The UK Ministry of Defence (MoD) has completed its first Bug Bounty programme. It engaged with 26 ethical hackers and US-based HackerOne to identify vulnerabilities in the MoD cyber systems. The Bug Bounty programme comes on the back of the MoD issuing guidance for security researchers in December 2020. The MoD IT estate encompasses a number of networks and over 750,000 devices.
The success of this first Bug Bounty programme means that the MoD intends to continue the programme. Minister for the Armed Forces James Heappey said: “Bug bounty is an exciting new capability for the Ministry of Defence. Our cyber teams are collaborating with the ethical hacking community to identify and fix vulnerabilities in our systems, ensuring we’re more resilient and better protected.
“This work will contribute to better cyber and information security for the UK.”
How successful was it?
The ethical hackers were given access to a carefully curated set of internal MoD systems. How sensitive these were is unknown. Importantly, the MoD is saying that this was a successful programme. However, it has not revealed how many vulnerabilities were identified and remediated or what it paid. While disappointing, this should come as no surprise. The open question is how many vulnerabilities remain in the systems that were declared off-limits.
What is important is that the MoD prioritised remediation of all vulnerabilities that were detected. It shows a willingness to take advice and react accordingly, something that is not always the case in cybersecurity. However, unless it widens the scope for access, there will be vulnerabilities left for adversaries to exploit.
According to ethical hacker Trevor Shingles, who took part in the Bug Bounty programme: “I focused on identifying authentication bypasses that would allow unauthorized users to access systems they shouldn’t. I successfully reported an OAuth misconfiguration, which would have allowed me to modify permissions and gain access, but instead was able to help the MoD fix and secure.”
Enterprise Times: What does this mean?
The MoD is beginning to realise that not everything can be done in-house. Removing its own echo chamber and opening up to ethical hackers is a start. However, there are limits on what the MoD can expect to achieve as it has to ensure the security of its data.
While it has worked here with a number of ethical hackers, it might want to consider widening its programme. For example, it could include veterans who are active in this field. There is a growing number of UK veterans with the right security clearances to work on these systems. Many will have a reservist commitment and, while the MoD is beginning to use them to bolster its cyber force, using them to probe its own systems makes sense.
According to Steve Bradford, Senior Vice President EMEA, SailPoint: “Once ethical hackers determine whether malicious activities are possible by hostile states, a plan of action can then be implemented to protect assets for a more resilient future. A common fracture point found is when ethical hackers gain access to material they shouldn’t. To reduce the risk, and decrease vulnerabilities, organisations must address their identity security—monitoring who should have access to what and why. This should be a standard best practice for cyber security and will also reduce the risk of other malicious threats.”