SAN FRANCISCO — The Air Force is inviting vetted computer security specialists from across the U.S. and select partner nations to do their best to hack some of its key public websites.
The initiative is part of the Cyber Secure campaign sponsored by the Air Force’s Chief Information Officer as a measure to further operationalize the domain and leverage talent from both within and outside the Defense Department.
The event expands on the DOD ‘Hack the Pentagon’ bug bounty program by broadening the participation pool from U.S. citizens to include “white hat” hackers from the United Kingdom, Canada, Australia and New Zealand.
“This outside approach—drawing on the talent and expertise of our citizens and partner-nation citizens—in identifying our security vulnerabilities will help bolster our cybersecurity. We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team,” said Air Force Chief of Staff Gen. David L. Goldfein.
White hat hacking and crowdsourced security concepts are industry standards that are used by small businesses and large corporations alike to better secure their networks against malicious attacks. Bug bounty programs offer paid bounties for all legitimate vulnerabilities reported.
“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Peter Kim, the Air Force Chief Information Security Officer. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
Kim made the announcement at a kick-off event held at the headquarters of HackerOne, the contracted security consulting firm running the contest.
“The whole idea of ‘security through obscurity’ is completely backwards. We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community,” said Chris Lynch of the Defense Digital Service, an organization comprised of industry experts incorporating critical private sector experience across numerous digital challenges.
The competition for technical talent in both the public and private sectors is fiercer than it has ever been according to Kim. The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields.
Keen to leverage private sector talent, the Air Force partnered with DDS to launch the Air Force Digital Service team in January 2017, affording a creative solution that turns that competition for talent into a partnership.
In fact, Goldfein and Acting Secretary of the Air Force Lisa S. Disbrow visited the Defense Digital Service and Air Force Digital Service in early April to discuss a variety of initiatives the Air Force can benefit from.
“We’re mobilizing the best talent from across the nation and among partner nations to help strengthen the Air Force’s cyber defenses. It’s an exciting venture, one that will make us better, and one that focuses an incredible pool of capabilities toward keeping our Air Force sites secure,” Disbrow said.
The DOD’s ‘Hack the Pentagon’ initiative was launched by the Defense Digital Service in April 2016 as the first bug bounty program employed by the federal government. More than 1,400 hackers registered to participate in the program. Nearly 200 reports were received within the first six hours of the program’s launch, and $75,000 in total bounties was paid out to participating hackers.
Registration for the ‘Hack the Air Force’ event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. Military members and government civilians are not eligible for compensation, but can participate on-duty with supervisor approval.