{"id":33946,"date":"2018-11-13T17:30:25","date_gmt":"2018-11-13T22:30:25","guid":{"rendered":"https:\/\/digital.hbs.edu\/platform-rctom\/submission\/the-government-wants-you-to-hack-it\/"},"modified":"2018-11-13T17:30:25","modified_gmt":"2018-11-13T22:30:25","slug":"the-government-wants-youto-hack-it","status":"publish","type":"hck-submission","link":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/","title":{"rendered":"The government wants you\u2026to hack it?"},"content":{"rendered":"

<p>As personalized data and digital IP become competitive advantages for companies across all industries, security breaches have grown more frequent and costly (increasing 27% and 23%, respectively, within the last year<sup>1<\/sup>), resulting in catastrophic reputational and financial consequences.<\/p>

<p>Traditionally, computer\/network security was handled in-house, with teams of developers, researchers, and QA personnel carefully testing a system to discover and repair exploitable flaws. However, as digital attacks have become more sophisticated, they have outstripped the internal security capabilities of most companies. This need has given rise to ‘bug bounties’, contests in which organizations offer prizes to the developer community to stress-test their systems and find vulnerabilities (‘bugs’). This use of open innovation to discover security flaws has been a “widely understood best practice in the private sector”<sup>2<\/sup>, but recently the federal government has also adopted this crowdsourcing approach to help secure its own systems. Government agencies, already facing a cybersecurity talent shortage<sup>3<\/sup>, have realized that the magnitude of the security problem requires them to use open innovation as a vital weapon against digital threats.<\/p>

<p>Cybersecurity efforts benefit greatly from distributed innovation. The field is moving too quickly for any individual or group to keep up with all of the developments, and open innovation provides the creativity, objectivity, and scale needed to attack these issues from multiple angles, supplementing the government’s native security efforts. It enables the government to capitalize on the collective wisdom of the tech community, drawing on participants with diverse expertise to strengthen its security development process.<\/p>

<p>In 2016, the Pentagon hosted the first ‘Hack the Pentagon’ program, inviting hackers to discover vulnerabilities in public-facing Department of Defense websites. This was a landmark event for several reasons:<\/p>

<ol>
<li>This was the first bug bounty contest sponsored by a federal agency, reflecting an increasing willingness to use open innovation and “allow private citizens to offer their diverse range of talent to contribute and strengthen our nation’s security”<sup>4<\/sup><\/li>
<li>It endorsed hacking as a valuable tool to assess and improve security, in sharp contrast to the prevailing legal restrictions on such activities<\/li>
<\/ol>

<p>Since that program’s successful resolution of 138 security issues, comparable contests have been conducted for the Army, the Air Force, and the Defense Travel System, all with similarly successful outcomes [<strong>Exhibit 1<\/strong>]. Not only have these events produced substantial technical results, but they have also won the support of leaders within these organizations [<strong>Exhibit 3<\/strong>], who recognize both the intellectual value of these open source efforts and their financial benefits, noting that “a security audit and vulnerability assessment, […] would have cost us more than $1 million [compared to $150,000]”<sup>5<\/sup>.<\/p>

<p>Longer term, these programs are growing rapidly, with bipartisan legislation in place to commence similar projects at the Department of Homeland Security<sup>6<\/sup> and the State Department<sup>7<\/sup> [<strong>Exhibit 2<\/strong>], and more general recommendations being made through the Executive branch<sup>8<\/sup>. In parallel, this has stimulated conversations on updating existing cybercrime legislation, such as the Computer Fraud and Abuse Act, which could empower the open source community by easing strict punishments for hacking-related actions. The Department of Justice has already recommended the adoption of “vulnerability disclosure policies” (VDPs)<sup>9<\/sup>, which allow interested parties to find and report security risks without fear of civil penalties, and which ensure that the government will work “openly and in good faith with researchers”<sup>10<\/sup>.<\/p>

<p>As cybersecurity evolves alongside technology, there are tremendous opportunities to make better use of open innovation to tackle future security issues:<\/p>

<ol>
<li>Mandatory bug bounty programs—every government agency has a heavy digital presence, and there should be a requirement for open bounty programs to ensure ongoing security<\/li>
<li>Update cybercrime legislation—archaic legislation does not prevent sophisticated, international cyber terrorists from committing digital crimes. While VDP adoption is a crucial first step, the government should update the laws to loosen restrictions and stimulate digital creativity to keep pace with global security needs. This will reinforce the growth of open innovation communities and their ability to experiment in this space<\/li>
<li>Use open innovation to develop new software systems—the current use of open innovation has focused on remediating vulnerabilities in existing legacy systems. Going forward, the government can leverage the knowledge base of the open source community to build new systems from scratch. Starting with a transparent codebase will allow greater feedback on security best practices throughout the creation and implementation process.<\/li>
<\/ol>

<p>However, major questions still surround the role of open innovation in federal cybersecurity:<\/p>

