beebright - stock.adobe.com
The Singapore government is starting a bug bounty programme at the end of this year to identify cyber blind spots and benchmark its cyber defences against skilled global hackers.
Announced by Singapore’s deputy prime minister and coordinating minister for national security Teo Chee Hean at the Singapore International Cyber Week, the programme will invite both international and local white-hat hackers to test selected, internet-facing government systems and identify vulnerabilities.
Through this process, Teo said, the government hopes to bring together a community of cyber defenders who share the common goal of making cyber space safer and more resilient by protecting its IT systems against malicious attacks.
The new bug bounty programme is part of the government’s efforts to drive cyber innovation at a time when cyber threats are growing.
In July 2018, Singapore’s public healthcare IT systems came under an unprecedented cyber attack that compromised the non-medical personal data of about 1.5 million patients who had visited specialist outpatient clinics and polyclinics at the SingHealth public healthcare group.
Data taken included names, national identity card numbers, addresses and dates of birth. Information on the outpatient dispensed medicines of about 160,000 patients was also exfiltrated through an initial breach on a front-end workstation.
“Cyber attackers are extremely innovative, and so too must our defenders,” Teo said. “There is growing demand for services from companies that provide cyber security. By embracing cyber innovation, we can grow the cyber security industry and at the same time better protect our systems and users.”
Details of the government’s new bug bounty programme have not been revealed, though it is not the first of its kind in the public sector.
In December 2017, Singapore’s Ministry of Defence (Mindef) started a bug bounty programme that offered rewards of up to S$20,000 (US$14,600) for identifying loopholes in internet-facing systems used by defence and military personnel.
Some 300 selected white hat hackers from around the world would test such systems for vulnerabilities or bugs, and receive bounties starting from S$150, based on past programmes organised by HackerOne, the bug bounty facilitator that Mindef had engaged to run the programme.
Mindef said the sum of the rewards would depend on the number and quality of the vulnerabilities discovered. The cost of running the bounty programme is expected to cost significantly less than hiring a dedicated commercial cyber security vulnerability assessment team.
A similar programme launched by the US Department of Defense (DoD) had yielded nearly 3,000 valid vulnerabilities in DoD’s internet-facing websites and web applications over a one-year period.
Other US government agencies such as the General Services Administration and the Department of Homeland Security were expected to follow suit with their own bug bounty programmes.
Read more about cyber security in ASEAN
- Healthcare workers who require internet access will have to use separate internet workstations following an unprecedented attack on Singapore’s public healthcare system.
- Grab, a Southeast Asian ride-hailing company, prefers detective controls rather than preventive ones to deter cyber threats – an approach it claims is less intrusive and costly to implement.
- The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.
- Cyber resilience remains low across ASEAN, a regional economic powerhouse that is increasingly susceptible to cyber threats as its digital economy grows.