Can Feds and Hackers Work Together?


Agencies are trying to entice hackers to share vulnerabilities with them.

Some federal agencies are working toward a vision in which citizen hackers can boost federal cybersecurity instead of exploiting its vulnerabilities.

Programs including the Defense Department's Hack the Pentagon—the federal government's first cyber bug hunt open to vetted security specialists—attempt to bridge a cultural gap between the public sector and private sector technology talent. But historically, hackers and cybersecurity researchers may have avoided pointing out vulnerabilities they discovered for fear of being sued or prosecuted, Charley Snyder, a senior cyber policy adviser at the Pentagon, said at a recent Christian Science Monitor event in Washington.

At DOD, "we're getting ready to kind of clarify our policy on submitting vulnerabilities to us," he said, adding more cyber professionals "trust us" enough to submit reports because of programs like the bug bounty.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Hack the Pentagon, held in April, followed a period in which "people in the policy community ... could go for quite a long time working in cyber policy without actually meeting practitioners or hackers," Snyder said. He emphasized how the two communities could benefit from their humanizing their relationship rather than "view each other with suspicion."

Snyder was deployed to the Office of Personnel Management last year when an outward-facing application was found to have vulnerabilities. He and his colleagues "would hear from friends [in the cyber research community] we made ... who say we could have helped with that," he said.

Too often, he said, the government tries to "wall itself off from the internet ... that doesn't logically work."

The Justice Department is working on its own efforts to connect with the hacker community, said Leonard Bailey, DOJ's special counsel for national security, computer crime and intellectual property. While it's a "work in progress," DOJ is also trying to understand if hackers have communitywide standards for how they test vulnerabilities, Bailey said.

Bailey said there seems to be fairly strong disagreement in the hacker and cyber research community about whether certain activities are responsible or irresponsible.

"The fact that there isn't a sort of communitywide understanding ... makes it more challenging [for DOJ] to say, 'We think you've got this, we can simply allow without concerns these activities to just unspool.'"

And hackers don't have anywhere in government to go to ask about which of their research activities would be acceptable, Bailey said. For DOJ, "to the extent that we want to provide that sort of information, we're not sure where to go to discuss the issue," he said.