<ol>
<li>What security risks are associated with providing transparency into digital government systems, and do these projects meaningfully prevent cyberattacks?<\/li>
<li>If the government over-relies on these bounty programs as a core facet of its security development and the open source community loses interest, how would the government keep pace? How does the government maintain scalable interest in its projects?<\/li>
<\/ol>

<p>(796 words)<\/p>

<p><strong>Exhibit 1:<\/strong><\/p>
<table>
<thead>
<tr><th>Agency<\/th><th>Date<\/th><th>Contest days<\/th><th># Verified vulnerabilities<\/th><th>Total prize money<\/th><\/tr>
<\/thead>
<tbody>
<tr><td>Pentagon<sup>11<\/sup><\/td><td>2016<\/td><td>25<\/td><td>138<\/td><td>$75,000<\/td><\/tr>
<tr><td>Army<sup>12<\/sup><\/td><td>2016<\/td><td>22<\/td><td>118<\/td><td>$100,000<\/td><\/tr>
<tr><td>Air Force<sup>13<\/sup><\/td><td>2017<\/td><td>25<\/td><td>207<\/td><td>$130,000<\/td><\/tr>
<tr><td>Air Force 2.0<sup>14<\/sup><\/td><td>2017<\/td><td>20<\/td><td>106<\/td><td>$103,883<\/td><\/tr>
<tr><td>Defense Travel System<sup>15<\/sup><\/td><td>2018<\/td><td>29<\/td><td>65<\/td><td>$78,650<\/td><\/tr>
<tr><td>Marine Corps<sup>16<\/sup><\/td><td>2018<\/td><td>20<\/td><td>150<\/td><td>$150,000<\/td><\/tr>
<tr><td>Total<sup>17<\/sup><\/td><td><\/td><td><\/td><td>650+<\/td><td>$500,000+<\/td><\/tr>
<\/tbody>
<\/table>


<p><strong>Exhibit 2:<sup>7<\/sup><\/strong><\/p>

        \"\"<\/a><\/p>\n

<p><strong>Exhibit 3:<sup>17<\/sup><\/strong><\/p>

        \"\"<\/a><\/p>\n

<p><strong>Citations:<\/strong><\/p>

<ol>
<li><em>2017 Cost of Cyber Crime Study<\/em>. Accenture, 2017, pp. 3–4, https:\/\/www.accenture.com\/t20171006T095146Z__w__\/us-en\/_acnmedia\/PDF-62\/Accenture-2017CostCybercrime-US-FINAL.pdf.<\/li>
<li>United States, Department of Defense. “Hacking the Pentagon.” <em>Report to Congress<\/em>, US Digital Service, 115th Congress, 2017, https:\/\/www.usds.gov\/report-to-congress\/2017\/fall\/hack-the-pentagon\/.<\/li>
<li>“Cyber In-Security II: Closing the Federal Talent Gap.” Booz Allen Hamilton, Apr. 2015, federalnewsradio.com\/wp-content\/uploads\/pdfs\/pps_cyber.pdf.<\/li>
<li>United States, Department of Defense. “Hacking the Pentagon.” <em>Report to Congress<\/em>, US Digital Service, 115th Congress, 2017, https:\/\/www.usds.gov\/report-to-congress\/2017\/fall\/hack-the-pentagon\/.<\/li>
<li>“Carter Announces ‘Hack the Pentagon’ Program Results.” <em>US Department of Defense<\/em>, 17 June 2016, dod.defense.gov\/News\/Article\/Article\/802828\/carter-announces-hack-the-pentagon-program-results\/.<\/li>
<li>Hack the Department of Homeland Security Act of 2017, S. 1281, 115th Cong. (2018).<\/li>
<li>Hack Your State Department Act, H.R. 5433, 115th Cong. (2018).<\/li>
<li><em>Report to the President on Federal IT Modernization<\/em>. CIO Council, 2017, p. 7, https:\/\/itmodernization.cio.gov\/assets\/report\/Report%20to%20the%20President%20on%20IT%20Modernization%20-%20Final.pdf.<\/li>
<li>“A Framework for a Vulnerability Disclosure Program for Online Systems.” <em>Department of Defense<\/em>, July 2017, justice.gov\/criminal-ccips\/page\/file\/983996\/download.<\/li>
<li>“DOD Announces Digital Vulnerability Disclosure Policy and ‘Hack the Army’ Kick-Off.” <em>US Department of Defense<\/em>, 21 Nov. 2016, dod.defense.gov\/News\/News-Releases\/News-Release-View\/Article\/1009956\/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army-kick-off\/.<\/li>
<li>“Hack the Pentagon.” <em>HackerOne<\/em>, 2016, hackerone.com\/resources\/hack-the-pentagon.<\/li>
<li>“Hack The Army Results Are In.” <em>HackerOne<\/em>, 19 Jan. 2017, hackerone.com\/blog\/Hack-The-Army-Results-Are-In.<\/li>
<li>“Aim High…Find! Fix! Win!” <em>HackerOne<\/em>, 10 Aug. 2017, hackerone.com\/blog\/hack-the-air-force-results.<\/li>
<li>“U.S. Air Force Boosts Security With Second Bug Bounty Challenge on HackerOne.” <em>BusinessWire<\/em>, 15 Feb. 2018, businesswire.com\/news\/home\/20180215005220\/en\/U.S.-Air-Force-Boosts-Security-Bug-Bounty.<\/li>
<li>“U.S. Department of Defense Secures the DTS With Help From Hackers on HackerOne.” <em>BusinessWire<\/em>, 30 May 2018, businesswire.com\/news\/home\/20180530005149\/en\/U.S.-Department-Defense-Secures-DTS-Hackers-HackerOne.<\/li>
<li>“Hack the Marine Corps Bug Bounty Challenge Concludes.” <em>BusinessWire<\/em>, 3 Oct. 2018, businesswire.com\/news\/home\/20181003005605\/en\/Hack-Marine-Corps-Bug-Bounty-Challenge-Concludes.<\/li>
<li>Mickos, Marten. “The Best Is Yet To Come.” <em>HackerOne<\/em>, 24 Oct. 2018, hackerone.com\/blog\/Best-Yet-Come-DOD-Awards-New-Hack-Pentagon-Contract-HackerOne.<\/li>
<\/ol>","protected":false},"excerpt":{"rendered":"

