SECRETARY OF DEFENSE ASH CARTER: Good afternoon.
It's great to be here this afternoon with a few of the dedicated people who defend our networks every day, as well as some of the technologists and hackers who have contributed to our defense mission by taking part in Hack the Pentagon, the first bug bounty of its kind in the Department of Defense [sic: in the federal government].
Hack the Pentagon is a direct result of one of the first initiatives I announced as part of the Force of the Future. When I created the Defense Digital Service, or DDS, I charged Chris Lynch -- right here -- with bringing in talent from America's most innovative sectors for a tour of duty to help us solve some of our most complex problems.
They've helped us drill tunnels through the walls that too often separate the Pentagon from America's wonderful and innovative technology base, one of our nation's greatest sources of strength.
The team of technologists at DDS has helped address some really important problems, like improving data sharing between the DOD and V.A. to make sure our veterans get access to their benefits. Over the past several months, DDS has worked closely with Defense Media Activity and several other dedicated components within the Pentagon to achieve another important milestone, our first successful bug bounty.
Now, bug bounties are a widespread practice in the outside world, and the concept is relatively simple: a company offers incentives to outside researchers, what most of us would call white-hat hackers, to test the security of its networks and applications, and report what they find, so the company can fix the vulnerabilities.
It's a challenge for the white-hat hackers -- which they like -- and it's a whole lot better for the company than learning the hard way, after the fact. And that is, that a black-hat hacker or a nation-state has exploited vulnerabilities to steal data or destroy data, or accomplish some other nefarious purpose.
While companies like Microsoft, and Google and Facebook have used this approach to crowdsource security for several years, no federal agency had ever offered a bug bounty.
So we asked the question, why couldn't we use this tool to complement our -- the terrific work of our own, in-house cybersecurity experts? And we face a competitive world, one that requires us at the Pentagon to think, as I always like to say, outside of our five-sided box, and constantly challenge ourselves to do things differently.
Through this pilot, we found a cost-effective way to supplement and support what our dedicated people do every day to defend our systems and networks, and we've done it securely, and we've done it effectively and cost effectively, in this case.
All told, more than 1,400 eligible hackers were invited to participate in Hack the Pentagon, and more than 250 of them found and submitted at least one vulnerability report.
As these reports arrived, we worked to remediate them in real time with support from a contractor, HackerOne.
Of all the submissions we received, 138 of them were determined to be legitimate, unique and eligible for a bounty. To -- by -- and otherwise, would have been trouble, said differently. That's why they're eligible for a reward.
Today, a little more than a month after the pilot finished, we've remediated each and every one of these vulnerabilities found. In total now, this pilot cost $150,000. It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.
Also, by allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them.The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.
My focus on making our operations more efficient and cost-effective at DOD is one of the reasons why we're aggressive -- investing so aggressively innovation. From innovation to people, to innovative practices, to innovative technologies and through Hack the Pentagon, we've combined all three of those elements and to considerable success.
Beyond the security fixes we've made, we've built stronger bridges to innovative citizens who want to make a difference to our defense mission. Individuals from across 44 states joined the bug bounty and submitted reports, and I'm pleased that two of our bug bounty participants have joined us today;Craig Arendt right here -- this guy -- and David Dworkin , that guy right there. There's two of our bounty men.
Craig is a prolific security researcher who helped us identify a number of vulnerabilities and David is a high school student who lives right here in the Washington area. For them and many others, this was about more than a reward or a bounty, it was about an opportunity to contribute to making our country safer.
Wherever I go around the innovative hubs of this country, I find that people in the most innovative parts of our economy and society and there because they want to do things that truly matter -- and they know that national security really matters. They want to spend their energies on issues of consequence and we have plenty of them.
There's also a sense of responsibility they have that comes with their knowledge and technical expertise. That's a lesson that was imparted to me, in my own career, by many of my older scientists and a lesson that many technologists and innovators appreciate today.
But while many of our nation's innovators are motivated by this spirit, they too often lack avenues to channel it. For instance, when it comes to the security of DOD networks and systems, there's no reporting mechanism, no standing reporting mechanism or pathway for them to tell us where we might be vulnerable, and sometimes there are legal hurdles to that.
This bug bounty provides one such pathway, but as another way to build on Hack the Pentagon's success, we're doing something else. First, creating a central point of contact – a standing point of contact for researchers and technologists to safely and securely submit information about DOD security gaps that they come upon.
And second, we're working to expand bug bounty programs to other parts of the department so that the security benefits DMA has worked to achieve through this pilot can be replicated in other parts of our enterprise. I'm directing all DOD components to review where bug bounties can be used by them as a valuable tool in their own security tool kit.
And third, we're going to include incentives in our acquisition guidance and policies so that contractors who work on DOD systems can also take advantage of innovative approaches to cybersecurity testing. For example, in some circumstances, we will encourage contractors to make their technologies available for independent security reviews such as bug bounties before they deliver them to us. This will help them make their code more secure from the start, and before it's installed on our system.
