The Air Force plans to offer more of its systems as fodder for freelance cybersecurity researchers.
Will Roper, assistant secretary of the Air Force for acquisition, technology and logistics, said Thursday he wants to have enough bug bounty programs for civilian hackers to “make a living” of finding flaws in the service’s technology.
The department will be supporting the “Aerospace Village” at the upcoming DEF CON conference — held online this year, instead of in Las Vegas — where satellites will be up for grabs for white-hat hackers.
Last year’s hacking conference provided Roper inspiration on how the military can work differently with hackers, he said during a virtual press conference Thursday. During DEF CON, the Air Force will be hosting a “Hack-a-Sat” event in partnership with the Defense Digital Services, the civilian “SWAT team of nerds” in the Pentagon. The event will offer up to $50,000 for the grand prize with other smaller prices, and it will be one of many, Roper said.
“It’s an asset that our nation has that we have not leveraged in a smart way,” he said during a virtual press conference. The military has, however, shown a consistent interest in the concept.
Previously the Air Force has served up its public-facing websites for “Hack the Air Force” events, giving out more than a $100,000 to 30 researchers in 2018. Other “Hack the Pentagon” events also used .mil websites for testing.
In 2019, the Air Force added a Fast Track Authorization to Operate (ATO) for cybersecurity firms to do deeper penetrative testing on networks. The ATO gave the department the ability to use white hat hackers on more than just websites and continuously test systems more frequently than hackathon events every few months.
Continuing beyond bug bounty programs, the service also used the new authorities to signed a blanket purchase agreement in February to work with outside firms to penetration-test its IT networks.
Roper wants more than just new contracts and more authorities, he said he wants to see the Air Force and new Space Force as places hackers want to contribute their skills and collaborate on the design process from the start.
He said the force needs to “shift our posture” and “flip the script” on the old ways of thinking that hackers couldn’t be trusted or used for military systems.
“We are trying to first be a valuable member of the community,” Roper said. To do that, the department will be putting “meaningful activity on the table.”
The department has its own in-house cyber office, Cyber Resiliency Office for Weapons Systems (CROWS), but the services doesn’t have enough officers to cover all the technology being acquired and developed. As the force develops emerging technology, like artificial intelligence and the network-of-networks Joint All Domain Command and Control (JADC2), hackers will be drawn into the design process itself.
“I think there is huge potential for this,” Roper said.