Every year, the Pentagon spends hundreds of millions of dollars protecting its computer systems from hackers. But for the next few weeks, U.S. defense officials are changing their strategy: they're inviting hackers to attack the Pentagon.
The "Hack the Pentagon" pilot program, which began Monday and lasts until May 12, allows hackers to attack certain Department of Defense public websites as a way to identify cyber security weaknesses.
U.S. officials stress no sensitive "mission-facing" computer systems will be involved in the program. They also say that all hackers must undergo a background check and meet other qualifications.
But if they succeed in exposing security flaws, the hackers could receive cash rewards.
Large companies have for years used such "bug bounty" programs as a way to boost cyber security. But this is the first time the U.S. federal government has ever used such a program. Many experts say the move was long overdue.
"Hackers will look at your systems anyway," says Mikko Hypponen, the chief research officer at F-Secure, an online security and privacy company. "And once they find vulnerabilities, do you want them to tell you or do you want them to do something bad, or maybe sell them to someone else?"
And it's true - U.S. Department of Defense (DoD) websites are already subject to a dizzying number of cyber attacks. In 2012 alone, DoD public websites had four billion visits, according to Christopher Lynch, who heads the Pentagon's new U.S. Digital Service. He says 25 percent of the visits were nefarious in some way.
"Think about that – a billion attempts to undermine security. And that’s just a couple of websites," Lynch said in a recent article published on TechCrunch. "It’s a mind-numbing challenge that we have to step up to."
Shift in strategy
Katie Moussouris, a consultant who helped the Pentagon launch the bug bounty, calls the program a significant shift in cyber security strategy - from punishing hackers to attempting to work with them.
"Before this pilot, there was really no legal way for a hacker to report [security flaws] to the U.S. government, because essentially all of the activities that are allowed in this pilot are technically illegal under U.S. law," she told VOA.
Moussouris says the program could also help improve relations between the U.S. government and the tech industry - a relationship that has suffered after the fallout over the intelligence leaks by ex-security contractor Edward Snowden.
'Cyber Pearl Harbor'
In recent years, top U.S. officials have warned of the danger of a cyber attack that could disrupt the country's critical infrastructure. Most notably, ex-Defense Secretary Leon Panetta warned in 2012 of the possibility of a "cyber-Pearl Harbor," referring to the Japanese attack on a U.S. naval base in 1941.
Those security risks were underscored more recently by a cyber attack on the Office of Personnel Management, the U.S. federal government's human resources agency. The attack, discovered in 2015, resulted in the theft of personnel data on millions of U.S. federal employees and their families.
Hypponen, the cyber security expert, also points to other recent examples of cyber attacks, including an attack last year that originated in Russia that resulted in widespread power outages in Ukraine.
"Cyber warfare and cyber attacks are not just theory," he says, adding that the U.S. is particularly vulnerable. "The United States is arguably the most technologically dependent nation on the planet. It brings you great benefits but it does open you up for new kinds of risks."
Given the risks, he says it is an "obvious step" to employ bug bounty programs. "You want the hackers to be on your side. You don't want to fight them. You want to work with them," he says.