So, by offering U.S. researchers an avenue, albeit with important safeguards, for reporting vulnerabilities and gaps, we've done more with this pilot than make our networks more secure for the short term. We've built relationships of trust for the long term. We've provided a road map for other government departments and agencies to crowd-source their own security.
When it comes to information and technology, the defense establishment usually relies on closed systems. But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.
We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.
I want to take a moment now to personally thank -- congratulate the two individuals who participated in the bug bounty, thank all the folks from the department who created Hack the Pentagon, and then I'll take a few questions from you all before I get a chance to take David and Craig back once again and chat a little bit more in my office.
So with that, where are we here?
(CROSSTALK)
SEC. CARTER: Okay. Look at this guy. Look at this guy. Did you own a suit like that in high school?
(Laughter.)
(APPLAUSE)
It's not a suit, but it's still pretty sharp looking.
And Chris never wears a suit.
(CROSSTALK)
STAFF: All right. The secretary's got time for two questions -- (inaudible) -- wrap up.
(CROSSTALK)
STAFF: Mr. Secretary -- (inaudible).
STAFF: Tara's got the first question.
SEC. CARTER: Okay. Tara?
Q: Mr. Secretary, on Hack the Pentagon, would you please tell us what kind of vulnerabilities you found and what kind of risks they posed to the Pentagon?
And then on Fallujah, could you confirm for us that ISF has entered and retaken Fallujah? And give us a little bit of a detail on what sort of role U.S. advisers had in supporting this operation?
SEC. CARTER: Sure. And I can actually give you a better answer to the second part than the first part. You've got the right people here. I'll let Chris answer the first part a little bit later, Tara.
But it's a wide range of vulnerabilities, and he can sort of spell them out. But the good thing about this is they're reported to us. These are ones we weren't aware of. And now we have the opportunity to fix them. And again, it's a lot better than either hiring somebody to do that for you, or finding out the hard way. But I'll let Chris talk about the variety of bugs.
With respect to Fallujah, ISF forces have entered the city. They are in control of a portion of the city. I think it's too early to say all of the city. They have done that under the command of Prime Minister Abadi, and with the support of the United States, including -- and to -- in response to your question, all kinds of support.
But advice and assistance, and air support, and all the other enablers that were -- we provide for the Iraqi Security Forces, or at least the ones that they requested in this particular case.
So, this is an important objective, and it's important that it was accomplished by the Iraqi Security Forces under the command of Prime Minister Abadi, because that's an important principle for us, for Iraq to be -- put itself back together as a whole in the long run.
But they -- it will -- their -- I can't tell you that the entire city is under the control of the ISF. This -- there's still some fighting to be done, I'm sure. But there is a -- a portion of the city, and I think that that has been reported by the Iraqi government who are commanding the operation.
STAFF: Mr. -- (inaudible).
Q: (off-mic)
STAFF: Go ahead.
Q: Mr. Secretary, tell us what you know about this Russian attack on a U.S.-backed group of opposition fighters in Southern Syria. And do you think it was deliberate? And what do you plan to do about it?
SEC. CARTER: We have. I -- we -- I can tell you what we -- I know on the basis of the reports that we've received so far.
This was an attack on forces, first of all, that were fighting ISIL. And obviously, that's the first thing that's problematic about this Russian conduct, because if you go back, remember, the Russians initially said that they were coming in to fight ISIL.
And that's not what they did. Now, this -- they mostly supported Assad and fueled the civil war. But here's a case where they actually attacked forces that were -- were fighting ISIL.
And if that's the -- their -- it was their intention, that's the opposite of what they said they were going to do. If not, then it's -- says something about the quality of the information upon which they make airstrikes.
And the other thing is that the channel that we have to communicate with them in instances like this wasn't professionally used. So, we're trying to (inaudible) clarify the facts and use that channel with the Russians to understand what went on there.
But that's what we know at this time.
(CROSSTALK)
Q: Mr. Secretary, yesterday, the CIA director testified that despite some 13,000 coalition airstrikes over the past two years against ISIS, denying them territory and constraining their finances, ISIS has become more connected as a global organization. Its terror capacity remains undiminished.
(Inaudible) -- 13,000 airstrikes, the very feature -- excuse me, 13,000 airstrikes hadn't diminished the very feature that -- of the group that most Americans find concerning, its terrorism capability
shouldn't the coalition strategy be seen as fundamentally failing?
SEC. CARTER: Well, the -- the strategy has three parts to it, of which the campaign in Iraq and Syria, which is showing results is necessary but not sufficient.
It is essential that we destroy ISIL in Iraq and Syria, but that's not going to constitute the end of ISIL and the terrorist threat it poses to the United States. That's absolutely right. There are other places around the world to which ISIL has spread and then we have to protect our own homeland as well, which is mostly a law enforcement and intelligence matter, but we try to support where we can.
So one has to do all of those things, that's absolutely right, in order to protect us from ISIL, and those are the -- the -- the part of the campaign plan that we outlined some year ago or so.
Thank you all very much. Appreciate it.