iStock/gorodenkoff

How Ethical Hacking Can Make DOD’s Weapon Systems More Secure

As the Defense Department looks to preserve national security, it is investing in solutions that enable weapon system cybersecurity. Here’s how a crowdsourced penetration testing framework can help.

Presented by Synack

In 2018, the Government Accountability Office released a report that revealed cyber vulnerabilities in nearly all weapon systems under development at the Defense Department. During the study, penetration testers were tapped to play the role of adversary — using their ethical hacking expertise to expose even the simplest of vulnerabilities, including weak passwords. For many defense leaders, this was a wake-up call. It was time to reprioritize weapon system testing.

Today, as the Defense Department looks to protect and preserve national security, it is beginning to recognize a need to mitigate invisible vulnerabilities within existing systems and invest in tools and solutions that can enable weapon system cybersecurity.

This paradigm shift also comes after a number of pushes from the private and public sector to invest in this type of cybersecurity. In July 2020, the Cyberspace Solarium Commission released several legislative proposals aimed at empowering DOD to more effectively defend the nation against cyberattacks. Among these recommendations: evaluate cyber vulnerabilities of major weapon systems, with the aim to share lessons learned from these assessments in order to continue improving nuclear command and control system resiliency.

The Case for Crowdsourcing Cybersecurity 

To get there, DOD is partnering with security researchers who can help shed light on these vulnerabilities. Known as “pentesters,” or “ethical hackers,” these professionals are paving the way for a future where weapon systems are more secure. 

This approach was backed in the Department of Defense Cyber Strategy, which outlined a plan to identify crowdsourcing opportunities, such as hack-a-thons and bug bounties, in order to identify and mitigate vulnerabilities more effectively. The benefit of crowdsourced security testing is two-fold. First, it grants defense leaders higher visibility into their testing from an adversarial perspective. Second, it aims to add scale and efficiency by narrowing the cybersecurity workforce gap and leveraging the skills and expertise outside of DOD. In fact, one telling report from Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021. 

Moreover, in 2019 “the Department of Test and Evaluation highlighted a serious shortage of pentesters within the DoD and burnout,” adds Mark Kuhr, chief technology officer and co-founder at Synack, a technology company that aims to fill this gap “by providing world-class talent in crowdsourced pentesting to help augment internal teams.” 

An Alliance of Humans and Machines

In order for this crowdsourced security model to scale at the pace of systems development and digital transformation, humans and machines must work together and augment each other. Artificial intelligence excels at conducting repetitive tasks at scale, whereas human strengths lie in creative tasks and business logic. Working together, humans and machines cover all the bases necessary for successful cybersecurity testing. 

Kuhr and his colleagues at Synack work directly with DOD to provide managed crowdsourced penetration testing. Unlike bug bounty marketplaces, Synack’s secure platform combines the intelligence of vetted researchers and AI/ML to investigate and respond to vulnerabilities in a controlled way. The “Synack Red Team” (SRT) is composed of security researchers who undergo a complex vetting process that assesses skill and trust, with a small percentage of applicants accepted into the program. 

The SRT also leverages AI-enabled proprietary scanning technology to trace suspected vulnerabilities and deliver high quality, actionable insights to the end user. 

“Synack brings a human-centered approach to security testing to mimic what a real attack looks like while providing smart technology to help testing scale,” Kuhr explained. 

For example, Kuhr and his team recently combined the capabilities of human and artificial intelligence through a collaboration with the Defense Advanced Research Projects Agency, the organization at DOD responsible for testing and developing emerging technologies for military use. The project is a public-private partnership between DARPA, Defense Digital Service and Synack. Their goal: develop hardware security architectures that protect systems against hardware vulnerabilities exploited through software. As part of this mission, DARPA engaged Synack’s crowdsourced community of vetted researchers to test the implementation. 

“Synack’s platform and community of ethical hackers provide us with the resources needed to thoroughly test and vet our defenses,” DARPA Program Manager Keith Rebello said in a recent Synack blog post. “Working with Synack and DDS provides us with proven expertise and confidence in this effort’s success.”

Ethical Hacking Helps DOD Stay Ahead of the Adversary 

The role of ethical hacking programs like Synack’s has become even more valuable today, as DOD must protect against increased threats from nation-state actors.

Take complex systems used in military aircraft, for instance. “There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” Will Roper, a top U.S. Air Force acquisitions executive, told The Washington Post.

Tapping the ethical hacking workforce can help DOD fix problems with weapon systems before it’s too late. In 2019, DOD granted Synack’s team of researchers access to a flight system used in F-15 fighter jets. The testers discovered glitches in the system that could be exploited to shut down a $20K device used to collect data from video cameras and sensors.

Thanks to these discoveries, the Defense Department is beginning to think about threats in new ways. Moreover, defense leaders are warming up to the idea that a crowdsourced approach to weapon systems security is the way to go. 

“We want to bring this community to bear on real weapons systems and real airplanes,” Roper said to The Washington Post. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”

This content is made possible by our sponsor Synack; it is not written by and does not necessarily reflect the views of Defense One's editorial staff. 
