Bug bounty programs have long been used by private corporations, especially those in the technology sector, as a cost-effective way to fix product issues and improve product security. In these programs, outside hackers are paid by organizations to legally expose cybersecurity vulnerabilities, which are then addressed internally. However, until recently, the U.S. Department of Defense (DoD) was not open to crowdsourced improvements to its cybersecurity infrastructure, strictly enforcing the Computer Fraud and Abuse Act against those attempting to hack its websites and systems. This changed in 2016, when the DoD stopped relying solely on internal personnel for its information security initiatives by experimenting with controlled bug bounty programs in which civilians were invited to expose vulnerabilities in public-facing DoD websites. Since then, the DoD has paid out over $350,000 to “ethical hackers” through its growing bug bounty programs, which are facilitated by private sector vulnerability coordination platforms such as HackerOne and Synack.
This method of open innovation is now becoming important to the DoD for three reasons. First, cultivating and maintaining cybersecurity talent is difficult. An October 2018 GAO report cited the DoD’s challenges with “[hiring and retaining] cybersecurity personnel, particularly those with weapon systems cybersecurity expertise,” as well as the tendency for DoD cybersecurity professionals to leave for better paying private sector jobs after gaining enough experience. Second, the DoD recognizes that sourcing more minds and expanding creativity to identify problems and solutions to cybersecurity challenges is crucial. As the director of the Defensive Digital Service has said, “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative.” Finally, the DoD recognizes the cost-effectiveness of bug bounties, having paid $150,000 to hackers for verified results in its pilot program, compared to an estimated $1 million had the Department gone through the “normal process of hiring an outside firm to do a security audit and vulnerability assessment.”
In the short term, following the success of its “Hack the Pentagon” pilot program, the DoD has continued to replicate such time-bound bug bounty programs throughout its branches (Army, Air Force, etc.). The Department is also running and refining its Vulnerability Disclosure Policy (VDP), its ongoing policy and process for security researchers to report vulnerabilities in any DoD public-facing website or web application, which is separate from the bug bounty programs. As ideas to improve the DoD’s web security flow in from citizen hackers, the Department needs to learn to effectively manage this feedback loop. Given the lack of monetary incentives tied to the VDP, the DoD will need to react to discovered vulnerabilities in a timely manner, communicate the action(s) taken on submissions, and reasonably communicate the impact and outcomes of the process in order to attract future participation (and further scale) at very little cost.
In the medium term, the DoD seeks to elevate the capabilities and influence of the Defensive Digital Service agency beyond its current role of administering ad hoc bug bounty programs and the VDP. The agency’s mandate is to help the DoD close its technology talent and capability gap relative to the private sector in building its critical systems, which requires openness to both external innovation and better sharing of innovative solutions internally. To achieve this, it will need to sustainably build a shared culture of appreciation and acceptance of the idea that the DoD benefits from dramatically expanding the number of ideas originating from both civilian outsiders and other teams within the DoD. This will prove challenging for an organization that has traditionally (and understandably) been insular, secretive, and uncooperative with outsiders and even across branches. To bring the DoD’s technology talent and capabilities more in line with the private sector, the DoD needs to transition toward a more fast-moving, iterative systems improvement process that can increase output and attract talent. Again, this will be a major operational and cultural undertaking within a slow-moving, highly conservative bureaucracy.
Moving forward, the Department will inevitably move closer to addressing the most sensitive question of all: will crowdsourced ethical hackers have any role to play in the improvement of our nation’s most critical defense information and weapons systems? If so, how should the DoD define the scope and boundaries of the problems to be solved, and who can solve them, without jeopardizing national security while still addressing cybersecurity challenges of critical impact? And as these programs expand in scope and sensitivity, will the current system of working with private sector cybersecurity coordination platforms such as HackerOne need to change in order to adequately source the volume, level of expertise, and security clearances that this new frontier of DoD cybersecurity problems requires?