Why companies and the Feds hack each other all the time
For no cost, the Department of Homeland Security will test the digital defenses of local, state and federal bodies, as well as private businesses.
BY KEITH WAGSTAFF, NBC News
(NBC News) - Not only is the government trying to break through the online security of private businesses, it's also inviting hackers to attack its own systems.
For no cost, the Department of Homeland Security will test the digital defenses of local, state and federal bodies, as well as private businesses including "finance, power, gas, water, and chemicals companies" and universities, an agency spokesperson told NBC News via email.
So far, the National Cybersecurity Assessment and Technical Services Team has tested more than 60 private sector companies, DHS said.
And the agency that wants to be hacked? That would be the Department of Defense. In March, the government announced it was inviting hackers to probe the Pentagon's systems as part of a bug-bounty program called Hack the Pentagon.
This comes after several embarrassing security lapses for the federal government, including the breach of the Office of Personnel Management in 2015 that exposed data belonging to more than 21 million people, and the February hacking of CIA Director John Brennan's personal email by a self-identified teenager.
Why the government started hacking
The NCATS program isn't a secret. But it wasn't widely publicized until cyber expert Brian Krebs wrote about it on his popular security blog in December.
The program provides a "no-cost," "objective third-party perspective" on the state of an organization's computer networks, according to the DHS website. That could be very helpful for other government agencies, as well as local and state offices, because they don't always have the resources to hire top security firms.
For private companies, the DHS "could certainly provide a service that has value," Tim Erlin, director of IT security for Tripwire, told NBC News.
At the very least, the tests "should give them a sense of their overall risk," he said, so they can decide whether to order more comprehensive tests. The government is offering both penetration testing and vulnerability scanning.
The latter, Erlin said, is "like wandering around your house, looking for open doors and windows. A penetration test is a targeted effort to break into the house."
In general, penetration tests can cost anywhere from tens of thousands of dollars to hundreds of thousands, he said.
Why would the government spend money on these tests? It's all about the data, according to Morey Haber, vice president of technology at security firm BeyondTrust.
He told NBC News that he has talked to several people at the DHS about the NCATS program. The government, according to Haber, wants to know how secure its private-sector partners are. Free testing gives it access to data that would otherwise be unavailable.
The hope is to create a win-win proposition for companies looking to beef up their security.
"Hey, it's free!" Haber said. "You just have to know that your data is being used by the government."
Not every cybersecurity expert thinks that bringing in the government would be the best move.
"Did I hear OPM?" joked Steve Morgan, founder and CEO at Cybersecurity Ventures, in an email to NBC News.
His point: The federal government doesn't have a great track record when it comes to protecting against breaches. But his opinion isn't universally shared.
"I applaud the government for doing this," Haber said. "They are really trying to make a difference, even if some of the motives are self-serving."
Hunting for bugs
When the hacker community first heard about Hack the Pentagon, some were understandably suspicious. The bug-bounty program asks hackers to look for weak spots in the Department of Defense's computer networks — if they find one, they get paid a bounty from a total pool of $150,000.
It's common practice for tech companies, but this is a federal agency with the power to hit people with serious legal repercussions.
"Hackers tend to think about all the potential things that could go wrong, no matter how unlikely," Alex Rice, co-founder and CTO of HackerOne, told NBC News.
Eventually, he said, people got over the fear of getting in trouble and the program is "off to a great start" since it launched on March 31. Not everyone can participate. Hackers have to register for the program, be lawfully allowed to work in the U.S., and not have a felony on their record.
"This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said U.S. Secretary of Defense Ashton Carter in a statement announcing the program. "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."
Why partner with hackers in the first place? First of all, Rice said, a hacker isn't someone who breaks the law. He or she is simply someone who knows how to break code, something more programmers should learn, according to Rice.
"If you're a locksmith, you have to understand all the ways locks can be broken and all of the ways they can be fixed," he said. "We don't question whether or not a locksmith is a criminal because they have that knowledge."
Ultimately, having 1,000 people look at your code is better than only a few hired professionals on a security team, Rice said. The Pentagon, however, does need the resources to interpret the resulting data. He believes that the DoD will be up to the task, noting that it has "been dealing with cybersecurity problems for longer than just about anybody."
Hackers hoping to claim some government funds had better get moving. Registration for Hack the Pentagon ends on May 12.