Why Singapore defence asked 300 hackers to test its systems

By Chia Jie Lin

The Ministry of Defence and Defence Science and Technology Agency of Singapore won Best Risk at the recent GovInsider Innovation Awards for this approach.

In the Singapore Government’s first-ever bug bounty programme, the Ministry of Defence (MINDEF) and Defence Science and Technology Agency of Singapore (DSTA) invited 300 ethical hackers from around the world to test their internet-facing systems for vulnerabilities, or bugs.

During the bug bounty project, ethical hackers tested 25 e-services from MINDEF, which ranged from medical systems and web mail to administrative systems that support national servicemen in tasks like booking physical fitness tests. The programme offered cash rewards, or bounties, to hackers who discovered vulnerabilities in government systems.

The project won the Best Risk award, presented at the recent Innovation Labs World Summit hosted by GovInsider. Following its first successful run, the Singapore Government announced that it would launch a larger-scale version of the bug bounty programme for more selected government Internet-facing systems.

This crowdsourcing approach has allowed MINDEF to quickly and effectively find previously unidentified vulnerabilities and strengthen the security of its systems. Of the invited ethical hackers, over 160 were among the highest-ranking professional bug bounty hackers worldwide. The remaining 100 were hackers from Singapore. In its first run, the programme received a total of 97 vulnerability reports, of which 35 were assessed to be valid security vulnerabilities.

“All these are expressions of the new way of doing business, of collaborating – inviting more people around the world to test our systems so that we can find where the bugs are and deal with them,” Neo Kian Hong, MINDEF’s then-Permanent Secretary of Defence Development, told GovInsider earlier this June.

For civil servants, this programme was a big risk: opening up Singapore’s defence systems could attract increased hacking attempts from international hackers, both ethical and malicious, on critical infrastructure. Participating hackers could potentially exploit the discovered vulnerabilities or publish them online. The resultant data leaks could affect the daily operations of MINDEF and lead to the loss of public confidence in the ministry.

To mitigate these risks, MINDEF conducted additional vulnerability assessments on the systems on top of its regular security checks. It monitored systems traffic and performance, while reviewing its existing contingency measures for cybersecurity incidents.

The ministry set up a cross-departmental Technical Operation Centre (TOC) to coordinate the detection, validation, assessment and remediation of vulnerabilities. During and after the programme, the TOC also conducted extensive checks to ensure the data integrity of the systems was not compromised.