Hack the Pentagon: How the US government used cheap labour to find 100 cybersecurity flaws

Top officials at the US Department of Defense (DoD) have praised the work of a 1,400-strong pool of white-hat (ethical) hackers that took part in the Pentagon's bug bounty programme, while boasting the cost of the audit was "essentially free".

Speaking during a technology forum in Washington DC, and first reported by the Washington Times, Defense Secretary Ashton Carter said the so-called Hack the Pentagon initiative, which ran from April to May this year, exceeded the US government's expectations by finding roughly 100 security flaws in non-classified computer systems.

"It's essentially free," Carter said. "You get all this talent and they're having a great time and you're getting a security audit for free. It's like, 'Wow, pretty good deal.'" He added that the hackers who registered were "helping us be more secure at a fraction of the cost".

"Why hasn't anybody in the federal government done that?" Carter reportedly asked the conference,referring to bug reporting. "There's not a really good answer to that, right? It's a pretty successful thing."

For many large technology firms such as Google, Facebook and Microsoft, bug bounties are common practice and routinely help to uncover and responsibly disclose security vulnerabilities in exchange for a financial reward.

When the Hack the Pentagon scheme was first launched, Carter said: "I am confident that this innovative initiative will strengthen our digital defences and ultimately enhance our national security." It initially planned to offer white-hats up to $15,000 (£10,600) to uncover security problems, however a detailed summary of how much has been paid out to date is yet to be released.

The federal government has long employed the use of so-called Red Teams to test its sensitive computer networks for security concerns, however Hack the Pentagon, marked the first time the opportunity was opened up to academics and the cybersecurity industry.

The US government has long been aware of the need for strong online protections. Indeed, the launch came amid rising tension after a number of high-profile cyberattacks targeting major US government departments – including one major incident that impacted the DoD, FBI and Homeland Security all at once.