The Department of Defense (DoD) wants to know: do you have what it takes to hack the US Air Force?
No need to answer that, Russia. Many in the US believe they already know the answer to whether or not you can hack us.
Rather, the USAF announced last week that its new bug bounty program is only open to vetted hackers from the US, the UK, Canada, Australia and New Zealand. Those countries are all members of the Five Eyes alliance, which promotes cooperation in signals intelligence.
Snubbing Russia is understandable, security experts said, given that it would be far too risky to give them access to US defense systems. Oleg Demidov, a cybersecurity expert at PIR Center, a Moscow-based think tank, told Russia Beyond the Headlines that the Hack the Air Force program might entail peeks into systems that aren’t connected to the internet and which are largely unknown to the public.
Better they stay that way, Demidov said:
Russians will never be invited to participate in such challenges because the US military officials believe that knowledge and information about the Pentagon’s security systems that are obtained during such operations might be exploited and used against U.S. interests.
The Department of Defense said that its Hack the Pentagon bug bounty program, which ran from between April and May 2016, exceeded all expectations. The program received 250 vulnerability reports, 138 of which were deemed legitimate, with the first report coming in a mere 13 minutes after the program started. The program paid out a total of $75,000 in bounties that ranged from $100 to $15,000.
Now it’s the AF’s turn, and it sounds like they could use the help. Chris Lynch, of the Pentagon’s Defense Digital Service, which was behind the Pentagon bug bounty program, had this to say about limited cybersecurity skills:
Every business or organization has a finite amount of time and specialised skills necessary to find vulnerabilities within their networks, but when you open them up to such a diverse group you get amazing results at low cost.
Peter Kim, the Air Force chief information security officer, said that just like any organization these days, it’s a daily dogfight to keep malicious hackers at bay. Getting help from some friendly ones will be a nice change, he said:
This is the first time the AF has opened up our networks to such a broad scrutiny. We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.
Registration for Hack the Air Force opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. Military members and government civilians aren’t eligible for compensation, but they can participate on-duty with supervisor approval.
Source: Naked Security – Sophos @ May 4, 2017 at 08:12AM