Editorial

Ministry of Defence uses hackers to identify vulnerabilities in IT systems

“Hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats,” says MOD.

Posted 13 February 2024 by Christine Horton
The UK’s Ministry of Defence (MOD) has announced a significant expansion of its defensive security initiative with security firm HackerOne.

The original scope of the three-year-old programme included vulnerability disclosure and bug bounty programmes that used ethical hackers to secure the MOD’s digital assets. It has worked alongside more than 100 researchers from the ethical hacking community who have identified and helped fix vulnerabilities in the MOD’s computer systems.

Recent data shows the MOD’s IT systems are the most vulnerable of any Whitehall department.

“The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organisation-wide commitment to building a culture of transparency and collaboration to improve national security,” said Paul Joyce, vulnerability research project manager, UK Ministry of Defence. “Our hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats.”

On the back of the successful initial programme, the MOD has now broadened the scope of the vulnerability disclosure programme (VDP) to include a number of its key suppliers. The objective is to encourage best practices throughout the MOD’s supply chain and ultimately motivate them to implement their own VDP. The long-term goal is for all firms that partner with the MOD to run their own VDP.

“Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets,” said Christine Maxwell, CISO, UK Ministry of Defence. “Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

One hacker involved with the programme said testing on the MOD “is a fascinating challenge, and you never get bored.

“Being able to spend time with the team at the Defence Academy was a unique opportunity to learn more about how the MOD secures its systems. I know that when I find a bug in a government programme, I am directly impacting citizens, making their digital life a little bit safer, and that feels good.”

Identify and address vulnerabilities before they can be exploited

Cloud software-as-a-service collaboration platform provider Kahootz is an initial adopter of the MOD’s supplier VDP programme. Kahootz provides the secure cloud collaboration service the MOD uses to work collaboratively and share information securely.

“Kahootz’s VDP demonstrates our proactive commitment to promptly identifying and addressing potential security weaknesses to maintain the highest security standards for users,” said Peter Jackson, CTO of Kahootz.

“The VDP has enabled us to identify and address vulnerabilities before they can be exploited maliciously. Our collaboration with the UK MOD and HackerOne has facilitated knowledge sharing and best practices in cybersecurity, contributing to continuous improvement and increased confidence from our clients. We have developed a collaborative approach with the hackers on our programme that accelerates fixes, fosters trust, and enhances security.”

Bug bounty challenge

The expanded scope of the programme also included a first-of-type in-person bug bounty challenge at the MOD’s Defence Academy. The Academy provides advanced education and training to military personnel, civil servants, and individuals from various international partners. Fifteen top-performing hackers participated in the challenge to assess and enhance the Defence Academy’s security posture. They concentrated on “breaking down barriers, challenging norms, and demonstrating their skills and lateral thinking against a wide attack surface of both internet and non-internet-facing systems.”

Along with uncovering and advising on the remediation of vulnerabilities, the event also provided assurance on existing security measures through the use of storyboard reports that detailed the approaches and vectors the hackers tried, which were ultimately unsuccessful due to the defensive measures in place.

“The MOD’s work with the ethical hacking community provides benefits beyond the remediation of vulnerabilities and the improvement of security postures,” said Jason Gnaneswaran, cyber resilience programme manager, UK Ministry of Defence. “It enables the MOD to explore new security approaches, engage with different perspectives to enhance resilience, and has helped change the culture within the MOD around cybersecurity.”

“The UK MOD is a trailblazer in cybersecurity practices,” said Marten Mickos, CEO of HackerOne. “The MOD has enlisted the help of the most formidable defenders – ethical hackers – to solve security problems and outsmart threat actors. From the vulnerability disclosure programme to the live bug bounty challenge, hackers have helped the MOD find and fix vulnerabilities before adversaries can detect and exploit them.”
