The Department of Defense Cyber Crime Center (DC3) has reported over 45,000 cybersecurity issues since the launch of its Vulnerability Disclosure Program (VDP) in 2016. The VDP, which aims to identify and remediate vulnerabilities in the Department of Defense Information Network (DODIN), relies on crowdsourced ethical hackers from 45 different countries. The hackers use tactics, techniques, and procedures to detect vulnerabilities in the network, with over 3,900 hackers contributing to the program.

DC3’s Director of Vulnerability Reports, Melissa Vice, noted that the program saw a significant uptick in reports during the COVID-19 pandemic. Pre-COVID reports averaged around 300 per month; in the first year of the pandemic, that rose to around 900 per month. In the second year, reports spiked to over 2,000 per month, with an average of 1,500 per month. With things now normalizing, Vice acknowledged that the program grew significantly during the pandemic.

The VDP is codified in the DoDI 8531.01 manual and is the sole focal point for all vulnerability reporting to Joint Force headquarters, DODIN, and U.S. Cyber Command. While there are other vulnerability reporting programs, such as that of the Cybersecurity and Infrastructure Security Agency, Vice noted that DC3’s program is unique in focusing solely on the DODIN. The program has also expanded its scope and now covers all publicly accessible DoD information systems and networks.

As cybersecurity threats become more sophisticated, the need for programs like the VDP continues to grow. With the use of artificial intelligence and machine learning in the cyber ecosystem, along with the expansion of the Metaverse, there are new vectors for exploitation. Organizations must prioritize the cyber-attack surface and vectors to mitigate threats and enhance resiliency and recovery.
