The first-ever aviation “village” at the DEF CON security conference has an F-35 fighter jet simulator among its hacking targets, but that’s not the only reason the Defense Digital Service’s newly minted chief, Brett Goldstein, is hanging around this corner of the convention hall in Las Vegas. The agency sees it as a recruiting opportunity, too.
“In this room and throughout the convention is some of the best security talent in the world,” Goldstein tells CyberScoop. “This is a win for me if I can spark the imagination of this community, get them to understand we want to collaborate with them, that the problem space is fascinating, and this is something they should think about.”
Right now the DDS, which ran its first bug bounty program in 2016, has approximately 70 employees, some of whom are civilians and some active-duty military. But they rotate in and out approximately every two years. By design, the turnover forces DDS to bring in fresh ideas and talent.
“I’m always recruiting,” Goldstein says. The process is a challenge for him personally, though.
“I’m not a terribly social guy. I’m kind of quiet,” he says. “But during this conference I go up and I just meet as many people as possible.”
Goldstein, who previously worked at OpenTable, the Chicago Police Department and in academia, says the mission is what convinced him to work for the Pentagon.
“I didn’t think there was anything else I wanted to do,” he says. “I learned about this job where I had an amazing opportunity to … have impact like I could never imagine. That’s what got me to say, ‘OK we’re going to move the kids.’”
When it comes to cybersecurity, the mission is never-ending for the military. The focus on aviation at DEF CON comes as government audits recently found flaws in weapons systems. Earlier this week, the bug bounty platform Bugcrowd announced it had found 54 vulnerabilities in the Air Force’s new cloud server. And just weeks ago the Department of Homeland Security issued an alert that a vulnerability in the onboard networks of small airplanes could allow an attacker with physical access to the aircraft to alter flight data, such as engine readings, altitude or airspeed.
Will Roper, assistant secretary of the Air Force for acquisition, technology and logistics, says the service still has gaps in how it is securing its systems against real-world adversaries.
“We have teams of hackers in the Air Force, but I don’t think we have enough, and I’m not convinced that they represent the very best hacking that we would experience in the battlefield,” Roper tells reporters while touring the village. “We also have to worry about a near peer.”
Although those challenges might appeal to some hackers, working for the government in a cybersecurity capacity can be a hard sell when the private sector offers more money, Goldstein says.
“At the end of the day we aren’t going to be able to compete if you’re going to go out to the Bay Area. And I get it,” Goldstein says. “But you want to know what, if you come to work for me, for two years you’re going to work on some of the most amazing things you can think of. You’re going to go to bed knowing you have saved someone’s life.”
Goldstein acknowledges that there are internal cultural hurdles at the Pentagon.
“I absolutely have my work ahead of me,” Goldstein says. “We need to move away from these relationships, which are ‘oh the hacker community is bad.’ The hacker community isn’t bad … We need to embrace these folks.”
Roper says welcoming hackers — even just as independent participants in bug bounty programs — is necessary to make sure the Air Force doesn’t get blindsided by attacks.
“That makes us nervous in government, because now we’re working outside the government. We have to determine who we can trust, who’s an ethical hacker and who’s not,” Roper says. “But just because that’s challenging doesn’t mean we don’t have an obligation to the warfighter to do it.”