SAN FRANCISCO—U.S. Secretary of Defense Ashton Carter provided his views on encryption and why being open to innovation is important for the nation’s defense. Addressing attendees at this year’s RSA Conference, Carter also detailed the new “Hack the Pentagon” effort, aimed at engaging security researchers in helping identify potential security vulnerabilities.
“We have to think outside the five-sided box,” he said.
The five-sided box is a reference to the Pentagon, home of the Defense Department, and the Hack the Pentagon project is essentially a bug-bounty program for the DOD.
“There are black hats out there, but we’re looking for white hats,” Carter said.
The DOD is trying to adopt a best practice and invite people to attack it—an effort designed to find vulnerabilities, said Carter, who described the Hack the Pentagon program as a way to crowdsource expertise and get access to skilled people.
“You’d much rather find the vulnerabilities in your networks this way than the other way,” meaning through a breach or some other attack from malicious threat actors, Carter said.
Bug bounties are increasingly common in the commercial sector, with individual companies running programs. Some vendors like HackerOne and Bugcrowd run bug-bounty programs on behalf of companies.
The Hack the Pentagon effort is the first such program at the DOD, which is seeking to learn from the endeavor, Carter said. “It’s an example of using best practices in the government. I’m not doing this for fun. I’m doing it for utility.”
Carter said he’s trying to create a culture of innovation at the DOD to help it execute on its mission of defending the nation. “If you don’t take risks and are not willing to fail, you won’t get anywhere.”
Carter also made a few brief comments on the ongoing Apple-FBI debate over encryption related to the iPhone 5C used by one of the terrorists involved in the San Bernardino, Calif., shooting late last year. The FBI-Apple case is not a DOD matter; it’s a legal and a law-enforcement issue, he explained.
That said, he noted that data security, including encryption, is essential to the DOD. “We’re behind data security and strong encryption—no question about it. I’m not a believer in backdoors or a single technical approach to what is a complex issue.”
Industry and government must work together to achieve a sensible result when it comes to data security and privacy, Carter said, adding that it is a solemn trust to be the U.S. government. “We are not anybody else; we are the government, and it’s fair that people hold us to a higher standard.”
Carter also commented on the use of cyber-weapons in the battle against the Islamic State. While he did not provide any specifics about the weapons, he said the goal is nothing less than achieving victory over the terrorists. “We will and we must defeat ISIL. We’re looking at all the ways we can accelerate that defeat.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.