Pentagon contractors go looking for software flaws as foreign hacking threats loom

Pentagon contractors go looking for software flaws as foreign hacking threats loom

The goal of the “Vulnerability Disclosure Program” (VDP) is to find and fix flaws in the email programs, mobile devices and industrial software used by Pentagon contractors before malicious hackers can take advantage of the vulnerabilities.

“We really wanted to focus on those smaller defense contractors that may not have all the budgets and resources,” said Melissa Vice, interim director of the Department of Defense Cyber Crime Center’s DOD Vulnerability Disclosure Program. The Pentagon declined to identify the participating contractors, or the exact software that was probed.

VDPs, in which vetted cyber specialists scour systems for flaws and report them internally, are common practice in the private sector. The Pentagon has been running a VDP since 2016, but the goal is to permanently expand the program to defense contractors following the pilot.

There is plenty of impetus. A week before Russia’s full-scale invasion of Ukraine in February, the FBI and other US agencies warned that Kremlin-backed hackers had acquired sensitive information on the development of US weapons by breaching American defense contractors over the last two years.
Meanwhile, a separate suspected Chinese hacking operation has breached multiple US defense contractors, CNN reported in December.

The National Security Agency, which is charged with helping protect defense contractors from hacking, is investigating both of the Russian and Chinese spying efforts.

Forty-one companies participated in the VDP pilot program for defense contractors. Some defense contractors in the pilot program were unaware that certain IT systems were publicly accessible until researchers pointed them out, Vice said.

But an estimated 300,000 companies comprise the US defense industrial base, according to Vice. Her next step is to figure out how to get regular funding for the program, and perhaps how to automate it so that many more contractors can participate.

“This is … a long-term look at how we can take that defense-in-depth layering and extend that umbrella of protection over the defense industrial base,” Vice told CNN.