For the first time, the Ministry of Defence has paid bounties to white hat hackers for discovering vulnerabilities in its computer networks in collaboration with US based organisation HackerOne.

The Ministry of Defence say that the 30-day challenge aimed to identify and fix vulnerabilities in cyber systems to strengthen security and to ensure better resilience.

“Bug Bounty programmes provide safe environments for experts to identify areas where security can be improved. The identification of real vulnerabilities by ethical hackers is rewarded and Defence cyber teams are working with the ethical hacking community whose expertise has been extremely valuable in finding and remediating vulnerabilities – ensuring better security across Defence’s networks and 750,000 devices.”

Minister for the Armed Forces James Heappey said:

“Bug bounty is an exciting new capability for the Ministry of Defence. Our cyber teams are collaborating with the ethical hacking community to identify and fix vulnerabilities in our systems, ensuring we’re more resilient and better protected. This work will contribute to better cyber and information security for the UK.”

Christine Maxwell, Ministry of Defence Chief Information Security Officer said:

“The Ministry of Defence has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process. It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

You can read more here.

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

8 COMMENTS

  1. “Ethical hacking community”? Remember the old “double agent” days… From my view any “hacking” is unethical, and as far as my limited tech knowledge goes, illegal. So any “hacker” caught is fair game for prosecution. Oh for the days of a dodgy Bowman and L1A1. This techy stuff reeks of Playstation 😎

    • Well, anyone with some understanding of computers can work through and try to find vulnerabilities; they don’t have to be a “hacker” per se. George is one example 🙂 e.g. no password to enter a critical system, default admin passwords not changed, password = “password”, through to more obscure TCP/IP level holes and gaps.

      If you look at the biggest scandals in the past 10 years, the whole Edward Snowden and the Iraq WikiLeaks affairs, they were all poor security/gaps/bad config regardless of whether you agree with the ethical reasons behind what was leaked. Snowden had full admin rights that he should not have had as much of, and the ability to save any data to a USB drive (gigabytes of it).

      Same for Chelsea Manning: he/she should not have been able to download all the footage of those events from a military server, but the usual controls that are supposed to be there were turned off as the “system was slow”.

      Now both of those events held governments to account and should be applauded, but from a security perspective they were massive gaping holes, and it was not difficult to find that you could do that. Hence the need for “white hats” 😀

  2. Some hackers spend years infiltrating and understanding network architectures, even buying old or proprietary equipment to identify weaknesses. Is 30 days enough to do anything other than superficial searches?

    • If they are competent, plenty of time to find the more obvious holes, but yes, it should be a continuing competition as per Google Bughunter or plenty of other examples in industry that do the same.

  3. The developers of the software should be the ones paying the bounty if it was found to be their bad coding and not a user error. It is crazy that developers like Microsoft, etc. have zero liability when it comes to their products. Until they are, they have no incentive to produce highly secure products.
    Also, the 2 leading hacker states, China and Russia, are never held accountable for the damage they do to Western IP and national security with their 24/7 hacking of our networks. It's like telling criminals there is no punishment for their crimes but please stop doing it. lol

  4. Been happening for years unofficially. A lot of the people used were idiot 18 year old hackers who either got caught, got girlfriends or realised they could set up software security companies and tender their knowledge and skills out for good money.

  5. S.W.M.B.O. suggested this idea to me years ago – ‘poacher turned gamekeeper’… Why has it taken the authorities so long to get round to doing this? Perhaps the legal people objected? We have had a few highly publicised cases going through the courts. It’s not so dissimilar to training officers to look at ways to attack their own dug-in positions.
