
Hacking the Hackers


If you can’t beat them, join them. Ethical hacking has become a routine practice in government to help agencies get ahead of ever-evolving cyber threats. Ethical hackers, also known as white hat hackers, are cybersecurity professionals who use their skills to identify vulnerabilities in systems before bad actors can exploit them. These hackers simulate real cyber attacks and report their findings to organizations so they can improve their security defenses.

The Department of Defense was an early adopter of ethical hacking. It launched the “Hack the Pentagon” program to incentivize ethical hackers to apply their skills to discover IT vulnerabilities. This bug bounty program pays hackers when they find legitimate and potentially damaging software bugs that can become major vulnerabilities. Hackers are paid based on the severity of the bug found and how difficult it was to discover.

The launch of the program had 1,400 hackers sign up, and the first vulnerability was identified in 13 minutes. Two hundred more reports were submitted in the first 6 hours. Since then, more than 47,000 vulnerabilities have been identified through subsequent events. These successes led the Office of Management and Budget to require all federal agencies to develop similar programs.

Since 2020, the Cybersecurity and Infrastructure Security Agency has helped more than 40 federal agencies develop programs that share vulnerability research findings. This widespread use of ethical hacking results in a faster time to remediate (38 days on average) with an 89% remediation rate for all validated vulnerabilities.

The use of ethical hackers also addresses the cybersecurity skills shortage. By drawing on the expertise of cyber professionals in these short-burst projects, the government can get the cyber expertise it needs without having to recruit, train, and retain cyber talent. It also gives agencies access to expertise on emerging technologies such as generative artificial intelligence.

For more details on innovative approaches to cybersecurity in government, check out these resources on GovWhitePapers and GovEvents:

  • Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity (white paper) – Pro-Russia hacktivists target vulnerable industrial control systems in North America and Europe. This fact sheet shares information and mitigations associated with this malicious activity.
  • Making a Case for Cybersecurity (white paper) – Establishing a robust cybersecurity program that protects an organization against modern threats is essential. Such a program ensures that an enterprise is protected from harm and resilient against potential attacks from individuals or groups seeking to harm it.
  • Bugs Framework: Formalizing Cybersecurity Weaknesses and Vulnerabilities (white paper) – The Bugs Framework (BF) is a classification of security bugs and related faults with multi-dimensional weakness and failure taxonomies that features a formal language for the unambiguous specification of security weaknesses and vulnerabilities. The goal of BF is to help better understand and detect software, firmware, or hardware security weaknesses and vulnerabilities, as well as to resolve or mitigate them.
  • Cyber Defenders Workshop (March 4, 2025; virtual) – What does it mean to be a cyber defender? In this workshop presented by Nextgov/FCW, government and industry leaders will unveil proactive strategies to mitigate risk, keys to remaining vigilant against ever-changing cyber threats, and the latest cybersecurity best practices.
  • Certified Ethical Hacking Course: CEH Certification Boot Camp (March 24-28, 2025; virtual) – Delve into the tools and techniques used by cybercriminals. Gain in-depth training in ethical hacking methodologies through lectures and hands-on labs.
  • DEF CON 33 (August 7-10, 2025; Las Vegas, NV) – This event is one of the world’s longest-running and largest hacker conventions. Government security researchers, cyber staff, developers, IT employees, and law enforcement join black- and white-hat hackers at this conference to better understand the significant vulnerabilities facing public and private sector technology, systems, and products.

Explore GovWhitePapers and GovEvents for more insight on how the government is strengthening its cyber resilience.
