Silicon Valley could upend cybersecurity paradigm.

Author: Harper, Jon

As the Defense Department turns to crowdsourcing to help protect its information networks, Silicon Valley is in a position to revolutionize the way the Pentagon promotes cybersecurity.

The Defense Department recently established a vulnerability disclosure program with the assistance of HackerOne, a Silicon Valley-based cybersecurity firm that manages "white hat" hacking initiatives for private sector companies and other organizations.

The program created a legal framework and mechanisms for friendly hackers outside of the department to volunteer their time and find vulnerabilities in Pentagon IT systems.

HackerOne provides the platform for taking an external vulnerability report and tracking it all the way down to remediation, Alex Rice, the company's chief technology officer, said in an interview with National Defense.

"It's really a 'see something, say something' policy that is very common in Silicon Valley companies," he said, noting that the Pentagon was the first national defense agency to adopt a similar approach.

By encouraging friendly hackers to probe for and identify vulnerabilities, defense officials hope to better secure U.S. military networks from intrusions.

"If there's a vulnerability there we want to know about it. We want to know about it before the adversary knows about it," said Lisa Wiswell, the digital security lead at the Pentagon's Defense Digital Service. "When you've got folks that are willing to help we ... [need to use them] to the best of our ability."

Embracing the Silicon Valley crowdsourcing model required a change in mindset for a defense establishment that previously viewed all hackers warily, she noted at a CyberCon gathering of government and industry officials in Washington, D.C.

"The cultural shift that has started to happen within the department is pretty impressive," she said. "Having folks understand that the same kind of communities that we've sort of demonized for a long time ... are now sort of our friends and we want to benefit from skill sets no matter where they come from, is a tremendously different approach than what we've done in the past."

Although participants in the vulnerability disclosure program typically won't receive any financial reward for their efforts, success can still be a career booster, Rice said. The Defense Department created an acknowledgment page to recognize outside cyber experts who help identify and remediate vulnerabilities, he noted.

"There is value in getting an official thanks from the DoD," he said. "It's certainly a compelling thing for security professionals to put on their resume."

But the Pentagon isn't going to simply rely on those who are willing to donate their time and expertise. Working with partners in Silicon Valley, the...
