Within 30 seconds of receiving the order to “start hacking,”
researchers at the Hack the Air Force 2.0 event discovered two
vulnerabilities—exactly the result the organizers were hoping for.
The researchers were cyber security specialists invited to the
December 9, 2017 event in New York to identify security gaps in Air
Force websites.
December 9, 2017 - U.S. Air Force First Lt. Stephen Baker, 352nd
Cyber Operations Squadron, watches as one of the Hack the Air Force
2.0 participants attempts to breach the security on a military
website. HtAF2.0 is a Defense Digital Service sponsored event where
civilian cyber security experts were invited to identify and report
vulnerabilities in more than 300 Air Force sites. (Courtesy photo by HackerOne)
Hack the Air Force 2.0 is a continuation of the Hack the
Air Force event held in June 2017. Initiated by the Defense
Digital Service, the event is a by-invitation opportunity
for computer experts outside the Air Force to assist in
strengthening the service’s defensive cyber posture, by
discovering and reporting vulnerabilities in Air Force
websites.
DDS contracted
HackerOne, an internationally respected vulnerability
disclosure and bug bounty company, to host and coordinate
the event. Twenty Fourth Air Force sent a team of Airmen
from the 90th, 315th, 352nd and 390th Cyber Operations
Squadrons to work alongside their industry counterparts
discovering bugs and weaknesses.
“This was a first to
showcase our offensive capabilities in an official capacity
alongside private and commercial sectors and international
partners,” said Maj. Gen. Christopher Weggeman, 24th AF commander. “Not only does this
program strengthen those partnerships, it allows the Air
Force to both teach and learn from the best and brightest
outside of the [Department of Defense].”
Even though
HackerOne invited some of the world’s elite hackers to the
event, they were surprised to find the Air Force sites were
not that easy to crack.
“They were impressed,” said
Lt. Col. Jonathan Joshua, 24th AF deputy chief of staff. “As
a vulnerability was identified, shortly thereafter, hackers
would be attempting to highlight the vulnerability to
another team of hackers … but the vulnerability had already
been patched. They’d be trying to grab screen shots to
prepare a post-day brief, but they couldn't because the
systems were already healthy.”
The non-Air Force
researchers were able to receive cash rewards of up to
$50,000 for each vulnerability they identified under a
practice commonly used in the private sector known as “Bug
Bounties.” Under bounty programs, companies pay so-called
“white hat” hackers a reward for pointing out holes in their
security.
“Hack the Air Force allowed us to look
outward and leverage the range of talent in our country and
partner nations to secure our defenses,” said Peter Kim, Air
Force chief information security officer. “We’re greatly
expanding on the tremendous success of the first challenge
by targeting approximately 300 public facing Air Force
websites. The cost-benefit of this partnership is
invaluable.”
For Maj. Barrett Darnell, 315th COS, the
highlight of the day was the interaction between different
groups participating.
“What stood out was seeing
private sector, independent bounty hunters and the
government all come together to find these vulnerabilities,”
he said. “I was amazed at the creativity [of the
researchers] with some of these issues that were found. So
the best part was seeing all these resources come together
to solve security problems.”
In a rapidly and
perpetually evolving domain such as cyber, interacting with
industry partners is essential for the Air Force to stay on
top of its game.
“Our cyber warriors are in the fight
every day,” said Weggeman. “Our Airmen operate within Air
Force networks and employ offensive and defensive
capabilities 24/7 in a highly contested environment where
the adversary constantly changes tactics and techniques,
creating complex vulnerabilities. Participating in the
HackerOne hosted ‘hackathon’ allowed our cyber warriors to
showcase their immense talent and skills while also learning
and strengthening relationships with our partners in
industry and other nations.”
At the close of the
event, after 12 hours of hacking, participants had
identified multiple vulnerabilities, protected 300 Air Force
websites and forged immeasurable new partnerships.
By U.S. Air Force Trevor Tiernan, 24th AFPA
Air Force News Service
Copyright 2018