An unwillingness to expose its systems to additional risks probably convinced the U.S. Department of Defense (DoD) not to invite Russian cybersecurity specialists to participate in its “bug bounty” program to hack the Air Force.
On April 26, the DoD announced the “Hack the Air Force” challenge for cybersecurity specialists from the U.S., U.K., Canada, Australia, and New Zealand, but denied entry to hackers from Russia.
Keep out, Russians
“Systems that might be targeted in order to identify security vulnerabilities may be those that are not connected to the internet and that are largely unknown to the public,” said Oleg Demidov, a cybersecurity expert at PIR Center, a Moscow-based think tank.
The issue of trust is key for the DoD’s choice of countries whose citizens are licensed to perform such sensitive cyber operations. While the U.S., Canada, U.K., Australia and New Zealand are all members of the Five Eyes alliance, which promotes cooperation in the field of intelligence, Russia is not.
“Russians will never be invited to participate in such challenges because the U.S. military officials believe that knowledge and information about the Pentagon’s security systems that are obtained during such operations might be exploited and used against U.S. interests,” Demidov said.
Whether the DoD is losing out on opportunities by not inviting hackers from Russia to participate in its “bug bounty” competition is unclear. Experts disagree on whether there is a distinctive Russian hacker ‘school,’ and whether participation could have made a difference for the Pentagon.
Some experts say compact code and non-standard solutions are features that pertain to the so-called “Russian school” of hacking. “What such hackers have in common is freedom of thinking – Russians usually seek non-standard solutions for standard tasks. This particular feature of Soviet education remains a distinctive feature of Russian hackers, who don’t think according to conventional patterns,” Alexei Lukatsky, a security consultant at Cisco Systems, told RBTH in a previous interview.
Other experts doubt hackers from the former Soviet Union comprise a distinct cyber community. “There is certainly no Russian community of hackers, but there is a global community of Russian-speaking cyber criminals dispersed throughout the world. So, it’s impossible to define what is a ‘Russian school of hacking’ based on a single criterion,” Demidov said.
At the same time, Demidov agrees there are criteria that, when taken together, could suggest that the hacker in question comes from the Russian-speaking community: language of communication, certain code patterns, and certain “darknet” connections that allow users to access friend-to-friend networks with non-standard software and communications protocols, etc.
Regardless of whether there is anything the U.S. could have gained by inviting hackers from Russia to participate in its “bug bounty” challenge, the DoD apparently decided not to expose its systems to additional risks and did not include Russia among the listed countries.
Difficult to control
Experts say the Russian Defense Ministry, in contrast to the Americans, relies more on private cybersecurity companies than on “bug bounty” challenges to uncover vulnerabilities in its systems. A private company signs a non-disclosure agreement, which makes that arrangement far less risky.
Since a “bug bounty” program is a deal that companies and government agencies offer to individual cybersecurity specialists to reveal hidden security vulnerabilities in their systems, it brings greater risks because it’s more difficult for the client to control.
At the same time, a number of American companies occasionally announce cybersecurity challenges and invite hackers from Russia to participate. In January, Facebook paid $40,000 to a hacker from Russia for identifying a vulnerability in its system and reporting it to the company.