Mindef to invite 300 hackers to test its cyber defences

ST VIDEO: ALPHONSUS CHERN

International and local hackers will try to locate vulnerabilities in its Internet-linked systems

In a first for the Government, the Ministry of Defence (Mindef) will be inviting about 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems next year, in a bid to guard against ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of Mindef's Internet-facing systems, such as the Mindef website, the NS Portal and LearNet 2 Portal, a learning resource portal for trainees.

These registered hackers can earn cash rewards - or bounties - of between $150 and $20,000, depending on how critical the flaws discovered are. Called the Mindef Bug Bounty Programme, it will be the Government's first crowdsourced hacking programme.

This follows an incident earlier this year when Mindef discovered that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel in a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-net system for Mindef and Singapore Armed Forces (SAF) personnel to connect to the Internet.

Yesterday, the new programme was announced by defence cyber chief David Koh after a visit to the Cyber Defence Test and Evaluation Centre - a cyber "live-firing range" where servicemen train against simulated cyber attacks - at Stagmont Camp in Choa Chu Kang.

On the significance of the "Hack Mindef" initiative, he told reporters: "The SAF is a highly networked force. How we conduct our military operations depends on networking across the army, navy, air force and the joint staff.

"Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems... Clearly, this is a fast-evolving environment and, increasingly, you see that it is one that is of relevance to the defence and security domain."

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr Koh, who is also the deputy secretary for special projects at Mindef.

Soldiers at a demonstration yesterday to show how they would handle cyber threats at the Cyber Defence Test and Evaluation Centre, a cyber "live-firing range" located at Stagmont Camp.
Soldiers at a demonstration yesterday to show how they would handle cyber threats at the Cyber Defence Test and Evaluation Centre, a cyber "live-firing range" located at Stagmont Camp. ST PHOTO: ALPHONSUS CHERN

EVOLVING THREATS

Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems... Clearly, this is a fast-evolving environment and, increasingly, you see that it is one that is of relevance to the defence and security domain.

DEFENCE CYBER CHIEF DAVID KOH

"Some countries have begun to recognise cyber as a domain similar to air, land and sea. Some have even gone so far as to say that the next major conflict will see cyber activity as the first activity of a major conflict," he added.

While there will be some risks in inviting hackers to test the systems, such as an increase in website traffic and the chance that these "white-hat" hackers will turn over discovered vulnerabilities to the dark Web, measures will be put in place to guard against this.

White-hat hackers break into protected systems to improve security, while black-hat hackers have nefarious intentions to exploit flaws.

The programme, conducted by US-based bug bounty company HackerOne, is expected to cost about $100,000, depending on the bugs uncovered. But Mr Koh noted that this would be less than the expense of hiring a dedicated vulnerability assessment team, which might cost up to a million dollars.

In a statement, Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security Agency, said the agency is currently in discussions with some of Singapore's 11 designated critical information infrastructure sectors, which have expressed interest in exploring a similar programme for their public-facing systems.

Such bug bounty programmes have been used by large organisations elsewhere, such as Facebook and the United States Department of Defence, with some success.

The initiative caps a year in which Singapore has been gearing up for the battlefront in cyberspace.

In March, it was announced that the Defence Cyber Organisation will be set up to bolster Singapore's cyber defence, with a force of cyber defenders trained to help in this fight.

A version of this article appeared in the print edition of The Straits Times on December 13, 2017, with the headline 'Mindef to invite 300 hackers to test its cyber defences'. Print Edition | Subscribe