When the Air Force showed up at the Defcon hacker conference in Las Vegas last month, it didn’t come empty-handed. It brought along an F-15 fighter jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that it has decided to up the ante. Next year, it’s bringing a satellite.
That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. While sending elite hackers after an orbiting satellite—and its ground station—might sound ambitious, it’s in keeping with Roper’s commitment to fundamentally changing how his branch of the military attacks its cybersecurity challenges.
“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”
Software inevitably has bugs that could be exploited, whether in a smart microwave or a complex flight system. Roper knows this from experience: The Hack the Air Force initiative, a bug bounty that sprung from a partnership between HackerOne and the Pentagon’s Defense Digital Service, paid out $130,000 to hackers who force hackers hijack orbiting satellite
