Last fall a total of 60 hackers managed to access the United States Air Force Virtual Data Center. According to Forbes.com a “battalion of hackers” worked from October 23 to November 20 and successfully gained access to the USAF VDC’s servers.
No personnel or personal information was compromised, nor were any American military secrets. This wasn’t even technically a breach of the systems. That’s because the hackers were of the white hat variety and took part in the fourth “Hack the Air Force Challenge,” which was operated in partnership between the United States Department of Defense (DoD) and the HackerOne hacking platform.
Programs such as this are actually designed to strengthen the DoD’s security posture, not to weaken it.
“The Air Force’s use of ‘white hat’ hackers to seek out and expose flaws is an excellent example of how armed service branches are preparing themselves for evolving combat scenarios,” explained technology industry analyst Charles King of Pund-IT.
“For years now we’ve heard and read stories about how future warfare will be affected by digital technologies, including advanced communications, computerized weapons targeting and guidance systems, and using sophisticated data analysis for planning, logistics and operations,” King told ClearanceJobs. “But our opponents will be doing the same, and there is evidence that some are already seeking weaknesses that can be exploited for their advantage.”
A total of 460 vulnerabilities were revealed and those white hat (or good guy) hackers earned $290,000 in bounties. HackerOne announced the findings of the event earlier this month, and noted that the hackers were paid 60% of the bounties for high and critical findings.
Train as You Fight
Events such as these are important and could be seen as crucial to ensuring that critical military infrastructure.
“Train as you fight and you’ll fight as you train,” suggested Jim Purtilo, associate professor of computer science at the University of Maryland.
“I applaud that exercise,” Purtilo told ClearanceJobs. “There’s no more effective way to integrate skill sets and test our technologies than to use them, and doing so in pen testing our own sites gives double the value.”
Hack the Air Force 4.0 was the fourth hacker-powered challenge that was designed to test the cybersecurity abilities of the USAF, but it was actually the tenth challenge since the first Hack the Pentagon project was launched in 2016. That led to the DoD’s establishing a vulnerability disclosure policy, Forbes reported. That first program found a total of 118 vulnerabilities and the hackers have found that it could be getting at least a little bit harder to breach the systems.
To date the DoD has managed to address more than 12,000 vulnerabilities.
“In essence, the Air Force’s program and the larger DoD Hack the Pentagon project highlights how the U.S. military is engaging professionals whose cyber expertise can enhance the DoD’s defensive and offensive capabilities,” added Pund-IT’s King. “A willingness to recognize and address one’s weaknesses is often cited as a mark of individual character. The Hack the Pentagon project demonstrates how that same point applies to the U.S. armed forces services.”
These hackathons are often presented as “fun” ways to find the exploits, but it should be noted that had the white hats not found and reported those vulnerabilities, most would still be there for the black hats (bad guys) to find.
Such efforts are thus employed not only by the DoD but across the industry. The key to success is ensuring that the teams continue to seek out exploits on a regular basis, not just during specific “Hack the Military” programs or events.
“Secure facilities often designate ‘rabbits’ of the day to see if they can navigate area security without being challenged,” said Purtilo.
“It keeps guards on their toes,” he added. “It can be this way with digital facilities as well. Ideally we rotate teams through each role, that is, alternate between intruder and defender, in order to train-up with the broadest perspective.”
However, a danger in any sort of exercise like this comes down to the ominous “we don’t know what we don’t know.”
That is why these events – along with routine hacking attempts – will likely remain critically necessary.
“White hat teams can try to exploit gaps in the attack surface as we might see them, but this gives no guarantee that bad actors will accommodate us by attacking in the same way,” Purtilo told ClearanceJobs. “It is just as with any type of conflict in history. If we are not careful then we will only train to fight the last war, not the next one. With a little foresight, these exercises will sharpen the critical reasoning skills of tomorrow’s strategic thinkers.”