‘Hack the Air Force’: US invites Foreign Techies for ‘Bug Bounty’
The U.S. Air Force is inviting vetted computer security specialists from across America and select partner nations to do their best to hack some of its key public websites.
The initiative is part of the Cyber Secure campaign sponsored by the Air Force’s Chief Information Office as a measure to further operationalize the domain and leverage talent from both within and outside the Department of Defense.
The event expands on the DoD ‘Hack the Pentagon’ bug bounty program by broadening the participation pool from U.S. citizens to include “white hat” hackers from the United Kingdom, Canada, Australia and New Zealand.
“This outside approach–drawing on the talent and expertise of our citizens and partner-nation citizens–in identifying our security vulnerabilities will help bolster our cybersecurity,” said Air Force Chief of Staff Gen. David Goldfein.
“We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team.”
White hat hacking and crowdsourced security concepts are industry standards that are used by small businesses and large corporations alike to better secure their networks against malicious attacks. Bug bounty programs offer paid bounties for all legitimate vulnerabilities reported.
“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim.
“We have malicious hackers trying to get into our systems every day.”
“It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture.”
“The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
Kim made the announcement at a kick-off event held at the headquarters of HackerOne, the contracted security consulting firm running the contest.
“The whole idea of ‘security through obscurity’ is completely backwards. We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community,” said Chris Lynch of the Defense Digital Service (DDS), an organization comprised of industry experts incorporating critical private sector experience across numerous digital challenges.
The competition for technical talent in both the public and private sectors is fiercer than it has ever been according to Kim. The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields.
Keen to leverage private sector talent, the Air Force partnered with DDS to launch the Air Force Digital Service team in January 2017, affording a creative solution that turns that competition for talent into a partnership.
In fact, Acting Secretary of the Air Force Lisa S. Disbrow and Gen. Goldfein visited the Defense Digital Service and Air Force Digital Service in early April to discuss a variety of initiatives the Air Force can benefit from.
“We’re mobilizing the best talent from across the nation and among partner nations to help strengthen the Air Force’s cyber defenses.”
“It’s an exciting venture, one that will make us better, and one that focuses an incredible pool of capabilities toward keeping our Air Force sites secure,” said Acting Secretary Disbrow.
The DoD’s ‘Hack the Pentagon’ initiative was launched by the Defense Digital Service in April 2016 as the first bug bounty program employed by the federal government.
More than 1,400 hackers registered to participate in the program.
Nearly 200 reports were received within the first six hours of the program’s launch, and $75,000 in total bounties was paid out to participating hackers.
Former Secretary of Defense Ash Carter extended personal thanks to:
- Craig Arendt, a computer security researcher, who helped the DoD identify a number of vulnerabilities, and
- 18-year-old David Dworken, who recently graduated from a Washington D.C. high school and also submitted several vulnerabilities during the competition
(Courtesy of the Department of Defense and YouTube)
The Hack the Pentagon pilot launched on April 18, and ran until May 12.