JUST IN: Air Force to Host Satellite Hacking Event Virtually
The Air Force will host a virtual satellite hacking challenge this summer to expose cybersecurity issues and vulnerabilities in space assets and ground control systems, a top service official said May 14.
“We've got a lot to learn from the hacker community,” said Will Roper, the Air Force’s assistant secretary for acquisition, technology and logistics. “The way that we build systems now behind closed doors, presuming that secrecy is one-to-one with security, that time is over and done with.”
The “Space Security Challenge 2020: Hack-A-Sat” contest will take place in two phases, according to a Space Force press release. The Space Force is part of the Department of the Air Force. The event includes an online qualification portion May 22-24, and a virtual event slated to take place Aug 7-9.
During the final phase, hackers will be challenged with reverse-engineering “representative ground-based and on-orbit satellite system components to overcome planted ... software code,” according to the release. In hacking contests, these types of codes are also known as “flags.” The top three teams to overcome the most flags will be awarded prize money.
In recent years, the Pentagon has turned to “white hat” cyber experts outside the department to find vulnerabilities in its systems, encouraging participation with cash prizes for those who discover the most.
“We need to embrace this external community to help us understand how to use … bug bounties and hacking events to deal with security issues before we take [systems] onto the battlefield,” Roper told reporters during a videoconference.
The Air Force, Space Force and Defense Digital Service are partnering with DEF CON’s Aerospace Village for the challenge. DEF CON is an annual hacking conference that was canceled this year due to safety concerns surrounding the ongoing COVID-19 pandemic.
Although these types of events can help strengthen cybersecurity for the Pentagon’s space assets, not every security vulnerability can be addressed this way, Roper noted.
“Some things we will have to use our own Air Force- and Space Force-cleared hackers,” he said. “We've got amazing hackers in the Air Force,” he added. “I've just been amazed by what they're able to do, but we don't have enough of them.”
The services have more than 530 programs, and their personnel don’t have the ability to thoroughly probe each system for vulnerabilities, Roper said.
“I see huge potential to work with this broader hacker community — [to] start hacking things in design and shift the paradigm by which we prove to warfighters we're secure,” Roper said. “Right now ... we develop in a closed environment. In the future, I think it will balance closed development with an openness of discovering vulnerabilities and retiring them.”
Roper also hopes challenges such as Hack-A-Sat will spotlight the need for cybersecurity awareness among companies looking to work with the Defense Department.
“One of the things I'm hoping will happen as space continues to burgeon and grow is that there will be more cybersecurity awareness in the industrial base, especially in the commercial industrial base, which is certainly hoping to work with defense and intelligence, but probably isn't thinking about cybersecurity as step one as they try to grow their business,” he said.
This will be the second year the Air Force has worked with the DEF CON community, Roper said.
“It's an asset that our nation has that we really have not … leveraged in a smart way in the government,” he said. “I'm hoping to do that, but we have to build those bridges prudently,” he added. “The last thing the government should do is come in like a bull in the china shop and say, 'We're here to partner.'”
Some programs are too sensitive to open up to outsiders, he noted.
The Air Force through its Life Cycle Management Center stood up the Cyber Resiliency Office for Weapons Systems, or CROWS, in 2016.
“We're going to have to use our CROWS for systems that are highly classified that we simply cannot outsource to a broader community,” Roper said. The personnel who work in that office are “wicked hackers,” he added. However, there are not enough of them to employ across all of the service's programs, he noted.
Roper noted that he sees an opportunity for the service to have CROWS-type personnel that are not government employees. These could be individuals that have gone through screening and are available to do bug bounty-style hacking and probe systems, he said.
“The thing I hope will be the case is that people will think that they can make a living hacking Air Force and Space Force systems — that there's a living in that in the long term,” he said. “And with the number of programs we have, I think that there is.”