The Air Force is now joining the club of defense entities inviting so-called white hats to hack their websites.
In an appearance at HackerOne on Wednesday afternoon in San Francisco, Peter Kim, the Air Force's chief information security officer, announced that the service is partnering with HackerOne to invite vetted hackers, or white hat hackers, to break into public Air Force websites.
This effort expands on the Hack the Pentagon and Hack the Army bug bounty programs and is part of the Cyber Secure campaign sponsored by the Air Force CIO that aims to operationalize the cyber domain and leverage talent from inside and outside the Department of Defense, the Air Force said.
"We do cyber exercises. We 'Red Team' our public facing and critical websites, but even with the amazing talent we have within the AF, the outside expertise will assist with identifying and resolving security vulnerabilities within Air Force websites, making our cybersecurity stronger," Air Force Chief of Staff Gen. David Goldfein said.
The Air Force is not just following in the footsteps of the DoD and the Army in inviting hackers to its websites; it is also creating its own version of the institution that spurred these initiatives.
Former Air Force Secretary Deborah Lee James announced last year that the military branch would be standing up the Air Force Digital Service — calling it a "nerd cyber swat team" — tasked with recruiting engineers from the private sector to perform short-term work, just like the Defense Digital Service.
DDS has been described as bringing in people from the private sector for a "tour of duty" to help the DoD solve difficult problems in the technological and digital world. DDS chief Chris Lynch described his staff as a "SWAT team of nerds" that come to the Pentagon to work on projects of impact.
Lynch, who flanked Kim during Wednesday's announcement, acknowledged the gradual escalation of access for these programs, noting Hack the Pentagon involved public-facing websites — not sensitive systems — while Hack the Army went a bit deeper, focusing on recruiting systems.
"With Hack the Air Force, we are continuing that effort, going deeper into the missions," Lynch said.
"I don't think I can get into the specifics of what we're going to be looking at, but at a broad level, public-facing servers," Kim said. "So for the folks in the Air Force, if you have a web server or a website or something that's public-facing that the general public can get to, that's a computer, that's a piece of information technology that has vulnerabilities just like anything else. … We have thousands of those different websites or web servers, and those are probably the most concerning to me in terms of we need to get the security right on those things. Those are assets we need to continually probe and penetrate to see what's vulnerable."
The cyberthreat is becoming increasingly aggressive. Kim noted in January that in 2016 alone, Air Force networks blocked 1.3 billion attempted malicious connections, boiling down to more than 40 attempted intrusions per second.
"This is the first time the AF has opened up our networks to such a broad scrutiny," he said Wednesday. "We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture."
According to publicly released preliminary results from the Hack the Army campaign, it took only five minutes to receive the first vulnerability report; 118 total valid reports were received, and an estimated $100,000 in bounties was paid to hackers.
Hack the Air Force also broadens the participation pool from U.S. citizens to include citizens from the United Kingdom, Canada, Australia and New Zealand. Registration for the Hack the Air Force event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.