A Teenage Hacker Gives Cybersecurity Advice to the DOD and Other Agencies

Agencies need to bring transparency to the cybersecurity process and hire staffers who will proactively search for vulnerabilities, a young hacker advises.

Jack Cable, a white hat hacker who has participated in more than 50 bug bounty events for the Defense Department and companies such as Google and Uber, has advice for federal agencies looking to boost their cybersecurity: It’s good to be uncomfortable.

Cable is an unexpected voice in the federal IT cybersecurity scene. This fall, he began his senior year at New Trier High School outside of Chicago. He hopes to major in math or computer science when he starts college next year.

Cable won this year’s Hack the Air Force event, which the Air Force announced in April and which ran from May 30 to June 23, identifying 30 vulnerabilities on the service’s networks before 271 other white hat hackers. Air Force officials awarded more than $130,000 in total prize money for the event.

As the Air Force notes, “bug bounty programs are an industry standard practice that helps better secure an organization’s internet presence. These programs crowdsource sanctioned hackers to identify vulnerabilities within systems, which then allows the organization to quickly remedy those vulnerabilities.”  

One of the vulnerabilities Cable uncovered was a “faulty admin panel that could have been exploited to upload files and modify content on a military website,” according to Nextgov.

Cable is no small-time hacker. He currently ranks No. 66 overall among members of HackerOne, a worldwide community of thousands of hackers that organizes bug bounties in the public and private sectors, as Nextgov notes. His success in Hack the Air Force helped him jump to eighth place in the group’s third-quarter rankings.

The HTAF event was actually the third time the DOD launched a bug bounty initiative. According to Defense One, the previous initiatives, Hack the Pentagon and Hack the Army, found 138 and 118 security gaps, respectively. The previous bug bounty programs were open only to Americans, but Hack the Air Force invited hackers from four countries outside the U.S. to participate: Australia, Canada, New Zealand and the United Kingdom. Those nations are considered the U.S. government’s strongest intelligence partners, and together the five countries make up the so-called “Five Eyes,” a longstanding intelligence-sharing arrangement.

Air Force CISO Peter Kim says the DOD often works with partner nations on efforts to improve cybersecurity. “We get a diversity of efforts that will make sure we have looked at our security from every angle,” Kim tells Nextgov. “By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense.”

For his part, Cable has noticed that the agencies that are most successful in their cybersecurity efforts are those that bring the most transparency to the process, even if it’s awkward.

Among the steps he recommends to feds: hire staffers who proactively seek out problems and ensure users know how to submit vulnerabilities to the IT team. From a strategic standpoint, agencies should hold hackathons and respond quickly to reported vulnerabilities, he says.

Raymond McCoy/U.S. Air Force
Nov 09 2017