Hackers attacking the US AIR FORCE (thanks)!

(by Ciro Metuarata)
28/04/20

"The Defense Digital Service is a SWAT team of nerds working to improve technology across the Department of Defense". This phrase stands out on the home page of the Defense Digital Service (DDS), an agency of the United States Department of Defense whose mission is the technological innovation and transformation of that Department and, in particular, to "use design and technology to improve government services, strengthen national defense, and care for military members and their families". To do this, the agency counts among its ranks, in addition to very interesting professional figures such as the "bureaucracy hackers", the aforementioned "nerds", which the Garzanti Linguistica website defines as "in youthful use, an awkward and insignificant young man who sublimates his condition with great skill and passion for computers and video games | a student who achieves good results thanks to stubborn application, but does not shine for intelligence; a swot".

But what contribution can a fierce team of "nerds" make to the Defense Department of the military superpower par excellence? They certainly come up with very valid and successful ideas that would obviously not occur to others. A clear example is the "Hack the Pentagon" program, which gave rise to other very interesting bug hunting initiatives, including, in chronological order, "Hack the Air Force 4.0", which saw a "battalion" of hackers launch an assault on the US Air Force's technological infrastructure.

Let's see what this kind of activity consists of and what results it makes it possible to obtain.

More than once, on these pages, we have tried to promote the figure of the ethical hacker (or white hat hacker) who, essentially, is an IT enthusiast dedicated to researching the security vulnerabilities of IT systems (programming and/or configuration errors) and reporting them to the developer concerned rather than to the user or the authorities.

Born as a figure that is in some ways "romantic", as opposed to the unethical hacker (or black hat hacker) who exploits security vulnerabilities to attack systems, the "good" hacker has over time also become a recognized professional figure. Moreover, access to this profession requires demanding certifications based on internationally recognized standards, so much so that the Certified Ethical Hacker is in great demand by both private companies and state organizations.

Precisely this precious figure, never exploited enough in our country, especially in its "amateur" version, is at the center of bug hunting (or bug bounty) programs such as Hack the Air Force 4.0, whose goal is to find security flaws in information systems through competitions between hackers. In particular, the competition concerning the US Air Force's systems is part of the wider "Hack the Pentagon" initiative, a bug bounty program launched in 2016, conceived and managed by the aforementioned DDS through the service company HackerOne, which acts as an interface with a global community of more than 500,000 ethical hackers.

Specifically, this program aims to organize and run bug hunting events focused on the Department of Defense's systems, in order to detect and resolve security holes unknown even to their respective manufacturers. Although most ethical hackers are motivated by personal gratification, these events include cash prizes for the winners. In this context, Hack the Air Force 4.0 took place last October and November: a competition that involved 60 hackers, coordinated by HackerOne, in "stress testing" the US Air Force's Virtual Data Centers, i.e. the cloud that provides the Armed Force's IT services. The fourth edition of the Air Force competition revealed 460 security vulnerabilities and awarded $290,000 in prizes.

All in all, Hack the Pentagon has made it possible to discover 12,000 previously unknown vulnerabilities that could have been found and exploited by some attacker. In short, the latest edition, according to the program managers, confirmed that it is a successful program in many respects. Let's consider what the strengths of the DDS bug hunting programs, and of similar initiatives in general, might be.

The first, and most immediate, is that it allows the Department of Defense to make its systems decidedly more secure, since the security breaches are obviously promptly removed before being made public; consequently, unethical hackers will have to work much harder to find any further vulnerabilities. The financial aspect of the program is also clearly beneficial, given that it has been running for 4 years now. The cash prizes, rewarding for the winners, are probably a particularly advantageous investment for the Department as well, given the much higher fees charged by certified hackers and the companies they work for. Besides, and this is the third aspect of its success, by resorting to bug hunting programs one does not rely on a particular company, but on a heterogeneous community of hackers, each with different skills and experience and, above all, not tied to any specific manufacturer of hardware or software. This makes it possible to obtain truly independent results, which are not the product of an aseptic evaluation "in the laboratory".

To better understand the potential of bug hunting, consider that with the same methodology, last year, through a two-phase competition between hackers dedicated to the US Air Force's F-15 jet, security vulnerabilities were identified in a system critical to the entire weapon platform, i.e. the Trusted Aircraft Information Download Station, which is responsible for collecting the data acquired by the aircraft's sensors and cameras during flight. So much so that the DDS plans to test the aircraft themselves in the future, as well as satellite platforms.

Another positive point of bug hunting competitions in all probability lies in building "loyalty" between hackers and the Armed Forces and in involving the industrial world. In short, the establishment of that virtuous circle which in many places, including these pages, has been highlighted as one of the elements that should underpin a national cyber security strategy. In this way, in fact, the military become aware of the inescapable need to rely on systems designed and developed to be secure, without neglecting any aspect, and of the need to test them continuously throughout their entire life cycle, from acquisition to disposal. On the other hand, ethical hackers, in addition to engaging in stimulating challenges, know that they are useful to their country, actively contributing to its security. Besides, the Armed Forces can do scouting, and hackers can consider whether to pursue a military career. Finally, the last aspect: companies are driven to develop software and hardware that are increasingly secure, perhaps hiring the very hackers who discover the flaws in their systems. Of course, according to the DDS there are also some negative sides to be improved, mainly concerning the legal aspects of the contracts the Department of Defense uses for the supply and management of IT services.
However, the balance of competitions such as Hack the Air Force is certainly very positive for all parties involved.

At the end of this brief review of the DDS bug hunting programs, it is worth highlighting once again how much the varied world of ethical hackers can represent a very valid resource, for Italy too. In this period, marked by thousands of family tragedies caused by the consequences of COVID-19, the inescapable need for systems, networks and information services capable of guaranteeing an adequate level of security emerges even more strongly. Moreover, not only our lives depend on them, but also the country's economy, made even more fragile by the consequences of the still ongoing pandemic. This, in spite of often outdated, heterogeneous, complex technologies, not developed to comply with even minimal security requirements, and in spite of subtle threats, more or less sophisticated but always attributable to ruthless, unscrupulous, numerically overwhelming, well-organized actors, often with huge resources at their disposal. To cope with this frightening scenario, we need everyone's help, professionals or not, and all their best skills and energies. Therefore, ethical hackers are needed more than ever: a resource still largely unknown or not adequately considered, and therefore not exploited enough.

Therefore, long live the nerds!
 
PS: while in many countries people keep talking about cyber security with insufficient concreteness, the Australian authorities, a few weeks ago, "declared war" on the cyber criminals who take advantage of the emergency caused by COVID-19 to target Australian citizens, hospitals, institutions and companies. Note that this is not a war made of decrees, stamped papers, lengthy investigations, complaints and trials. It is a war entrusted to Australian military intelligence (the Australian Signals Directorate) and conducted also through targeted cyber attacks against cyber criminals, whoever they are and whoever sponsors them. Let's see what happens.
 
To learn more: