igor - Fotolia

Singapore’s defence ministry starts bug bounty programme

Bug bounty programme will offer rewards of up to S$20,000 for identifying loopholes in internet-facing systems used by defence and military personnel

Singapore’s Ministry of Defence (Mindef) is getting white hat hackers to identify loopholes in its internet-facing IT systems in the country’s first government-led bug bounty programme to combat growing cyber threats.

Some 300 selected white hat hackers from around the world will test such systems for vulnerabilities or bugs, and will receive bounties from S$150 (US$111) to around S$20,000, based on past programmes organised by HackerOne, the bug bounty facilitator that Mindef has engaged to run the programme.

The list of eight websites that white hat hackers can try their hands on include the Mindef corporate website, the National Service (NS) portal used by servicemen for administrative matters, as well as the eHealth website used by Mindef and Singapore Armed Forces personnel for medical purposes.

Mindef said the sum of the rewards will depend on the number and quality of the vulnerabilities discovered on those websites. The cost of running the bounty programme is expected to cost significantly less than hiring a dedicated commercial cyber security vulnerability assessment team.

Like most highly connected countries, Singapore has seen a growing number of cyber attacks in recent years against both commercial and government entities.

Mindef, in particular, has been an attractive target of cyber attacks, such as those launched against the I-Net system that provides internet access for servicemen and employees earlier this year.

According to Mindef, the identity card numbers, telephone numbers and dates of birth of around 850 servicemen and employees were stolen from I-Net in the February 2017 incident. No classified information that resides in separate air-gapped systems was compromised.

David Koh, Singapore’s defence cyber chief and CEO of the Cyber Security Agency of Singapore, said that the crowdsourcing-based bug bounty programme, which will run from 15 January to 4 February 2018, is an innovative and effective way of strengthening Singapore’s cyber defences.

Given that it is not possible to fully secure modern computer systems with new vulnerabilities being discovered every day, Koh described the crowdsourcing approach as “effective and fast” in combatting threats in a fast changing cyber landscape.

Read more about cyber security in ASEAN

  • The computer networks of two universities in Singapore were breached in April 2017 by hackers looking to steal information related to government or research.
  • The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.
  • A majority of publicly listed companies in Singapore had little or no exposure to cyber threats even as the country is being used as launch pad for cyber attacks.
  • Coordination is vital to ensure that Southeast Asia’s cyber security efforts are focused, effective and in synergy with one another, said ministers and senior officials at a recent cyber security event in Singapore.

“This is the first time that Mindef is launching such a bold programme. White hat hackers participating in this programme will be given the mandate to ‘hack’ Mindef, to find bugs in our major internet-facing systems,” he said.

Bill Taylor-Mountford, vice-president of Asia-Pacific and Japan at LogRhythm, called Mindef’s bug bounty programme “a brave move”, noting that when it comes to outsmarting cyber criminals who are evolving so quickly, there is no better place to start than identifying where the current vulnerabilities are.

“There is a wealth of experience out there that we can all tap in to by simply partnering with experts – whether they are in the public or private sector, local or overseas – to exchange information and expertise. It is important that such initiatives are conducted consistently and regularly given how fast the cyber threat landscape is changing,” he said.

A similar programme launched by the US Department of Defense (DoD) has yielded nearly 3,000 valid vulnerabilities in DoD’s internet-facing websites and web applications over a one-year period.

Other US government agencies such as the General Services Administration and the Department of Homeland Security are expected to follow suit with their own bug bounty programmes.

Read more on Hackers and cybercrime prevention