Ministry of Defence embraces hackers to secure digital assets

The Ministry of Defence (MoD) has announced the conclusion of its first bug bounty challenge. The Ministry of Defence programme was a 30-day, hacker-powered security test aimed at surfacing vulnerabilities before they can be exploited by adversaries.

The MoD Challenge is part of an organisation-wide commitment to build back a culture of transparency and collaboration around security to combat cyber threats and improve national security.

Following the recent Integrated Review, the Government has called for “a more robust position on security and resilience” and “an emphasis on openness as a source of prosperity.”

“The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said Christine Maxwell, Chief Information Security Officer (CISO) at the MoD. “It is important for us to continue to push the boundaries with our digital and cyber development. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

The MoD Challenge was supported by HackerOne, a platform for organisations to access the world's largest community of ethical ('white') hackers. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organisations across all industries and attack surfaces. Customers include the US Department of Defence and Singapore's Ministry of Defence.

In December 2020, the MoD published guidance on how hackers could report vulnerabilities in its systems or services, but said it would not offer monetary rewards for vulnerability disclosures. The hackers taking part in the bug bounty challenge were, however, compensated for their disclosures, although the amounts are unknown.

Bug bounty programmes incentivise security research and the reporting of real-world security vulnerabilities in exchange for monetary rewards for qualified vulnerabilities. These programmes are an industry best practice leveraged by the most mature governments and organisations across the world.

“It’s been proven that a closed and secretive approach to security doesn’t work well,” said Trevor Shingles a.k.a @sowhatsec, one of the 26 ethical hackers on the MoD’s programme. “I focused on identifying authentication bypasses that would allow unauthorised users to access systems they shouldn’t. I successfully reported an OAuth misconfiguration, which would have allowed me to modify permissions and gain access, but instead was able to help the MoD fix and secure. For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications. This is a great example to set for not only the UK, but for other countries to benchmark their own security practices against.”

By disclosing vulnerabilities to security teams, ethical hackers will help the Ministry of Defence secure its digital assets and defend against cyberattacks. This challenge is the latest example of the MoD’s willingness to pursue innovative and non-traditional approaches to ensure the capability and security of people, networks, and data.

The MoD also calls for its “secure by design” principles to be adopted by its supply chain as it conducts audits to ensure compliance with DEFCON 658 and DefStan 05-138.