By Benjamin Ang*

Today 

21 Dec 2017

The Ministry of Defence’s announcement last week that it has engaged an international company to get 300 whitehat hackers to test the ministry’s major internet-facing systems for vulnerabilities has elicited many responses online.

Contrary to comments circulating on social media, Mindef’s Bug Bounty Programme is neither a crazy risk nor a cunning ploy to trap hackers.

In fact, such an initiative can be useful for other organizations – if executed correctly.

A bug bounty program is an arrangement where security researchers can receive recognition and payment (‘bounty’) for discovering and reporting security flaws or vulnerabilities in websites or software (‘bugs’) that could otherwise be exploited by cyber attackers or cybercriminals.

These security researchers are called ‘white hat hackers’ because, although they use their skills to gain access to computer systems, their intentions are honorable.

To anyone outside the cybersecurity field, the idea of rewarding people for finding your security flaws may sound crazy. But a bug bounty program takes advantage of crowdsourcing to tap on a wide range of researchers with different tools and techniques, who can find security flaws that a single organization cannot find on its own.

Although this is the first time a Singapore Government agency is engaging in such an exercise, Mindef follows in the footsteps of the successful United States Department of Defense (US DoD) 2016 bug bounty program called “Hack the Pentagon”.

Bug bounty programs are more established in the private sector, where companies like Facebook, Google, and Microsoft offer rewards of up to US$250,000 (S$336,600) to security researchers who discover and disclose major security flaws in their software.

These organizations are willing to offer these rewards, because they can identify security flaws and prevent cybersecurity breaches that would otherwise cost them much more in reputation and financial losses.

Critics of bug bounty programs say that they would heighten the risk of a company getting hacked by ‘black hat’ hackers, that is, those with criminal intent. But organizations that embrace bug bounty programs recognize that they are already at risk: ‘black hat’ hackers are already trying to hack into their systems, and are not waiting for invitations or programs to encourage them.

Other organizations can take their cue from Mindef. If its program is successful, it is likely that companies in the 11 designated critical information infrastructure sectors (companies providing essential services like power, transport, health care and telecommunications) might do the same for their public-facing systems.

This may in turn encourage more public sector and private sector organizations to consider such programs. Some scholars have even suggested that bug bounties should be a corporate governance best practice, because they provide an objective and independent report system for management.

Before embarking on any bug bounty program, an organization should consider how it will handle logistics issues such as managing a sudden influx of reports, verifying that reported bugs are genuine, avoiding false alarms in its own security monitoring once researchers start probing, and preventing researchers from accidentally disclosing sensitive information they come across. Organizations also need to provide rewards that are adequate to compensate researchers for their time and effort. In short, a bug bounty program requires a significant investment of time and money in order to be successful.

Mindef and US DoD chose a trusted external vendor to manage their bug bounty programs and to deal with these issues.

Mindef describes its partner HackerOne as “a reputable international bug bounty company”.

An experienced bug bounty organizer does not come cheap, but it can assemble a select group of experienced researchers, and set explicit limits for the project, such as which systems are off limits, and what types of actions are not allowed.

BUILDING A COMMUNICATION LINK

Regardless of whether an organization chooses to implement a bug bounty or not, all organizations should provide channels for security researchers to safely communicate potential security flaws to them, and to give feedback on cybersecurity lapses, without fear of prosecution.

When the US DoD implemented the ‘Hack the Pentagon’ program, they discovered that security researchers had already found security flaws in their systems, but there was no legal channel for them to report these flaws.

This is also an issue in Singapore. Uninvited security researchers who discover security flaws in an organization’s systems, whether intentionally, accidentally or serendipitously, may technically be committing the offence of unauthorized access under the Computer Misuse and Cybersecurity Act. Local security researchers tell me they are reluctant to report security flaws that they discover because there have been instances where the organizations concerned reacted badly against the bearers of bad news, and in one case even reported the researcher to the police.

These organizations have been short-sighted, and have lost useful allies in the quest for better security.

On the other hand, organizations who encourage security researchers to safely communicate potential security flaws, without fear of criminal prosecution, can build relationships that can serve them well in the future.

Microsoft’s bug bounty program leaders recognize the importance of these relationships. In addition to making payments, they also engage security researchers in national and regional events, give recognition, and build a community that they can trust.

To be sure, a bug bounty program is not targeted at cyber criminals who tend to be interested in far greater financial gains. Instead, bug bounties should be an incentive for doing the right thing, and a way for white hat hackers to do what they enjoy – hacking into websites – legally.

While some security researchers are motivated by the monetary incentives, others seek recognition or ranking points, which in turn can lead to lucrative projects or employment.

Mindef’s move could mark a turning point in the relationship between organizations here and white hat hackers, thereby opening up opportunities to build a more secure cyberspace for Singapore.

*Benjamin Ang is Senior Fellow and Head of the Cyber and Homeland Defence Programme at the S. Rajaratnam School of International Studies’ Centre of Excellence for National Security.

(source:http://www.todayonline.com/commentary/why-mindefs-move-engage-white-hat-hackers-may-pay)