I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’:
Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.
Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.
Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.
“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”
Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.
Let’s see, $75,000 split between 1,400 hackers, that’s $53.57 per hacker, on average. Some got more than average, some got nothing at all.
‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills. Those are skills that take time, hard work and talent to develop, yet the Air Force devalues them with chump change.
I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks.
However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity.
Not my decision, not my problem.
Want an effective solution?
First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins.
Bear in mind that paying the market rate and responding at market-reasonable speed will be critical to the success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it.
Second step, create a very “lite” contracting process for when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and the graft of primes, sub-primes and sub-sub-primes, with all the nest-feathering of contract officers, etc., along the way. Oh, and the drug tests as well. You want results, not squeaky clean but so-so hackers.
Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes?
Until the Air Force stops damaging the defensive cybersecurity labor market, boycott ‘Hack the Air Force’ at HackerOne and all similar efforts.