          How the US government is relying on open innovation to combat cyberterrorism<\/p>\n","protected":false},"author":11847,"featured_media":33947,"comment_status":"open","ping_status":"closed","template":"","categories":[845,2727,2309,4239,2297],"class_list":["post-33946","hck-submission","type-hck-submission","status-publish","has-post-thumbnail","hentry","category-cybersecurity","category-governement","category-hacking","category-open-innovation","category-security","hck-taxonomy-organization-us-government","hck-taxonomy-industry-technology","hck-taxonomy-country-united-states"],"connected_submission_link":"https:\/\/d3.harvard.edu\/platform-rctom\/assignment\/rc-tom-challenge-2018\/","yoast_head":"\nThe government wants you\u2026to hack it? - Technology and Operations Management<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The government wants you\u2026to hack it? 
- Technology and Operations Management\" \/>\n<meta property=\"og:description\" content=\"How the US government is relying on open innovation to combat cyberterrorism\" \/>\n<meta property=\"og:url\" content=\"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/\" \/>\n<meta property=\"og:site_name\" content=\"Technology and Operations Management\" \/>\n<meta property=\"og:image\" content=\"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/Cybersecurity_cover.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"849\" \/>\n\t<meta property=\"og:image:height\" content=\"566\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/\",\"name\":\"The government wants you\u2026to hack it? 
- Technology and Operations Management\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/Cybersecurity_cover.jpg\",\"datePublished\":\"2018-11-13T22:30:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/#primaryimage\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/Cybersecurity_cover.jpg\",\"contentUrl\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/Cybersecurity_cover.jpg\",\"width\":849,\"height\":566},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/the-government-wants-youto-hack-it\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Submissions\",\"item\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"The government wants you\u2026to hack 
it?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/#website\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/\",\"name\":\"Technology and Operations Management\",\"description\":\"MBA Student Perspectives\",\"potentialAction\":[{\"@type\":\"性视界Action\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The government wants you\u2026to hack it? - Technology and Operations Management","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/","og_locale":"en_US","og_type":"article","og_title":"The government wants you\u2026to hack it? - Technology and Operations Management","og_description":"How the US government is relying on open innovation to combat cyberterrorism","og_url":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/","og_site_name":"Technology and Operations Management","og_image":[{"width":849,"height":566,"url":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/Cybersecurity_cover.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/","url":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/","name":"The government wants you\u2026to hack it? 
- Technology and Operations Management","isPartOf":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/#website"},"primaryImageOfPage":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/#primaryimage"},"image":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/#primaryimage"},"thumbnailUrl":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/Cybersecurity_cover.jpg","datePublished":"2018-11-13T22:30:25+00:00","breadcrumb":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/#primaryimage","url":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/Cybersecurity_cover.jpg","contentUrl":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/Cybersecurity_cover.jpg","width":849,"height":566},{"@type":"BreadcrumbList","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/the-government-wants-youto-hack-it\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/d3.harvard.edu\/platform-rctom\/"},{"@type":"ListItem","position":2,"name":"Submissions","item":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/"},{"@type":"ListItem","position":3,"name":"The government wants you\u2026to hack it?"}]},{"@type":"WebSite","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/#website","url":"https:\/\/d3.harvard.edu\/platform-rctom\/","name":"Technology and Operations Management","description":"MBA Student 
Perspectives","potentialAction":[{"@type":"性视界Action","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/d3.harvard.edu\/platform-rctom\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission\/33946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission"}],"about":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/types\/hck-submission"}],"author":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/users\/11847"}],"replies":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/comments?post=33946"}],"version-history":[{"count":0,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission\/33946\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/media\/33947"}],"wp:attachment":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/media?parent=33946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/categories?post=33946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}