WASHINGTON — A Defense Department pilot program designed to eradicate digital vulnerabilities among contractors identified hundreds of flaws over the course of a year, organizers said.
Cybersecurity researchers with the HackerOne bug bounty team discovered some 400 issues at dozens of companies during the Defense Industrial Base Vulnerability Disclosure Program, coordinated by the department’s Cyber Crime Center and the Defense Counterintelligence and Security Agency.
“The DC3 Department of Defense VDP has long recognized the benefits of using crowdsourced ethical hackers to add defense-in-depth protection to Department of Defense information networks,” said Melissa Vice, acting program director for vulnerability disclosure, in a statement, adding that the pilot was aimed at identifying whether similar high-severity and critical vulnerabilities existed in small and medium-sized cleared and non-cleared defense industrial base companies, with potential risks to critical infrastructure and the security of the U.S. supply chain.
It was not disclosed which contractors were involved. The campaign launched in April 2021 with 14 participating companies and 141 publicly accessible assets to vet. Interest grew quickly; ultimately, 41 companies and about 350 assets were admitted. The results were announced on May 2.
The total represents a fraction of the Defense Department’s roughly 200,000-strong pool of contractors, raising concerns about vulnerabilities in many more networks.
The Pentagon operates a vulnerability disclosure program, in which specialists look for weaknesses and point them out to fix them. Such a practice, the Cyber Crime Center said, improves network defenses and promotes proactive cyber management.
“Every organization should prioritize the security of its software supply chain, but it’s even more critical for federal agencies protecting national security,” said Alex Rice, co-founder and chief technology officer of HackerOne. The company is the Department of Defense’s main source for vulnerability reports and vetting.
The defense industrial base is under constant threat from hacking and foreign influence efforts. While international competitors may be dissuaded from fighting the U.S. directly, the Pentagon’s 2018 cyber strategy noted, they are leveraging the digital domain to steal “our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.”
In a joint cybersecurity bulletin issued days before Russia re-invaded Ukraine, the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency warned that Moscow-backed hackers had targeted U.S. defense contractors as well as weapons and communications infrastructure.
The targets, according to the notice, work on defense and intelligence contracts, including missile development, vehicle and aircraft design, and command and control. The compromised companies support the U.S. Army, Air Force, Navy, Space Force and national security programs.
Defense News reported in June 2018 that Chinese-sponsored hackers had also breached the computers of a Navy contractor, compromising sensitive data related to secret work on an anti-ship missile.
The Government Accountability Office in a December 2021 analysis said the Defense Department “has taken steps to improve the cybersecurity of the defense industrial base,” but more could be done. The department agreed with the report’s findings and recommendations, the documents show.
Colin Demarest is a reporter at C4ISRNET, where he covers networking and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration, namely nuclear weapons development and Cold War cleanup, for a newspaper in South Carolina.