The Daily Telegraph

‘Ethical hackers’ offered bounty by MOD to spot security flaws

By Danielle Sheridan, Defence Correspondent

THE Ministry of Defence (MOD) has become the first government department to pay “ethical hackers” to help thwart cyber criminals.

The department’s first bug bounty programme involved 26 “hackers” being invited to access its networks for 30 days, in an effort to outflank criminals and improve national security by identifying vulnerabilities.

Bug bounty programmes offer people a financial reward in exchange for reporting technical flaws. Although it is a non-traditional approach for the MOD, it is common practice in the technology industry and has already been adopted by the US Department of Defence.

Defence teams are already working with the ethical hacking community in order to ensure better security across its networks and 750,000 devices.

Christine Maxwell, the MOD’s chief information security officer, said the move was an “essential step in reducing cyber risk and improving resilience”. “Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets,” she said.

One participant, Trevor Shingles, said he was able to alert the MOD to a flaw he uncovered that would have allowed a malign actor to modify permissions and gain access.

“It’s been proven that a closed and secretive approach to security doesn’t work well,” he said. “For the MOD to be as open as it has been with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications. This is a great example to set for not only the UK, but for other countries to benchmark their own security practices against.”

James Heappey, minister for the Armed Forces, said the bug bounty was an “exciting new capability”, adding that collaboration with ethical hacking would ensure “we’re more resilient and better protected”. “This work will contribute to better cyber and information security for the UK,” he said.

Marten Mickos, chief executive of HackerOne, said: “Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore. Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year.

“The MOD is leading the way with forward-thinking and collaborative solutions to securing its digital assets. I predict we will see more government agencies follow its example.”
