Hackers invited to “Hack the Air Force”

The hacking exercise could help reveal Air Force cyber vulnerabilities.

Hackers are invited to try to penetrate Air Force cyber networks as part of an effort to identify and remedy potential vulnerabilities, service officials said. 

The event expands on the DOD ‘Hack the Pentagon’ bug bounty program by broadening the participation pool from U.S. citizens to include “white hat” hackers from the United Kingdom, Canada, Australia and New Zealand.

“This outside approach--drawing on the talent and expertise of our citizens and partner-nation citizens--in identifying our security vulnerabilities will help bolster our cybersecurity. We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team,” said Air Force Chief of Staff Gen. David Goldfein.

The initiative is part of the Cyber Secure campaign sponsored by the Air Force’s Chief Information Office as a measure to further operationalize the domain and leverage talent from both within and outside DOD, a Pentagon statement said.

This exercise format involves hackers registering on a secure forum site hosted by HackerOne, a bug-bounty service firm based in Silicon Valley. The Pentagon reports that all participants must then go through a background screening, and must not appear on any of the U.S. Treasury Department's Specially Designated Nationals lists for criminal activities.

“This is the first time the AF has opened up our networks to such a broad scrutiny,” Air Force Chief Information Security Officer Peter Kim said. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture.”

Once the exercise opens, participant coders and hackers can electronically submit a report for each bug, glitch or weak spot they find through which the Pentagon’s networks can be hacked. With the bug-bounty model, participants whose bug reports are deemed valid are given monetary awards.

Hacking exercises such as ‘Hack the Air Force’ will likely provide valuable insight into vulnerabilities created by data sharing initiatives.

“Hack the Pentagon” revealed 138 legitimate vulnerabilities in public Pentagon sites alone, and it is likely the results of the “Hack the Air Force” exercise will likewise inform cybersecurity efforts toward heightened communication.