Air Force enlists ethical hackers to target maintenance system from the inside
What happens if an airman or other Air Force personnel “went rogue” and wreaked havoc on one of the service’s most important IT systems for maintaining its weapons technology?
The Air Force asked bug bounty company Synack to bring in ethical, “white hat” hackers to look at just that, enlisting them to act as someone with inside access and identify vulnerabilities in its Reliability and Maintainability Information System.
According to the Air Force, leaders wanted to see just how much “‘damage’ or ‘malice’ they could accomplish” from the inside. “The hack was not intended to test the external security boundary for accessing REMIS,” the Air Force said in a release.
“The objective of this exercise was not only to assess the strength of REMIS’ cybersecurity posture, but to learn how to most effectively establish an enterprise level bug-bounty for the entire Logistics-Information Technology portfolio,” the release says.
Over four weeks, 73 cybersecurity researchers from the Synack Red Team — a “private network of highly-curated and vetted security researchers” — spent more than 1,700 hours hacking the system in search of critical issues, ultimately finding 12 “critical” vulnerabilities, Synack said. Of those 12, the Air Force immediately remediated 11 and is taking steps to correct the remaining one.
“Synack is proud to work on this engagement with the Air Force to efficiently identify and remediate vulnerabilities, leverage patriotic and ethical hackers, and provide higher ROI than traditional penetration testing companies,” said Mark Kuhr, Synack cofounder and CTO.
The Air Force said senior leaders “were pleased with the results” of the engagement.
This isn’t the Air Force’s first foray into a bug bounty. In fact, the service has run three engagements in recent years, paying out hundreds of thousands of dollars in prizes.