Air Force enlists ethical hackers to target maintenance system from the inside

The Air Force wanted to see just how much "damage" or "malice" hackers could do from the inside.
Tech. Sgt. Christopher Shamburger, 27th Special Operations Maintenance Squadron weapons load crew chief, logs in data into a computer during a weapons load on an MQ-9 Reaper aircraft at Cannon Air Force Base, N.M., Sept. 10, 2018. Shamburger is the lead crew member and is in the position of the ‘one-man’ role which is responsible for overseeing the entire load. (U.S. Air Force photo by Senior Airman Luke Kitterman)

What happens if an airman or other Air Force personnel “went rogue” and wreaked havoc on one of the service’s most important IT systems for maintaining its weapons technology?

The Air Force asked bug bounty company Synack to bring in ethical, “white hat” hackers to look at just that, enlisting them to act as someone with inside access and identify vulnerabilities in its Reliability and Maintainability Information System.

According to the Air Force, leaders wanted to see just how much “‘damage’ or ‘malice’ they could accomplish” from the inside. “The hack was not intended to test the external security boundary for accessing REMIS,” the Air Force said in a release.

“The objective of this exercise was not only to assess the strength of REMIS’ cybersecurity posture, but to learn how to most effectively establish an enterprise level bug-bounty for the entire Logistics-Information Technology portfolio,” the release says.


Over four weeks, 73 cybersecurity researchers from Synack Red Team —a “private network of highly-curated and vetted security researchers” — spent more than 1,700 hours hacking the system in search of critical issues, ultimately finding 12 “critical” vulnerabilities, Synack said. Of those 12, the Air Force immediately remediated 11 and is taking steps to correct the other.

“Synack is proud to work on this engagement with the Air Force to efficiently identify and remediate vulnerabilities, leverage patriotic and ethical hackers, and provide higher ROI than traditional penetration testing companies,” said Mark Kuhr, Synack cofounder and CTO.

The Air Force said senior leaders “were pleased with the results” of the engagement.

This isn’t the Air Force’s first foray into a bug bounty. In fact, the service has run three engagements in recent years, paying out hundreds of thousands of dollars in prizes.

Billy Mitchell

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. After earning his journalism degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.

Latest Podcasts