will be looking at other data, such as personally identifiable information, DISA personnel will be looking at how this other information filters back into the enterprise. 

Along the bug bounty lines, Zabel also offered that DISA will be looking to publish some source code to solicit input from industry or white hat hackers to comment, offer feedback or suggest improvements.

“We’re looking at where we can take advantage of open-source technologies using open-source capabilities,” Alfred Rivera, principal director of enterprise services at DISA, told reporters, offering the Defense Collaboration System as an example. The concept here is that if DISA takes advantage of existing open source, it can add that to an open-source repository. This helps not only from a cybersecurity perspective in terms of evaluating source code, but can also help from a functionality perspective, he said.

Referencing Zabel’s comments, Rivera said the open-source/white hat concept can be used as a tool to evaluate source code for malware or other deficiencies. “I think that’s where we’re trying to go,” he said. In this space, DISA also is looking at some large development efforts such as command and control.