Mindef to invite hackers to break into its Internet-connected systems to detect weaknesses

Servicemen at CyTEC at Stagmont Camp going through a mock cyber attack on Dec 12, 2017. ST PHOTO: ALPHONSUS CHERN

SINGAPORE - In a first for the Singapore Government, the Ministry of Defence (Mindef) will be inviting about 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems next year, in a bid to guard against ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of Mindef's Internet-facing systems, such as the Mindef website, the NS Portal and LearNet 2 Portal, a learning resource portal for trainees.

These registered hackers can earn cash rewards - or bounties - between $150 and $20,000, based on how critical the flaws discovered are. Called the Mindef Bug Bounty Programme, it will be the Government's first crowdsourced hacking programme.

This follows an incident earlier this year when Mindef discovered that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel through a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-Net system for Mindef and SAF personnel to connect to the Internet.

On Tuesday (Dec 12), defence cyber chief David Koh announced the new programme after a visit to the Cyber Defence Test and Evaluation Centre (CyTEC) - a cyber "live-firing range" where servicemen train against simulated cyber attacks - at Stagmont Camp in Choa Chu Kang.

On the significance of the "Hack Mindef" initiative, he told reporters: "The SAF is a highly networked force. How we conduct our military operations depends on networking across the army, navy, air force and the joint staff.

"Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems... Clearly, this is a fast-evolving environment and increasingly, you see that it is one that is of relevance to the defence and security domain."

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr Koh, who is also deputy secretary for special projects at Mindef.

"Some countries have begun to recognise cyber as a domain similar to air, land and sea. Some have even gone so far as to say that the next major conflict will see cyber activity as the first activity of a major conflict," he added.

Servicemen at the Cyber Defence Test and Evaluation Centre at Stagmont Camp on Dec 12, 2017. ST PHOTO: ALPHONSUS CHERN

While there will be some risks in inviting hackers to test the systems, such as an increase in website traffic and the chance that these "white hat" hackers will turn over discovered vulnerabilities to the dark Web, measures will be put in place.

"(If) we can't even manage the increase in traffic, that in itself would be a vulnerability that we would need to address," said Mr Koh.

White-hat hackers are those who break into protected systems to improve security, while black-hat hackers are malicious ones who aim to exploit flaws.

The programme conducted by US-based bug bounty company HackerOne is expected to cost about $100,000, depending on the bugs found. But Mr Koh noted that this would be less than hiring a dedicated vulnerability assessment team, which might cost up to a million dollars.

Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security Agency (CSA), said: "By embarking on a bug bounty programme, companies have the advantage of uncovering security vulnerabilities on their own by harnessing the collective intelligence and capabilities of these experts and addressing these vulnerabilities before the black hats do."

In a statement, he added that the CSA is currently in discussions with some of Singapore's 11 designated critical information infrastructure sectors which have expressed interest in exploring a similar programme for their public-facing systems.

Major Yiew Pei Ling (centre) taking defence cyber chief David Koh through a demonstration of a mock cyber attack at the Cyber Defence Test and Evaluation Centre at Stagmont Camp on Dec 12, 2017. ST PHOTO: ALPHONSUS CHERN

Large organisations, such as Facebook and the United States Department of Defence, have embarked on similar initiatives with some success.

For instance, a similar Hack the Pentagon programme, also conducted by HackerOne, was launched by the US defence department in 2016. A total of 138 bugs were found by more than a thousand individuals within three weeks.

The initiative caps a year in which Singapore has been gearing up for the battlefront in cyberspace.

In March, it was announced that the Defence Cyber Organisation will be set up to bolster Singapore's cyber defence, with a force of cyber defenders trained to help in this fight.
