Digital Security Lead, Defense Digital Service, Department of Defense
The successes of the Defense Department’s “Hack the Pentagon” bug-bounty experiment have been well documented: more than 1,400 participating hackers, 138 bounties paid for confirmed vulnerabilities, nearly 1,200 bug reports across five DOD websites and a total cost of just $150,000.
Less well known is all the back-end work that made the program possible.
Lisa Wiswell, the Defense Digital Service’s digital security lead, managed the initiative, which was the first bug-bounty program run by a federal agency. And because DOD’s traditional response to outsiders poking around in its systems is to threaten prosecution, getting Hack the Pentagon off the ground required significant planning and persuasion.
“We spent a tremendous amount of time with our legal team and all of the stakeholders across the departments to make sure that we defined our rules and restrictions down to a T,” Wiswell told FCW. “You have to make sure that you tell folks what they can do and, almost even more importantly, what they cannot do.”
She managed communications and expectations throughout the initiative, ensuring that DOD stakeholders, participating hackers and the contractors that helped manage the process knew what to expect.
The results impressed Defense Secretary Ashton Carter, who said the experiment illustrated the Defense Digital Service’s ability to “drill tunnels through the walls that too often separate the Pentagon from America’s wonderful and innovative technology base, one of our nation’s greatest sources of strength.”
DOD issued a request for proposals in August to secure contractor support for a permanent bug-bounty program.