The U.S. military, building on the perceived success of its first “bug bounty” contest last year, has once again opened its cyber-defenses to scrutiny by outside hackers — and this time not only by Americans. And, once again, the winner was a teenager.
“Though inviting foreigners to hack military networks may sound unsafe, Air Force Chief Information Security Officer Peter Kim says the DOD frequently works with partner nations on initiatives to boost cybersecurity,” notes Jack Corrigan of NextGov in his recent report on the “Hack the Air Force” bug bounty program.
“By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense,” Kim reportedly said. The small minority of those good guys who come from other countries, 33 hackers in total, come from countries we can trust, we’re told.
“Before you panic that the Russians are coming,” writes Sydney Freedberg Jr. of Breaking Defense, “all 33 come from the ‘Five Eyes’ countries with which the US shares its most sensitive intelligence: United Kingdom, Canada, Australia and New Zealand.” Whew. That’s reassuring.
Perhaps the vetting process for the non-U.S. nationals cleared to Hack the Air Force really is sufficient. It is hard to tell without actually being involved in it. But we might have cause for concern if it is anything like the processes for deciding which teenage hackers are “the good guys” and for how to compensate them for their work, which seem to raise red flags.
“Bug bounties recruit ethical or white-hat hackers to find security holes within an organization’s computer networks,” Corrigan writes (although the “white-hat/black-hat” ethical dichotomy of hacking is perhaps an oversimplification, as made fairly clear by the very existence of the term “gray-hat,” as well as a number of facts that the black-and-white thinkers at the Pentagon may find inconvenient upon examination).
“Vulnerabilities can range from low-risk flaws to major gaffes capable of corrupting the entire network or exposing sensitive information,” Corrigan continues. “When a hacker finds one, she reports it to the group and usually receives compensation based on the severity of the bug.”
Usually, but not in the case of David Dworken, one of the original winners of last year’s “Hack the Pentagon.” Still, even without monetary compensation for his hours of work, the 18-year-old Dworken found it “incredibly rewarding,” adding that part of the reward was “the greater-good aspect of it, especially when working with the federal government for something I obviously care deeply about.” Former Defense Secretary Ash Carter was also pleased with the cost-effectiveness of the $150,000 bug bounty.
Similarly, out of hundreds of hackers invited to participate in the more recent Hack the Air Force, the winner of the contest was a 17-year-old, Jack Cable, who described how he got into hacking in an interview last week.
“I was 15 and I accidentally stumbled across a vulnerability in a financial site,” Cable reportedly said. “I found that I was able to send a negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted to there. And then I sort of got into hacking from there.”
Cable also described his high-minded ethical reasons for wearing the white hat. “I try to be [one of the good guys] because it’s really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.”
For the sake of the cyber-security of systems meant to protect the national security of the United States, the security professionals at the Pentagon behind these bug bounty programs should hope the highly-vetted “cyber-security professionals” — as well as the teenage hackers — that they’re allowing to scrutinize their systems don’t have anything to hide.
Following revelations of the identities of two high-profile and fairly recent alleged and admitted National Security Agency leakers, then-29-year-old Edward Snowden in 2013 and 25-year-old Reality Winner this year, questions were raised about how people their age could get top secret security clearance. While getting limited immunity from prosecution to hack specific Defense Department websites and computer systems as part of a bug bounty program is not the same thing as having top-secret clearance, from the military’s perspective the dangers posed by teenage hackers should be even greater than those posed by 20-somethings.
It might be easy to run a background check and pull up a spotless record for a security-obsessed teenager, particularly one that has grown up seeing the dangers of overexposure of one’s personal life and views on social media. Predicting what such a person might do in the future, however, particularly based on insights gained from being given free rein to hack military computer systems, could be easier said than done.