The U.S. military, as part of its practice of strengthening cybersecurity through bug bounty programs, will open some Air Force cyber systems to hacking by vetted hackers from the Five Eyes intelligence alliance, a covert global surveillance arrangement of five countries: the United States (National Security Agency), the United Kingdom (Government Communications Headquarters), Canada (Communications Security Establishment Canada), Australia (Signals Directorate), and New Zealand (Government Communications Security Bureau). HackerOne, which will coordinate the contest, will screen hackers from these five countries for participation. Registration for “Hack the Air Force,” as the contest is called, commences on May 15, 2017.
Air Force Chief Information Security Officer Peter Kim said inviting vetted hackers for ethical hacking is a safe step toward fortifying cybersecurity systems because mischievous hackers attempt to hack military websites daily. “We have malicious hackers trying to get into our systems every day,” he said. “It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture.” Hack the Pentagon and Hack the Army were held last year, leading to the identification of 138 and 118 vulnerabilities, respectively, in those networks. HackerOne has not disclosed the reward range for Hack the Air Force, but researchers who uncovered vulnerabilities during Hack the Pentagon received between $1 and $15,000, totaling $75,000 in awards.
Air Force Chief of Staff General David Goldfein said of the program that “drawing on the talent and expertise of our citizens and partner-nation citizens” to identify vulnerabilities in the system would enhance cybersecurity. This is an “outside approach,” according to him, that would bring additional talent on board the [US Air Force] cyber team and make it more effective. The Department of Defense (DOD) may soon initiate another bug bounty program that would open DOD critical infrastructure, such as buildings and sensors in heating systems, among others, to likely attacks. Daryl Haegley, Program Manager for the Office of the Assistant Secretary of Defense for Energy, Installations, and Environment, said he would seek to convince the senior staff to support the initiative because discovering “vulnerabilities at one building site would likely help DOD shore up facilities elsewhere,” Nextgov reported.
A vulnerability coordination pilot program facilitated by Luta Security, a security consulting firm, was launched in the United Kingdom last month to enhance the disclosure process and discover more bugs in U.K. military systems. HackerOne, which coordinated Hack the Pentagon, raised a $40 million investment in February and will partner with Luta Security to deliver about twenty bug bounty challenges over three years to the Defense Department. Bug bounties are gaining ground in the tech sector but are quite rare for large companies. Luta Security founder Katie Moussouris said, “not as many bug bounties are launching as one might think. In fact, while the numbers are increasing, most governments and even the largest Fortune 500 companies lack even the most basic vulnerability reporting capabilities.”