Air Force wants bug bounties to tackle cyber threats deep in its supply chain

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Air Force has run three separate bug bounties to test the cybersecurity of its IT systems so far. And while they’ve managed to find hundreds of vulnerabilities, the service wants to take the approach much farther, including by inviting hackers to probe for weaknesses in its parts supply chain and its satellites.

The “Hack the Air Force” competitions have, so far, focused on the service’s public websites and its Cloud One environment. While they’ve led to myriad security improvements, the approach has its limitations.

For one, it’s only finding vulnerabilities on systems that are already up and running. For another, it’s not addressing the vast array  of potential cyber vulnerabilities in areas of the IT landscape the DoD acquisition process doesn’t pay much attention to, like the embedded systems and subsystems deep in the supply chain which eventually make their way into military equipment.

“The government approach to supply chain management is really about trying to keep a counterfeit part from being put on an airplane,” Dr. Will Roper, the assistant secretary of the Air Force for acquisition, technology and logistics told a recent gathering at the Atlantic Council in Washington. “But what about embedded code? There’s code on almost everything — chips, boards, a small kernel that you can boot up as a diagnostic tool, and we don’t know it. So we’re going to have to fundamentally shift the way we approach this. If we actually want to be secure, the government needs to wake up and realize software is in everything, and that the provenance of our systems has to start with that root individual component.”

And finding vulnerabilities while they’re still in the supply chain — before they make their way into military systems — might be the real future of the Hack the Air Force concept, he said.

“My hope is that we can bring the ethical hacker community into our design process, that we can do bug bounties when we’re designing things and building prototypes, and that people can make a living just hacking Air Force systems before they go to production,” Roper said.

The Air Force has already conducted at least one dry run of the hack-a-subsystem notion. At last year’s DEFCON conference in Las Vegas, it gave hackers access to a boutique system that transfers data between ground computers and F-15 aircraft.

“When we’re thinking cybersecurity for the F-15, we’re really thinking about cybersecurity once that jet is flying, and we have pretty good processes for that. But at some point, an airman has to take that data system to the jet. Well, that has access to the jet, and what if [an adversary gets] access to that? So we wanted to see if the ethical hacker community could hack the soft underbelly that we don’t think about. And they were able to do it,” Roper said. “What they told me was the ways they got in were not the things we told industry to design. They were the things industry doesn’t know is in their supply chain. Our defense companies are assemblers from the supply chain. They don’t require their suppliers to tell them what software functionality is running on components, because we don’t tell industry to do that. But we’ve got to start doing that.”

More bug bounties could mean restricting participation

There are challenges involved in using bug bounties in the way Roper’s imagining. In past iterations of Hack the Air Force, the competition has been open to pretty much anyone, and the Air Force was the first federal agency to allow participation by non-U.S. citizens.

But when it comes to that soft underbelly, for obvious reasons, the service wants to be more restrictive in who it allows to participate.

That’s a problem the Air Force is starting to think through as part of it’s the next partnership it’s planning with ethical hackers. At next year’s DEFCON conference, it plans to give them a crack at a fully-operational military satellite. But first, officials will need to develop a process to both screen participants on security criteria and “downselect” to a relative handful of teams that are most likely to produce helpful results.

Advertisement
But once the Air Force selects its teams for the program — currently dubbed, informally, “Hack-a-Sat” — the theory is they might discover security vulnerabilities the service never would have thought to look for on its own, but that foreign adversaries might be able to exploit.

“Aside from the fact that it’s a unique piece of hardware with unique ground stations, it’s whizzing around the earth wicked fast — and you only have access to it certain times. We want to see if a team can do it,” Roper said. “But we also want the community to learn that cybersecurity and space is important. We want future space companies to think that. We also want to see if the way we’re approaching cybersecurity is flawed. So maybe we’ll have a team that brings in a new trick and we’ll say, ‘Wait a second, we didn’t think of that.’”

Before the white hat hackers get a chance to red-team the live satellite, the Air Force plans to give them access to a virtual version of the same system so that they can examine it and plan their attack strategies.

Eventually — perhaps by next year, Roper said — the Air Force wants to get to a point where it’s using a similar approach for almost everything it buys: running each system through a hacking gauntlet before it’s incorporated into an active weapons platform.

“Typically in the Air Force, we build something that’s either a hardware-in-the-loop or a software-in-the-loop simulator before you go into production. It’s not the same form factor as the thing you’re going to produce, but it’s all the hardware and software that you need, and you can check it out. That’s the opportunity, and that’s where you want to run your bug bounty,” he said. “What I am working on with programs that are in their design phase is to put a bug bounty in with a prize schema, so that if you find a vulnerability, you get paid and you know how much. And I hope that the best talent in the world will just think, ‘Well, I can basically stay employed just hacking Air Force systems, because they’re fair with the rewards that they give.’ If we do that, the top talent will actually help us make systems more secure, which saves us money. So it’s win-win if we get this right.”