SINGAPORE: The Ministry of Defence (MINDEF) is opening up its Internet-facing systems to hackers in a first-of-its-kind attempt to identify and fix weaknesses in computer systems in the public sector.
The MINDEF Bug Bounty Programme was announced by Singapore's defence cyber chief David Koh on the sidelines of his visit to the Cyber Defence Test and Evaluation Centre (CyTEC) on Tuesday (Dec 12).
From Jan 15 to Feb 4, 2018, about 300 selected white hat hackers from around the world will be invited to find vulnerabilities in eight Web-facing systems.
White hat hacker is an industry term to describe those who use their skills to improve security by exposing vulnerabilities before malicious hackers (known as black hat hackers) can detect and exploit them.
The systems are MINDEF’s website, the NS Portal, the Central Manpower Base website, the Defence Science and Technology Agency’s website, eHealth, Defence Mail, LearNet 2 Portal and myOASIS Portal, the ministry said.
The vulnerabilities should then be disclosed to MINDEF, and the hackers will be financially rewarded for their discoveries according to how critical these are.
Rewards could range from about S$150 to about S$20,000, based on previous programmes organised by HackerOne, a bug bounty company engaged to facilitate the programme.
Mr Koh, who also heads up the Cyber Security Agency of Singapore, acknowledged that there are risks in conducting such an exercise, but measures have been put in place to mitigate them.
For example, he cited the possibility that the selected hackers may turn rogue and expose their findings online, instead of disclosing them to MINDEF.
But that’s why the ministry selected white hat hackers to participate, and HackerOne to facilitate, as they have a reputation of hacking for good to uphold, he explained.
HackerOne also issues rules of engagement for these hackers to abide by, such as not launching distributed denial of service (DDoS) and not selling their discoveries. Failure to comply would result in them being censured, the defence cyber chief explained.
“This is the first time that MINDEF is launching such a bold programme,” Mr Koh said.
He added that bug bounty programmes are not new globally: the United States’ Department of Defense holds “Hack the Pentagon” exercises, while companies like Google and Facebook conduct similar initiatives.
MINDEF said the total amount paid out in rewards is dependent on the number and quality of the vulnerabilities discovered, and is expected to cost “significantly less” than hiring a dedicated commercial cybersecurity vulnerability assessment team.
Mr Koh explained that hiring a cybersecurity company to assess an organisation’s cybersecurity posture may cost “about a million dollars”. By contrast, the “Hack the Pentagon” exercise paid out US$70,000.
He reiterated that cost is not the main factor for launching the programme, but rather its crowdsourced nature, which allows more people, with a wider range of skills, to participate.
It would also allow local white hat hackers to hone their skills. Of the 300 selected hackers, he hoped that the proportion will be two-thirds international ones and one-third from Singapore.
The launch of the bug bounty programme comes after the ministry announced in February this year that an Internet-facing system – the I-net system – was breached, resulting in the personal data of 850 national servicemen and employees being stolen.
No classified military data was stolen, it added.
“Cyber is a new battlefront. Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity,” the ministry said. “As hackers with malicious intent find new methods to breach networks, MINDEF must constantly evolve and improve its defences against cyber threats.”