Culture

Air Force wants cyber experts to ‘make a living’ off hacking its tech

The Air Force wants to do so many bug bounties that hackers can "make a living" off it. Eventually, hackers will be a brought into the design process.

By Jackson Barnett

May 14, 2020

U.S. Air Force Special Tactics operators from the 22nd Special Tactics Squadron establish communications during an airfield survey as part of a culmination exercise Mar. 10, 2020, at McChord Air Force Base, Wash. The CULEX challenged the operators to perform airfield survey and control procedures in a potentially austere environment in order to simulate humanitarian aid response during a natural disaster. Special Tactics is U.S. Special Operations Command's tactical air and ground integration force, and the Air Force's only special operations ground force, leading global access, precision strike, personnel recovery and battlefield surgery operations on the battlefield. (U.S. Air Force photo by Staff Sgt. Ridge Shan)

The Air Force plans to offer more of its systems as fodder for freelance cybersecurity researchers.

Will Roper, assistant secretary of the Air Force for acquisition, technology and logistics, said Thursday he wants to have enough bug bounty programs for civilian hackers to “make a living” of finding flaws in the service’s technology.

The department will be supporting the “Aerospace Village” at the upcoming DEF CON conference — held online this year, instead of in Las Vegas — where satellites will be up for grabs for white-hat hackers.

Last year’s hacking conference provided Roper inspiration on how the military can work differently with hackers, he said during a virtual press conference Thursday. During DEF CON, the Air Force will be hosting a “Hack-a-Sat” event in partnership with the Defense Digital Services, the civilian “SWAT team of nerds” in the Pentagon. The event will offer up to $50,000 for the grand prize with other smaller prices, and it will be one of many, Roper said.

“It’s an asset that our nation has that we have not leveraged in a smart way,” he said during a virtual press conference. The military has, however, shown a consistent interest in the concept.

Previously the Air Force has served up its public-facing websites for “Hack the Air Force” events, giving out more than a $100,000 to 30 researchers in 2018. Other “Hack the Pentagon” events also used .mil websites for testing.

In 2019, the Air Force added a Fast Track Authorization to Operate (ATO) for cybersecurity firms to do deeper penetrative testing on networks. The ATO gave the department the ability to use white hat hackers on more than just websites and continuously test systems more frequently than hackathon events every few months.

Continuing beyond bug bounty programs, the service also used the new authorities to signed a blanket purchase agreement in February to work with outside firms to penetration-test its IT networks.

Roper wants more than just new contracts and more authorities, he said he wants to see the Air Force and new Space Force as places hackers want to contribute their skills and collaborate on the design process from the start.

He said the force needs to “shift our posture” and “flip the script” on the old ways of thinking that hackers couldn’t be trusted or used for military systems.

“We are trying to first be a valuable member of the community,” Roper said. To do that, the department will be putting “meaningful activity on the table.”

The department has its own in-house cyber office, Cyber Resiliency Office for Weapons Systems (CROWS), but the services doesn’t have enough officers to cover all the technology being acquired and developed. As the force develops emerging technology, like artificial intelligence and the network-of-networks Joint All Domain Command and Control (JADC2), hackers will be drawn into the design process itself.

“I think there is huge potential for this,” Roper said.

Correction: The Air Force will be supporting the existing aerospace village at DEF CON. An earlier version of this story incorrectly described the relationship.