The Singapore Ministry of Defence has announced the MINDEF Bug Bounty Programme. David Koh, head of MINDEF made the announcement during a visit to the Cyber Defence Test and Evaluation Centre (CyTEC).
At first glance this would appear to be a gauntlet thrown down to hackers and a recipe for disaster. It is not. On closer reading of the announcement it is merely an invitation to a select group of white hat hackers. The hackers are all registered with HackerOne, an international bug bounty company.
Those hackers will be allowed to test eight MINDEF Internet-facing systems. The goal is to identify any code bugs and vulnerabilities. For each one found there will be a bounty paid. Low-severity bugs will attract a bounty of S$150 (approx US$110) and critical bugs will earn a hacker S$20,000 (approx US$14,840).
Koh said: “This is the first time that MINDEF is launching such a bold programme… White hat hackers participating in this programme will be given the mandate to ‘hack’ MINDEF, to find bugs in our major Internet-facing systems… For each valid and unique bug that the hacker finds, he will receive a bounty.”
Which MINDEF systems are going to be tested?
There are a total of eight MINDEF systems that HackerOne will test. These are:
- MINDEF Website: Ministry of Defence website
- NS Portal: e-Services for NSFs and NSmen
- CMPB Website: Central Manpower Base website
- DSTA Website: Defence Science and Technology Agency website
- eHealth: Portal for MINDEF/SAF personnel for medical purposes
- Defence Mail: MINDEF/SAF Internet email service and I-Net
- LearNet 2 Portal: Learning resource portal for trainees
- myOASIS Portal: NSmen administration portal
The complete rules of engagement have not been made public. For example, if the hackers are able to breach the main MINDEF website, are they allowed to continue to probe and find out what other systems are vulnerable? MINDEF is focused on what it believes are its eight most vulnerable Internet-facing systems. The reality, however, is that these systems are probably connected to other systems. How far the hackers are allowed to go will determine the overall effectiveness of this campaign.
Choosing hackers, even white hat hackers with a reputation to defend, to attack your systems would worry most companies. However, the world of cybersecurity is a strange place. Over the past 20 years we have regularly seen hackers go from poacher to gamekeeper. There are numerous security firms whose founders have a long history of hacking. The same is true of many security consultants. They see this as their working CV.
What does this mean?
This is a sensible move by MINDEF. It is choosing people with the required skills and tools to attack its systems. It is also an admission that using HackerOne to test those systems will be far cheaper than hiring a dedicated commercial cybersecurity vulnerability assessment team.
What remains to be seen is whether this is a one-off exercise or an ongoing engagement. If it is a one-off, then the short-term gains may well be lost in the long run. Cybersecurity is like building on shifting sands: just when you think you have everything stable, a new zero-day vulnerability arrives.
What is disappointing in this announcement is that there is no evidence that MINDEF is also going to use this engagement to train its own staff. Teaching them the techniques used by the HackerOne researchers would give them knowledge they could use to maintain the security of their systems.