Air Force considers ‘hybrid model’ for bug bounties on classified systems
The Air Force has long said that it wants to enlist more ethical hackers to help harden the security of its space assets, and now it’s turning that into a reality.
To work more closely with white hat hackers, the Air Force is rethinking how it classifies systems and whether there is a way to open up some of their basic code to the inspection of the greater cybersecurity community, said Will Roper, the assistant secretary of the Air Force for acquisition, technology and logistics.
“We have felt the same welcoming embrace from this community that has historically mistrusted us and we have mistrusted them,” Roper said. “The future I think is bright if we focus on trust first.”
This comes after more than 6,000 white hat security researchers were unleashed on a satellite as a part of a bug bounty hacking event sponsored by the Air Force and Defense Digital Service at this year’s virtual DEF CON conference. Several teams came away with prizes, with some able to maneuver the satellite to snap a picture of the moon.
Roper called it a “literal moonshot” in his first-ever tweet.
Moving forward, the Air Force plans to publish some of its code on open-source platforms to draw more insights from the wisdom of the crowd, Roper said in a Friday virtual press call. He hopes that the department, which houses Space Force, will also rethink how it classifies and builds its applications to more easily accommodate bug bounties and work with the white hat hackers who simulate adversary attacks.
Typically, the Air Force classifies a large amount of its work in the interest of national security. But, if those classified systems have weak cybersecurity, their secret nature doesn’t really matter that much, Roper said.
“If a hacker in a foreign nation is able to take our system down in a few hours of conflict then I would be hard-pressed to say that by classifying our systems we did our warfighters the service that they deserve,” he said. “There is a way to have a hybrid model.”
In that hybrid model, conceptual-level designs and initial software could be shared to have others inspect it and ensure that as it matures into operational systems, it has fewer vulnerabilities. The goal is to essentially crowdsource security for the basic and medium-level challenges while leaving the minute details to cleared airmen, civilians and contractors working for the Air Force. Other officials have also previously suggested deploying artificial intelligence and “expert systems” to search for security gaps.
“We don’t open-source things typically, but the Air Force open-sourced its first code at Kessel Run last year,” he said, referring to the department’s in-house coding factory. It’s a trend that will continue with developmental code — but don’t expect the Air Force to post the source code for the F-35 Joint Strike Fighter any time soon (or ever, probably).
Hacking: A space novelty
Attacking satellite systems presents some novel challenges. Since they are hurtling around the Earth’s atmosphere and only connecting at certain points, hacking the systems requires some understanding of the physics at play, Roper said.
They also are unique in impact. Knocking a satellite out through a cyber intrusion could disrupt critical infrastructure, like GPS. So there is much more to learn from real-life bug bounties on the systems, which Roper says will continue.
“Hopefully this won’t be the last DEF CON” the Air Force will participate in, he said.
The hackers involved seem to share Roper’s eagerness for continued engagement. The winning capture-the-flag team, Pwn First Search or “PFS,” said it was happy to see the military sponsoring the event and hopes it will return to the community to bring more cybersecurity awareness to space systems.
“Working with the Air Force on this was awesome because it’s not every day you get access to this kind of technology to mess around with,” Cyrus Malekpour, a PFS team member, told FedScoop.
And now, with the event’s conclusion, the more important work begins: Conversations, or “hot-washes” as Roper calls them, are taking place in which the cybersecurity specialists will tell the Air Force how they were able to take over the satellite, so the military can learn about its vulnerabilities.