When the Air Force showed up at the Defcon hacker conference in Las Vegas last month, it didn’t come empty-handed. It brought along an F-15 fighter-jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that it has decided to up the ante. Next year, it’s bringing a satellite.
That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. While sending elite hackers after an orbiting satellite—and its ground station—might sound ambitious, it’s in keeping with Roper’s commitment to fundamentally changing how his branch of the military attacks its cybersecurity challenges.
“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”
Software inevitably has bugs that could be exploited, whether in a smart microwave or a complex flight system. Roper knows this from experience: The Hack the Air Force initiative, a bug bounty that sprang from a partnership between HackerOne and the Pentagon’s Defense Digital Service, paid out $130,000 to hackers who collectively found over 120 vulnerabilities last December.
It was DDS that connected the Air Force to the organizers of Defcon’s Aviation Village, a corner of the hacking conference dedicated to all things aerial that debuted this year. There, a group of seven vetted hackers, under the USAF’s watchful eyes, attacked a Trusted Aircraft Information Download Station, which transfers data back and forth on an F-15. With the vulnerabilities they found, they could have shut it down. And that’s just one of the countless components that the Air Force sources. The Air Force has its own internal cybersecurity team, of course, but its resources are finite. It needs a little help.
“You would expect really high-security procedures for the F-15, and it has them. But what about this humble data translator,” says Roper. “You might overlook it, but those kinds of things tend to be built by smaller companies. And you can imagine that smaller companies without the resources of a Lockheed Martin or Northrop Grumman or Boeing are not able to think about cyber resiliency and security at a level that can contend with a peer competitor like China.”
Once the Air Force sees what common security pitfalls plague its third-party parts, it can start writing stronger security requirements into its contracts. That hardens the entire supply chain—which in turn makes everyone’s aircraft more secure.
More still needs to be done, though, to address the opacity of the broader aviation community. Airplane parts are difficult for independent researchers to come by, and the big manufacturers have bristled at any suggestion that their products might have vulnerabilities like anything else that runs on millions of lines of code. It’s especially glaring at a time when similar tensions with the automotive and medical device communities have largely thawed, says Pete Cooper, director of the Aviation Village. “I couldn’t see the same collaboration in the aviation sector,” says Cooper. “There wasn’t really much in the way of productive and positive relationships in that area.”
Roper hopes that the Air Force’s involvement can help build that bridge. After all, who wouldn’t want to hack a satellite?
Recovering the Satellites
Here’s how it’s going to work: Sometime soon, the Air Force will put out a call for submissions. Think you know how to hack a satellite or its ground station? Let them know. A select number of researchers whose pitches seem viable will be invited to try out their ideas during a “flat-sat” phase—essentially a test build comprising all the eventual components—six months before Defcon. That group will once again be culled; the Air Force will fly the winners out to Defcon for a live hacking competition.