Why Mindef’s move to engage white hat hackers may pay off

The Ministry of Defence’s announcement last week that it has engaged an international company to get 300 whitehat hackers to test the ministry’s major internet-facing systems for vulnerabilities has elicited many responses online.

Other organisations can take the lead from the Ministry of Defence in implementing the bug bounty programme to tap on external expertise in identifying cyber security risks, says the author. Photo: MINDEF Facebook.

Contrary to comments circulating on social media, Mindef’s Bug Bounty Programme is neither a crazy risk nor a cunning ploy to trap hackers.

In fact, such an initiative can be useful for other organisations – if executed correctly.

A bug bounty programme is an arrangement where security researchers can receive recognition and payment (‘bounty’) for discovering and reporting security flaws or vulnerabilities in websites or software (‘bugs’) that could otherwise be exploited by cyberattackers or cybercriminals.

These security researchers are called ‘white hat hackers’ because, although they use their skills to gain access to computer systems, their intentions are honourable.

To anyone outside the cybersecurity field, the idea of rewarding people for finding your security flaws may sound crazy. But a bug bounty programme takes advantage of crowdsourcing to tap on a wide range of researchers with different tools and techniques, who can find security flaws that a single organisation cannot find on its own.

Although this is the first time a Singapore Government agency is engaging in such an exercise, Mindef follows in the footsteps of the successful United States Department of Defense (US DoD) 2016 bug bounty programme called “Hack the Pentagon”.

Bug bounty programmes are more established in the private sector, where companies like Facebook, Google, and Microsoft offer rewards of up to US$250,000 (S$336,600) to security researchers who discover and disclose major security flaws in their software.

These organisations are willing to offer these rewards, because they can identify security flaws and prevent cybersecurity breaches that would otherwise cost them much more in reputation and financial losses.

Critics of bug bounty programmes say that they would heighten the risk of a company getting hacked by ‘black hat’ hackers, that is, those with criminal intent. But organisations that embrace bug bounty programmes recognise that they are already at risk: ‘black hat’ hackers are already trying to hack into their systems, and are not waiting for invitations or programmes to encourage them.

Other organisations can take the lead from Mindef. If its programme is successful, it is likely that companies in the 11 designated critical information infrastructure sectors (companies providing essential services like power, transport, health care and telecommunications) will do the same for their public-facing systems.

This may in turn encourage more public sector and private sector organisations to consider such programmes. Some scholars have even suggested that bug bounties should be a corporate governance best practice, because they provide an objective and independent report system for management.

Before embarking on any bug bounty programme, an organisation should consider how it will handle logistics issues such as managing a sudden influx of reports, verifying that bugs are genuine, avoiding triggering false alarms, and preventing researchers from accidentally disclosing sensitive information. Organisations also need to provide rewards that are adequate to compensate researchers for their time and effort. In short, a bug bounty programme requires significant investment of time and money in order to be successful.

Mindef and US DoD chose a trusted external vendor to manage their bug bounty programmes and to deal with these issues.

Mindef describes its partner HackerOne as “a reputable international bug bounty company”.

An experienced bug bounty organiser does not come cheap, but it can assemble a select group of experienced researchers, and set explicit limits for the project, such as which systems are off limits, and what types of actions are not allowed.

BUILDING A COMMUNICATION LINK

Regardless of whether an organisation chooses to implement a bug bounty or not, all organisations should provide channels for security researchers to safely communicate potential security flaws to them, and to give feedback on cybersecurity lapses, without fear of prosecution.

When the US DoD implemented the ‘Hack the Pentagon’ programme, it discovered that security researchers had already found security flaws in its systems, but there had been no legal channel for them to report these flaws.

This is also an issue in Singapore. Uninvited security researchers who discover security flaws in an organisation’s systems, whether intentionally, accidentally or serendipitously, may technically be committing the offence of unauthorised access under the Computer Misuse and Cybersecurity Act. Local security researchers tell me they are reluctant to report security flaws that they discover because there have been instances where the organisations concerned reacted badly against the bearers of bad news, and in one case even reported the researcher to the police.

These organisations have been short-sighted, and have lost useful allies in the quest for better security.

On the other hand, organisations who encourage security researchers to safely communicate potential security flaws, without fear of criminal prosecution, can build relationships that can serve them well in the future.

Microsoft’s bug bounty programme leaders recognise the importance of these relationships. In addition to making payments, they also engage security researchers in national and regional events, give recognition, and build a community that they can trust.

To be sure, a bug bounty programme is not targeted at cyber criminals who tend to be interested in far greater financial gains. Instead, bug bounties should be an incentive for doing the right thing, and a way for white hat hackers to do what they enjoy – hacking into websites – legally.

While some security researchers are motivated by the monetary incentives, others seek recognition or ranking points, which in turn can lead to lucrative projects or employment.

Mindef’s move could mark a turning point in the relationship between organisations here and white hat hackers, thereby opening up opportunities to build a more secure cyberspace for Singapore.

ABOUT THE AUTHOR:

Benjamin Ang is Senior Fellow and Head of the Cyber and Homeland Defence Programme at the S. Rajaratnam School of International Studies’ Centre of Excellence for National Security.
