Ever since Matthew Broderick broke into the Department of Defense in 1983's WarGames ("Shall we play a game?"), hacking the Pentagon has been a hacker's dream.
This year, the hackers got paid to do it.
As explained in a press release from HackerOne, from April 18 to May 12, the Department of Defense ran a "Hack the Pentagon" pilot program inviting a select group of hackers to attempt to break into DoD websites. Anyone who succeeded had the chance to win a "bounty" for reporting previously unknown vulnerabilities in Pentagon computers.
And a lot of them succeeded.
According to the final tally, a total of 1,410 hackers attempted to hack the Pentagon during the exercise, and on average they found nearly one bug per participant.
A total of 1,189 "reports" of vulnerabilities were submitted over the course of the exercise. Of these, 138 vulnerabilities were determined to be both "valid" and "unique" (i.e., multiple hackers identified some vulnerabilitie). The top three most common vulnerabilities found:
- Cross-site scripting (XSS), a vulnerability that allows a hacker to inject malicious code into a website.
- Information disclosure (of the unauthorized kind).
- Cross-site request forgery (CSRF), whereby a trusted user is able to issue unauthorized commands to a website.
According to HackerOne, "the most severe vulnerability submitted and the highest awarded was a SQL Injection," which can permit a hacker to change or destroy data in a database, disclose it publicly, or even take over as the administrator of the database.
Money well spent
In exchange for this wealth of information on its vulnerabilities, the Pentagon paid out a mere $71,200 in bounties.
That total cost of the program was approximately 100 times below the standard for materiality of $7 million that triggers a Pentagon obligation to report contract awards on its own contract website. That makes "Hack the Pentagon" one of the most cost-effective government programs in recorded history.
What it means to investors
Now contrast the effectiveness -- and the cost -- of Hack the Pentagon with the government's current business practice. In his recent book @War: The Rise of the Military-Internet Complex, Foreign Policy magazine writer Shane Harris explains the complicated web of hacking, sale to defense contractors including Harris Corporation (NYSE:LHX) and Raytheon (NYSE:RTN), and resale to the Pentagon, of so-called "zero day" exploits (i.e., not widely known computer vulnerabilities).
Hackers such as privately held Endgame compile and sell such hacks for up to $100,000 per vulnerability. Defense contractors such as Raytheon and Harris, who hold lucrative cybersecurity contracts with the Pentagon, then resell these vulnerabilities to the Department of Homeland Security and the Pentagon's own National Security Agency (NSA) -- presumably at a nice profit margin. (According to data from S&P Global Market Intelligence, Raytheon's Forcepoint cybersecurity division earns operating profit margins of 9.1%, while Harris' Government Communications Systems division earns 15.7%).
Uncovering, selling, and reselling computer hacks turns out to be big business. Harris' research reveals that while an ordinary zero-day exploit might start out at as low as $50,000 or as high as $100,000 (before mark-up), particularly valuable hacks can cost "half a million dollars."
According to Harris, the NSA alone spends $25 million annually buying hacks. What's more, while Hack the Pentagon's vulnerabilities were revealed directly to the Pentagon, Harris notes that in the hacking-for-profit world, commercially marketed hacks are routinely sold "to multiple clients, including government agencies in different countries" -- so the Pentagon is paying through the nose for these hacks, and not even getting exclusive access to the knowledge.
The Hack the Pentagon results suggest there may be a better way -- cut out the middleman, and buy direct from the hacker.