Three ways the Pentagon is hacking bureaucracy

By Nurfilzah Rohaidi

National security experts share their insights into overcoming bureaucracy, transforming procurement, and helping teams become more effective.

It is not everyday that you get an invitation to hack the Pentagon. But in 2016, the US Department of Defense (DoD) did precisely that, inviting 80 white hat hackers to attack its websites and look for weaknesses.

“It was the first time that we actually had allowed hackers to come in from any place in the United States and some partner nations,” Chris Lynch, former Director and Founder of the Defense Digital Service said recently. Previously, “it was illegal for hackers to do this, even if we wanted them to help us”, Lynch noted.

This was the start of the Hack the Pentagon bug bounty programme, which crowdsourced for vulnerabilities and helped the defence department to strengthen its systems, Lynch remarked. He was speaking on a panel at the Singapore Defence Technology Summit, held on 26-28 June by the Defence Science and Technology Agency, where panellists shared how agencies can learn from their experiences in agile service delivery.

Move faster than the bureaucracy

Speed was of the essence for the bug bounty programme to be approved, Lynch noted. “I knew that if it was going really, really slow, then they would actually shut us down,” he quipped. “I just wanted to get done by the time anybody noticed.” Lynch, who made a name for himself in Silicon Valley as an advocate for rapid experimentation, was instrumental in triggering a cultural shift in the DoD.

Hack the Pentagon only took “about four months, from starting the team to actually executing”, Lynch said. In 2017, the DoD resolved nearly 500 vulnerabilities in public facing systems through this programme.

Lynch added that Congress now uses the same concept for other federal agencies. “We've continued to take that model, move very, very fast and prove results,” Lynch said. There have been sequels: Hack the Marine Corps, Hack the Army and Hack the Air Force, for instance.

Procurement reform can be a game changer

In the same vein, panellist Dr Will Roper, Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, noted how “two months in the startup realm is just simply too slow if you're a very small business”. So in October last year, the Air Force began trialling a new procurement process that would award contracts to companies within days.

Through this initiative, startups can pitch their ideas to government, win contracts and get money deposited into their bank accounts “15 minutes after their pitch was over”, Dr Roper said. “It's completely changed the game,” he added.

He pointed out that the Air Force needed to work with companies in a way that would not turn them into “defence products”. “The companies that are changing the world right now were once small and we weren't there,” Dr Roper noted, referring to tech giants such as Google.

He has also recently advocated for the military to change its contract award process to make it easier for artificial intelligence developers to work with them, Executive Biz reported.

Help your technical teams take risks

To fail fast, leaders should help their technical teams to take risks, said Lynch, formerly of the Defense Digital Service. “What does it matter if everybody has the best team if they don't actually have the ability to control their own future and their destiny?” he noted.

In that spirit, he gave technical teams the ability to waive any DoD policy “if it was in the way of the mission” during his stint at DoD. Lynch emphasised that this was only allowed if done “judiciously”, but it enabled teams to innovate more ambitiously and go after “really, really hard problems”.

“We wouldn't be on the path of something like JEDI cloud right now, if we hadn't gone with such a very strong attitude that this was really important,” he continued. He was referring to the $10bn defence cloud contract that made headlines earlier this year.

Lynch concluded with a piece of advice for agencies to be truly agile: instead of focusing on the number of sprints and minimum viable products, the only thing that matters is to generate results quickly. “The amount of time it takes for a software engineer to write a piece of code and have it show up in the production system is the only metric that matters,” he emphasised.

In days past, people would be jailed for life for hacking the Pentagon. But a new spirit of cautious openness has helped the US military plug the gaps, learn from others, and move even faster.