How the Air Force relied on hackers to secure its move to the cloud

Exclusive: In late 2016, the Air Force started moving more than 100 apps to a new server. Hackers in a bug bounty found 54 vulnerabilities in it.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The US Air Force opened up a bug bounty program to a fleet of hackers, who found 54 security vulnerabilities in its new cloud server.

Tony Avelar/Christian Science Monitor/Getty Images

The Air Force ran a standard security check after it started moving its apps to a new cloud server, and at the time, everything seemed fine. Security auditors worked through their standard compliance checklist, and the new cloud server, called Cloud One, had a clean bill of health.

Then, from March 18 to June 21, hackers taking part in a bug bounty program gave it a second look and found 54 vulnerabilities in the cloud server. The most critical one earned a $20,000 payout; the Department of Defense declined to provide specific details about it.

"Doing these checklists of various controls, various questions, don't do a great job of emulating what an adversary would do on a network," said Alexander Romero, a digital defense expert at the Defense Digital Service. "That's really why the Air Force has found it valuable to use this method of testing."

The Defense Digital Service plans to announce the results of its bug bounty program on Thursday at Defcon, a hacker conference in Las Vegas.

Bug bounty programs, in which companies or government agencies invite the public to probe their systems for vulnerabilities, are increasingly common, but Cloud One represented a more extensive challenge. This bug bounty went through six stages, looking for vulnerabilities in its internal servers, its staff and the apps. Cloud security is crucial, as a single misconfiguration can lead to a massive breach, like the hack Capital One suffered in July.

In the past, the Department of Defense partnered with Bugcrowd, HackerOne and Synack for "Hack the Pentagon" campaigns. The DoD first announced the program in 2016, and it has since resulted in more than $400,000 in payouts.

Bug bounty programs attract what are known as "white hat" hackers by offering cash rewards to anyone who finds and reports a vulnerability. Google in July updated its bounty to allow payouts of up to $30,000 to anyone who can find Chrome vulnerabilities.

Cloud and clear

The Air Force started looking for a centralized server to host its major applications around 2014, according to James Thomas, a DDS expert. The server needed to be easily accessible for Air Force members, but more importantly, it needed to be secure. 

The server, then called the Common Computer Environment, was eventually renamed Cloud One. It was a mix of cloud servers from both Amazon Web Services and Microsoft Azure, with a VPN between the two.

Cloud One is intended to host important apps like the Air Force's online portal, a hub through which users reach all the other apps available. If an attacker got access to that, they would be able to see everything the Air Force used.


It makes sense that the Air Force would want to keep this secure, beyond what its internal checklist covers. So the Air Force relied on the wisdom of the crowd through the bug bounty program, enlisting groups of hackers who found security flaws on Cloud One that a standard audit did not account for.

"Having been an authorizing official in the past, there's nothing quite the same as having dozens of hackers test out the security in your system," Romero said. 

The 54 vulnerabilities discovered generated a total payout of more than $130,000, Thomas said. The bug bounty program lasted for three months and went through six phases with different focuses at each one. 

The first phase looked at Cloud One's source code, while the next two looked at the security on AWS and Azure. The fourth phase looked at network authentication, and the fifth looked at social engineering -- essentially how easily staffers in control of the cloud server could be tricked into giving up critical information. The final phase looked for vulnerabilities on the Air Force portal. 

Typically, when a company wants to test how secure its system is, it hires a penetration testing firm, which focuses on finding vulnerabilities and ways to break into a network. The DDS found the bug bounty route more cost-effective.

"They would have less people working for more time, and it would cost us more money," Romero said.