What Are Bug Bounty Programs and Will They Work for Aerospace?
By Jana Bounds

With the significant cybersecurity breaches that have hit major companies such as Apple, Meta, Twitter, T-Mobile and Equifax in recent years, it is no surprise that hacking is now discussed regularly, and not just within the tech world.

The hacking world is not one-dimensional; it is quite complex. Although they draw on similar skills, hackers differ in how they choose to use them. To oversimplify, there are good guys (White Hat Hackers), bad guys (Black Hat Hackers), and those who sit in between (Gray Hat Hackers). Companies and the US military have started programs that channel those skills to their own benefit.

What Are Bug Bounty Programs?

Companies have been incentivizing White Hat and Gray Hat Hackers to help discover software vulnerabilities since 1995, when Netscape first offered cash rewards for bugs found in its Navigator browser.

Called bug bounty programs, these have become increasingly popular over the years, particularly as companies digitalize to a greater degree.

Closely related to vulnerability disclosure programs (VDPs), which define how researchers may report a flaw but do not necessarily pay for it, bug bounty programs add a reward. They can be an effective way to identify and address security issues that might otherwise go unnoticed, and to give security researchers a financial reason to engage in ethical hacking rather than malicious activity.

Organizations are more willing than ever to pay large cash prizes for the discovery of zero-day vulnerabilities, since a bounty is far cheaper than the reputational damage and associated costs of a breach.

“Microsoft Teams was hacked a total of three times for a total prize money pot of an astonishing $450,000. The greater reward amount, $150,000 for each exploit, reflects the greater complexity of the zero-day exploits demonstrated,” according to Forbes. “The total prize money awarded was $1,155,000. This covered an amazing 25 zero-days that were successfully demonstrated by the talented hackers during the event.”

The vulnerabilities discovered are then passed to the vendors so that patches (fixes) can be created, typically under a coordinated disclosure timeline that gives the vendor a fixed window to ship a fix before details are made public.

Air Force Leading in Aerospace Bug Bounty Programs

These programs have spread to many industries and, to a limited degree, into aerospace, although many professionals within the sector remain resistant.

The aerospace industry, with its complex systems and high stakes, is one area where bug bounties could offer valuable solutions, but there are a host of challenges with implementing such programs.  

The US Air Force has been exploring the use of bug bounties since at least 2020 and has already run three separate bug bounties on Air Force cybersecurity and IT systems that resulted in the discovery of hundreds of vulnerabilities. According to an article in Federal News Network, the Air Force wants to take bug bounties even further and invite hackers to “probe for weaknesses in its parts supply chain and its satellites.”  

With so many contractors and suppliers involved in the production of aerospace systems, it can be challenging to identify all potential security risks. Bug bounties offer a way to engage many talented security researchers in the effort to find vulnerabilities and shore up defenses. 

“My hope is that we can bring the ethical hacker community into our design process, that we can do bug bounties when we’re designing things and building prototypes, and that people can make a living just hacking Air Force systems before they go to production,” said Dr. Will Roper, the assistant secretary of the Air Force for acquisition, technology, and logistics. He has long expressed interest in using bug bounties to identify vulnerabilities deep within the USAF supply chain. 

The Air Force tested the notion of hack-a-subsystem at the DEFCON conference in Las Vegas a few years ago, where hackers were provided access to a “boutique system that transfers data between ground computers and F-15 aircraft.”  

Supply Chain Threat: The Soft Underbelly

Roper explained that when the Air Force is thinking of cybersecurity for the F-15, they are typically considering once the jet is flying, and they have a pretty good grasp of that.  

“But at some point, an airman has to take that data system to the jet. Well, that has access to the jet, and what if [an adversary gets] access to that? So we wanted to see if the ethical hacker community could hack the soft underbelly that we don’t think about. And they were able to do it,” he said, according to Federal News Network.  

Those hackers shared how they were able to penetrate the system. They found hidden entry points within the supply chain, in areas where the designers had been completely unaware of any threat.

“Our defense companies are assemblers from the supply chain. They don’t require their suppliers to tell them what software functionality is running on components, because we don’t tell industry to do that. But we’ve got to start doing that,” he said.  

Aerospace Industry Bug Bounty Challenges

However, implementing a bug bounty program in the aerospace industry comes with its own unique set of challenges. As noted in a TechTarget article, one challenge is determining which systems and components should be included in the program.  

With so many different systems and components involved in aerospace operations, it can be difficult to decide where to draw the line. There is also the risk that participants in a bug bounty program might inadvertently damage critical systems while probing for vulnerabilities, which is why programs in this space generally target isolated test articles or replicas rather than live operational systems.

This risk is particularly acute in the aerospace industry, where the consequences of a security breach can be catastrophic. 

However, it could be argued that the benefits outweigh the risks. As noted in the Wix blog, bug bounty programs have been responsible for identifying critical vulnerabilities in high-profile systems, including Apple’s iOS and Google’s Chrome browser.  

Identifying vulnerabilities before they can be exploited by malicious actors can help prevent costly and potentially deadly security breaches.

The sheer number of highly skilled security researchers (hackers) that can be mobilized to find vulnerabilities also increases the value of such programs. This is particularly true in aerospace, where so many contractors and suppliers are involved that it is hard for any single in-house team to be sure every security risk has been identified and addressed.

Bug bounties offer a way to harness collective knowledge and expertise for the greater good of bolstering security by identifying unseen vulnerabilities, ones missed by in-house security teams. 

Careful Design is Needed

Effective bug bounties require thorough forethought, particularly in the aerospace realm. There are a number of important considerations for designing a bug bounty:  

  • Incentives that are too low will not attract skilled hackers, who will spend their time on better-paying programs 
  • Incentives that are too high might attract malicious actors who want to exploit rather than help 

Rules and guidelines for security researchers need to be clear: which systems are in scope, which actions are prohibited (for example, anything that could degrade a live system), and what legal safe harbor a researcher who follows the rules can expect.

The process for reporting vulnerabilities should also be streamlined, with a defined triage path and response times, so that zero-day vulnerabilities can be addressed promptly.

There’s A Strategic Way Forward

Complex systems demand the best and the brightest. Bug bounty programs enable a thorough inspection of the soft underbelly of the aerospace world, the hidden code that can become a weapon in the wrong hands. There are certainly challenges to implementing bug bounties, but the benefits should not be ignored.

By engaging a large number of security researchers in the effort to find vulnerabilities, bug bounty programs can help ensure that critical systems are as secure as possible, reducing the risk of costly and potentially deadly security breaches. 

As the aerospace industry continues to evolve and becomes more and more reliant on technology, bug bounty programs may become a vitally important tool in the effort to maintain the safety and security of our skies.
