The Air Force is going beyond traditional bug bounty programs and ramping up its use of ethical hackers to simulate wartime attacks on its IT networks.
A recent $75 million contract signed with cybersecurity firm Dark Wolf is one such example of how the department is trying to strengthen its IT enterprise by penetration testing internal networks, Lauren Knausenberger, chief transformation officer in the Air Force, told FedScoop.
The Air Force last March issued a Fast-Track Authorization to Operate (ATO), allowing the service to issue ATOs more quickly be requiring those systems and applications to meet baseline cyber standards, conduct penetration testing and continuously monitor for threats.
To take advantage of those new authorities, the Air Force is inking deals with private-sector cybersecurity firms to expand penetration testing and so-called “white hat” hacking, where information security researchers simulate adversarial cyber-offensives.
“For the past three years now we have really been embracing the hacker community,” Knausenberger said, referring to the department’s use of bug bounty programs. That embrace has grown tighter as the Air Force is working to bundle more task orders to meet the surging demand for vulnerability hunting across the department. “I do expect our demand will continue for some time,” she added.
The recent $75 million blanket purchase agreement signed in late February with Dark Wolf is one of the first contracts the Air Force awarded that will let hackers really “go crazy” on a range of Air Force IT.
Penetration testers had been used before, but it was in very “mission-specific” ways, Knausenberger said. Previous testing agreements did not allow for the type of full-on assaults the Air Force could experience in the cyber battlefield.
“Insider threats, embedded systems and supply chain analysis are examples of penetration testing areas that the government may have a greater interest in than our commercial clients,” Dark Wolf said through an Air Force spokesperson. “We have taken lessons learned from our commercial practice and applied them to government systems.”
Through the agreement with Dark Wolf, airmen across the department can request penetration testing be done on their networks. To fast-track the tests, many smaller orders are being bundled into task orders that will allow for faster deployment of the testing, Knausenberger said.
The next step for the Air Force is “baking security in from the very beginning” of the development of new technology. As the airmen try to move away from “checklist” security, the results of hacking tests are informing how the Air Force designs its systems.
“A lot of the best hackers are also the best developers,” Knausenberger said.
In the future, the Air Force also hopes to issue larger contracts to cybersecurity firms to be able to channel needs from airmen across the world through fast-tracked task orders to be fulfilled by hackers.