By now we’re used to the idea of software companies running bug bounty initiatives which hand out thousands of dollars in prizes to independent researchers who find and responsibly disclose security holes.
But, as Wired reports, it’s not just technology companies who are recognising the advantages of having white hat hackers test their systems.
The US Air Force is said to be so happy with how a group of non-military researchers uncovered serious vulnerabilities in an F-15 fighter jet system at the DEF CON hacking conference in Las Vegas, that it is promising to run a similar competition next year that will probe the security of orbiting satellites.
The objective? To see if they can hijack control of an orbiting satellite and turn its camera from staring at Earth to point at the moon instead.
Of course, the Air Force isn’t going to open the door for any Tom, Dmitry or Harry to try to hack one of its satellites or ground stations.
Instead I imagine it will invite applications from vulnerability researchers who agree to its terms, and then whittle down the group to those who they feel have the best chances of success and won’t get up to any monkey business with an expensive piece of space hardware!
In other words, the Air Force will require participating hackers to be pre-registered and approved to take part, and my guess is that they are unlikely to look favourably on applications which come from certain parts of the world… sorry Syrian and North Korean hackers, you’re unlikely to be invited.
I also doubt they will be interested in signing you up if you’re unwilling to undergo a background check to see if you’ve been a wrong ‘un in the past.
So what has motivated the US Air Force to launch a hacking challenge that is likely to grab the media’s attention?
I think the reason is simple. Many of the components used on a satellite and its associated ground station may come from small specialist companies, which may not have enough resources to adequately check that their technology would withstand a determined state-sponsored hacking attempt originating from the likes of China, Russia, or North Korea.
As Wired explains, once the Air Force learns about the common security issues impacting third-party parts it can begin to build stronger security requirements into its contracts, hardening the supply chain.
Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, says it’s important for the US military to recognise the value that external vulnerability researchers can bring to the table, ensuring that the security of systems is tested before it is exploited by a malicious attacker.
“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”
A series of bug bounty challenges have been created by the US Department of Defense since “Hack the Pentagon” was launched back in 2016. These include “Hack the Army”, “Hack the Air Force”, “Hack the Defense Travel System”, and “Hack the Marine Corps.”
In all, more than 5000 vulnerabilities have been reported in government systems through the initiatives, proving that they are a win-win for both vulnerability researchers and the US Department of Defense.
The “Hack the Air Force” bug bounty, for instance, paid out over US $130,000 to hackers after over 120 vulnerabilities were found in just a one-month period last year.
I believe it’s a positive thing to see the US Air Force bringing outside experts in to see how easy it is to hack an orbiting satellite. It’s always going to be better having someone friendly testing your systems than waiting for a malicious attacker to find the serious security hole on your orbiting satellite.