Congratulations, you're now a "Hacker"

How does a serviceman or woman get involved with security research? Don’t hackers belong to a mysterious subculture that doesn’t match the culture of government? The truth is that many uniformed officers engage in ethical hacking, on and off duty! Air Force Master Sergeant Johnathan Miranda is one of them.

Master Sergeant Miranda is a Cyber Warfare Operator assigned to the Defense Information Systems Agency (DISA). Miranda previously led a team of enterprise-scoped threat hunters focused on finding red team and nation-state activity on the Air Force network for the Air Force Computer Emergency Response Team (AFCERT). In his free time, he participates in bug bounty programs as a “bug hunter” to find and disclose vulnerabilities in systems. When not hunting bugs, he is honing his bug hunting skills for the next event.

The following is an interview with Master Sergeant Miranda about his experience as a military hacker.

1. When did you get started with bug bounties?

I started around 15 months ago; Hack the Army 2.0 was the first time I participated in any bug bounty program. Participating in Hack the Army 2.0 and Hack the Air Force 4.0 events got me started down the path of bug bounties. In the fall of 2019, I had an unexpected change in my work roles, and that drove me to dive headfirst into bug bounties during my time off. I needed something to channel the desire to do deeply technical work, and bug bounties filled that gap. After spending time exploring the different platforms, I became involved with the bug bounty community and was hooked. Now I spend all my free time on bug bounties.

2. Why did you participate in Hack the Army 2.0? What did you come away with from the experience?

Bug bounties were always interesting to me. When I heard about Hack the Army 2.0, I just had to give it a shot. I worked with a Defense Digital Service team member on a project back in San Antonio, so through the power of "sending a random email," I just asked if there was a way I could participate. A couple of days later, I received an invite and had the opportunity to hack on the program.

3. Does hacking overlap with your work at all, considering interests, expertise, or skill set? If so, how? If not, why do you do it?

Some aspects of hacking overlap with my current work role; I am assigned to DISA as the Deputy Branch Chief of the Cyber Fusion cell. Our team must have a deep understanding of current threats to the public-facing assets and services that DISA provides to the enterprise.

4. Do you know many other military hackers?

I've been lucky enough to interact with some of the best military hackers in the Department of Defense, having been stationed in San Antonio and now Fort Meade. I am currently associated with the Shell Collecting Club, which is all active duty, and some recently separated capture the flag teams that participate in various CTF events. There are nearly 200 of us in the community.

5. What would you say to a service member considering security research, either professionally or just as a personal interest?

Find an aspect of this field that interests you and dive right in. There are so many learning resources out there to get you started. For example, if bug bounties interest you, start looking at the platforms that host bug bounty programs (try HackerOne, Bugcrowd, Synack, or Safehats, just to name a few). Then, jump in headfirst. Don't worry about labels or barriers. If you are out there hacking what interests you, congratulations, you're now a "Hacker."

6. What do you have to say to the skeptics regarding the advantages of bug bounties and engaging hackers to improve national security?

There's a vast community of researchers that want to help protect our systems, and it is evident from how successful the DoD VDP is. Automated scanners cannot find the bugs that these researchers are finding; leveraging crowdsourced platforms is something that we should be doing across all federal and state governments. I've had the pleasure of being part of the bug bounty community for a little over a year, and it is the most welcoming and friendly group of people I've ever been a part of, and I plan to continue to be part of it for a very long time.

7. Will you be participating in Hack the Army 3.0?

Yes! I am very excited to participate in Hack the Army 3.0. I took a couple of days of leave to hack on the program and plan to participate throughout the entire event.

The Hack the Army 3.0 program will run from January 6 until February 17, 2021. If you’ve got the skills and are ready to dive in like Master Sergeant Miranda did, apply now!