UK MoD completes first-ever bug bounty exercise

The Ministry of Defence has, for the first time in its history, worked with ethical hackers to test and strengthen the cybersecurity of its network and estate of 750,000 devices.

Over the course of a 30-day exercise, 26 ethical hackers engaged through US-based bug bounty platform HackerOne were let loose on the MoD’s web-accessible systems to search for exploitable cybersecurity weaknesses.

“The Ministry of Defence has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said Christine Maxwell, Chief Information Security Officer for the Ministry of Defence. “It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

The exercise follows guidance published by the MoD in December 2020, which laid out restrictive guidelines for reporting vulnerabilities and affirmed that the department “will not seek prosecution of any security researcher who reports any security vulnerability on a MOD service or system, where the researcher has acted in good faith and in accordance with this disclosure policy”.

At the time, commentators expressed surprise that a similar process had not already been in place, pointing to similar bug bounty programs already in place in France, Singapore and the US, for example.

However, while bug bounties and the rewarding of ethical hacking have gained more mainstream acceptance in recent years, many organisations have historically not reacted well to being informed of vulnerabilities. Even in 2020, when the importance of cybersecurity had become abundantly clear, security researchers found themselves ignored and threatened with legal action for attempting to disclose vulnerabilities, and even organisations with bug bounty or vulnerability reporting programs were accused of ignoring disclosures.

And in the UK, the Computer Misuse Act of 1990 has represented a barrier to normalising penetration testing. A survey commissioned by techUK and the CyberUp Campaign found that 80% of cybersecurity professionals were worried about breaking the law in the course of their duties, with answers indicating that even within the cyber community there was considerable confusion about what counts as a criminal offence under the act. Approximately 40% said the Computer Misuse Act has been a barrier to fulfilling their duties and has prevented employees from proactively safeguarding against security breaches, and 91% felt that the law puts the UK at a competitive disadvantage.

Earlier this year, the government began work on reforming the act, and has set out a call for information. While this has yet to yield results, the MoD’s decision to embrace ethical hacking and penetration testing is a very positive indication.

“Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore,” said Marten Mickos, CEO of HackerOne. “Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the U.S. government making it mandatory for their federal civilian agencies this year. The U.K. MoD is leading the way in the U.K. government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.