WASHINGTON — A U.S. Defense Department pilot program designed to root out digital vulnerabilities among contractors identified hundreds of flaws over the course of one year, organizers said.
Cybersecurity researchers with bug bounty team HackerOne discovered some 400 issues across dozens of companies during the Defense Industrial Base-Vulnerability Disclosure Program, coordinated by the department’s Cyber Crime Center and the Defense Counterintelligence and Security Agency.
“[The program] has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Melissa Vice, interim director of the vulnerability disclosure program, said in a statement.
Vice added that the pilot was intended to identify whether similar critical and high-severity vulnerabilities existed at small-to-medium cleared and non-cleared defense-industrial base companies, with potential risks for critical infrastructure and the U.S. supply chain.
Which contractors were involved was not disclosed. The campaign launched in April 2021 with 14 participating companies and 141 publicly accessible assets to examine. Interest quickly ballooned; 41 companies and nearly 350 assets were eventually admitted. The results were announced May 2.
The total represents a fraction of the Defense Department’s 200,000-company-strong contracting pool, raising concerns about vulnerabilities across far more networks.
The Pentagon operates a vulnerability disclosure program, in which specialists seek out weaknesses and flag them for fixing. Such a practice, the Cyber Crime Center said, improves network defenses and promotes proactive cyber management.
“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said Alex Rice, the co-founder and chief technology officer of HackerOne. The company is the Defense Department’s primary source for vulnerability reporting and vetting.
The defense-industrial base is under constant threat of hacks and foreign influence efforts. While international competitors may be deterred from directly fighting the U.S., the Pentagon’s 2018 cyber strategy noted, they are leveraging the digital domain to steal “our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.”
In a joint cybersecurity bulletin issued days before Russia’s Feb. 24 invasion of Ukraine, the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency warned that hackers backed by Moscow had targeted U.S. defense contractors for years, absconding with data that provides “significant insight” into weapons and communications infrastructure.
Those targeted, the advisory stated, work on defense and intelligence contracts, including missile development, the design of vehicles and aircraft, and command-and-control technologies. The compromised companies support the U.S. Army, Air Force, Navy, Space Force and national security programs.
Defense News in June 2018 reported Chinese-sponsored cyberattacks breached a Navy contractor’s computers, jeopardizing sensitive data related to secret work on an anti-ship missile.
The Government Accountability Office in a December 2021 analysis said the Defense Department “has taken steps to improve the cybersecurity of the defense industrial base,” but that more could be done. The department concurred with the report’s findings and recommendations, documents show.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its NNSA — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.