Eighteen-year-old high school student David Dworken spent a total of 10-15 hours between classes on his laptop, and in that time, the teen hacked into the Pentagon, finding bugs in U.S. Department of Defense websites, Reuters reported. Instead of being punished or even thrown in jail, however, Dworken was praised by Secretary of Defense Ash Carter at the Pentagon Friday for the hacks, which helped pinpoint vulnerabilities ahead of U.S. enemies.
The teen was one of more than 1,400 participants in “Hack the Pentagon,” a pilot project launched earlier this year, and the hackers have already submitted 138 valid vulnerability reports on the department’s websites. The pilot project invited hackers to test the cybersecurity of some public Defense Department websites, but participants did not receive access to highly sensitive areas of the Pentagon online.
“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks… what we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference.”
In recent months, the U.S. government has implicated both China and Russia in hacks that attempted to access classified websites, including the Pentagon.
Although a total of around $75,000 was paid to the successful participants in Hack the Pentagon, Dworken will not receive compensation for the vulnerabilities he exposed because they had already been reported. Still, the teen – who graduated last week from Maret high school in Washington, D.C. – successfully completed several Pentagon hacks during the project. His work clearly demonstrates his knowledge of cybersecurity, resulting in offers from several recruiters who are interested in hiring the teen as an intern, according to Hacked.
“It was a great experience. I just started doing more and more of these bug bounty programs and found it rewarding. Both the monetary part of it and doing something that is good and beneficial to protect data online in general.”
According to Carter, the total cost of Hack the Pentagon will be around $150,000, a sum that includes the reward money, which has been given out in amounts ranging from $100 to $15,000. Several follow-up initiatives are also planned by Pentagon officials, including the creation of a process that will allow hackers to report vulnerabilities without fear of legal repercussions.
“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost more than $1 million.”
Dworken said some of the bugs he found while participating in Hack the Pentagon would have permitted hackers to display whatever information they wanted on the websites and would have also allowed them to steal account information. The teen plans to study computer science at Northeastern University this fall and said his first experience with successful hacks that located website vulnerabilities happened in 10th grade when he found bugs online for his school.
Hack the Pentagon is modeled after competitions known as “bug bounties,” which are regularly conducted by U.S. companies in an effort to uncover network security gaps. Last week, Carter also mentioned security consultant Craig Arendt, thanking him for his work during the Pentagon’s pilot program.
Dworken isn’t the only teen who has been able to pull off hacks into major websites like the Pentagon and Defense Dept., however. In June, South Korean officials arrested a 16-year-old hacker for breaking into and defacing more than 3,800 websites in 87 countries in an attempt to prove himself to the Anonymous collective. In addition, a 16-year-old in Japan was charged with obstruction of justice after launching attacks on school websites that police say shut down the Osaka Board of Education website servers, affecting all 444 schools in the city.