It shouldn’t be any surprise at all to hear that people are trying to hack into the United States Air Force’s networks and computer systems.
And, as everyone knows, if you hack into the US Air Force’s systems without their permission you’re breaking the law and – if caught – could face a severe prison sentence.
But there is one way to hack the US Air Force without having the book thrown at you. And you can even legally earn yourself a tidy sum of money at the same time. And that’s by hacking the US Air Force’s systems with its explicit permission.
Yesterday, the US Air Force used a Facebook live stream to announce a new initiative it was launching with HackerOne called “Hack the Air Force”, inviting white-hat hackers to find security vulnerabilities on its public-facing servers and websites, and offering bug bounty payments for those who discover flaws.
Chief Information Security Officer Peter Kim described why the US Air Force, which has tens of thousands of public-facing servers, needs this kind of external scrutiny of its security:
“We have millions of probes a day, a week, on our DoD systems quite frankly. These are probably people out there, around the world, who particularly aren’t friendly with the Department of Defense. And they generally don’t tell us what’s wrong with our systems until we find out that something’s been hacked. And so I want to turn that around. I want to know beforehand where our vulnerabilities are. I know we have vulnerabilities, and I want to know where those are in the United States Air Force.”
It’s important to point out that the US Air Force isn’t opening itself up to a hacking free-for-all. They are looking for friendly hackers to help them get ahead of the problem. All of the vulnerability researchers participating in the challenge will need to register on the HackerOne website, and be vetted by HackerOne, before they are given the parameters of the task.
Registration for “Hack the Air Force” is scheduled to begin May 15th via the HackerOne website, and is open to United States, UK, Australian, New Zealand, and Canadian citizens. The challenge itself will run from May 30 to June 23.
Presumably, if successful, the US Air Force may run similar initiatives in the future. Military members and government civilians are not eligible for compensation, but can participate on-duty with supervisor approval.
Details of the bug bounties up for grabs have not been made available, but similar schemes run by the Department of Defense in the past have offered bounty payments of up to $150,000 for those who discover flaws.
I’m a strong believer that it is better to hack yourself (or hire penetration testers) to uncover system vulnerabilities than to wait for a malicious hacker to attack your network.
And, of course, security should be an important consideration throughout a project – not just after it has gone live on a public-facing website.
However, we have to be realistic. Humans make mistakes, and vulnerabilities can creep into projects unspotted. The more trusted eyes checking a service – with the approval of the systems’ owners – the better.