The Air Force on Wednesday became the second U.S. military service to move toward a crowdsourced approach to hunting down security holes in its systems, saying it would invite white hat hackers to try to penetrate some of its public websites in a bug bounty competition beginning in May.
Much like the Hack the Army competition that ran for a month beginning last November, the Air Force edition will ask registered hackers to target one particular subset of the service’s public-facing websites, though officials declined to identify the precise targets for the competition ahead of its official launch on May 30.
In a first for the Defense Department, however, the bounties will be open to residents of Canada, the U.K., Australia and New Zealand. The Army edition and a previous pilot program called “Hack the Pentagon” a year ago were only open to U.S. citizens.
DoD and the Air Force decided to expand the potential hacker pool to international participants because, they said, it provides a much more realistic picture of the variety of real-world threats military IT systems face. For now, though, they are wary of extending the invitation beyond the so-called “Five Eyes” nations, with which the U.S. has extremely close military and intelligence relationships.
“We’re entering new territory here with bug bounties being run against active military systems,” Peter Kim, the Air Force’s chief information security officer, said in an interview with Federal News Radio. “Attacks against those systems have different implications than attacks against Yahoo or Facebook might, so we wanted to make sure that there are open lines of communication between countries to be on the same page about whatever activity is occurring during those tests. Proceeding cautiously was well-advised.”
Hack the Air Force is being funded under a $3 million indefinite delivery/indefinite quantity contract the Pentagon issued last year to HackerOne, a firm that specializes in bug bounties and that also ran the Hack the Army and Hack the Pentagon challenges. As in the earlier competitions, successful hackers will earn payments based on the number and severity of the security problems they uncover.
Defense officials said they consider bug bounties a supplement to, not a replacement for, the formal security audits and red team exercises the military runs on its own systems, but that the earlier competitions had proved their value: Hack the Pentagon generated 1,889 reports of vulnerabilities that had previously escaped the attention of DoD’s cyber experts, and Hack the Army turned up 118 security holes, including at least one serious one that could potentially have given malicious hackers access to sensitive Army personnel systems.
Kim said those early successes had already begun to influence the way the Air Force performs its everyday defensive cyber missions.
“Traditionally, it’s the certification and accreditation process and it’s largely a paperwork-driven drill where they come to me for my signature on a weapons system or a logistics system to say, ‘It’s okay, it’s secure,’” he said. “But the system as it’s deployed never really matches up with the ‘as-designed,’ so as a CISO I’d really like to know how vulnerable a system really is to adversaries. You have to do something like a bug bounty to constantly get ahead of this problem instead of waiting for events to occur and being reactive. You have to be proactive these days, and I think that’s something that U.S. Cyber Command and the 24th Air Force are going to move to very rapidly in the future. A paperwork drill gets you some sense of how secure you are, but the real test comes when these programs are unleashed on you.”
Successful bounty claimants in DoD’s previous bug bounties have ranged from full-time cybersecurity professionals to ambitious high school students, and prizes have ranged from $100 to $15,000 depending on the vulnerabilities they discovered.
Alex Rice, HackerOne’s chief technology officer and co-founder, said the value of the hacking challenges, in both the public and private sectors, came largely from the diversity of their participants.
“You get people of all backgrounds and all motivations,” he said. “We’ll get people from active military red teams to security consulting firms and academics. In our traditional industry programs, you get people participating partly for the intellectual challenge but mostly for the financial reward. But when we run these government programs, we also see a new profile of person who’s really driven by patriotic reasons and contributing to their country, which means we also see participation from people who don’t normally sign up for bug bounty programs. That’s a really powerful dynamic.”
The bug bounty is one of the first formal projects of the fledgling Air Force Digital Service, an offshoot of the U.S. Digital Service and the Defense Digital Service that former Air Force secretary Deborah Lee James created as one of her last official acts in the waning days of the Obama administration.
And despite some initial uncertainty about the Trump administration’s level of enthusiasm for the nontraditional approach to IT modernization embodied in the digital services, Defense secretary James Mattis has become a big proponent, said Reina Staley, the co-founder and chief of staff of the Defense Digital Service.
“During the transition, it was certainly unknown territory for us, and it definitely required a lot of relationship building,” she said. “Secretary [Ash] Carter, the former Defense secretary, was very tech-minded. This administration isn’t as much, but we definitely have built good relationships. Secretary Mattis and his team understand the value and importance of these programs, so I think we’re in good shape. The success of what we’ve done in the past is really inarguable, and I think people really value us being able to incorporate these practices into the DoD in a new and innovative way.”