dambuster - stock.adobe.com

MoD ethical hacking programme expands after initial success

The Ministry of Defence has expanded the scope of its defensive security partnership with HackerOne

The Ministry of Defence (MoD) has revealed it has expanded an existing defensive security initiative with ethical hacking and penetration testing specialist HackerOne to include some of its key suppliers.

The original scope of the MoD’s defensive security programme included a vulnerability disclosure programme (VDP) paying out bug bounties through HackerOne, leveraging the creativity and expertise of the hacking community to help secure some of the UK government’s most critical digital assets.

Since its launch in 2021, more than 100 ethical hackers have been busy “attacking” the MoD’s systems, identifying and fixing vulnerabilities to enhance its cyber security posture.

“The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organisation-wide commitment to building a culture of transparency and collaboration to improve national security,” said Paul Joyce, vulnerability research project manager for the MoD. “Our hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats.”

MoD CISO Christine Maxwell added: “Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

The MoD hopes that by including key suppliers within the VDP, it can help encourage a trickle-down of best practices through its supply chain, and maybe implement their own programmes. It said its long-term goal was for all firms that it partners with to run their own VDPs.

Among the suppliers that has already been involved with the expanded programme is Kahootz, which supplies cloud software-as-a-service collaboration platform services to public and third sector organisations.

“Kahootz’s VDP demonstrates our proactive commitment to promptly identifying and addressing potential security weaknesses to maintain the highest security standards for users,” said Peter Jackson, the organisation’s CTO.

“The VDP has enabled us to identify and address vulnerabilities before they can be exploited maliciously. Our collaboration with the MoD and HackerOne has facilitated knowledge sharing and best practices in cyber security, contributing to continuous improvement and increased confidence from our clients.

“We have developed a collaborative approach with the hackers on our programme that accelerates fixes, fosters trust, and enhances security. Kahootz remains committed to strengthening our platform’s security through transparency and ongoing engagement with the security community,” added Jackson.

Marten Mickos, CEO of HackerOne, said: “The MoD is a trailblazer in cyber security practices. The MoD has enlisted the help of the most formidable defenders – ethical hackers – to solve security problems and outsmart threat actors. From the vulnerability disclosure programme to the live bug bounty challenge, hackers have helped the MoD find and fix vulnerabilities before adversaries can detect and exploit them.”

Defence Academy challenge

The expanded programme also included an in-person bug bounty challenge held at the MoD’s Defence Academy in Swindon. Some of the top-performing hackers working on the scheme, 15 in all, were invited to assess and enhance the Defence Academy’s security posture.

At the event, the hackers focused on demonstrating their skills sets and lateral thinking against a wide attack surface of internet and non-internet facing systems, as well as challenging old ways of thinking and breaking down barriers.

Besides uncovering and advising on a number of vulnerabilities – which cannot be disclosed here – the event also offered the MoD more assurance on its existing cyber measures through storyboard reports that detailed the approaches the hackers tried out. Many of these, said the MoD, were ultimately unsuccessful thanks to its existing defensive measures.

“Testing on the MoD is a fascinating challenge, and you never get bored,” said a hacker involved in the programme. “The MoD is forward-thinking in its approach to cyber security, and being able to spend time with the team at the Defence Academy was a unique opportunity to learn more about how the MoD secures its systems.

“I know that when I find a bug in a government programme, I am directly impacting citizens, making their digital life a little bit safer, and that feels good,” they said.

Read more about MoD IT

  • The Public Accounts Committee is concerned that the ageing and fragmented IT systems used in the MoD’s inventory management puts front-line forces at significant risk.
  • The MoD has been fined £350,000 by the ICO after an email blunder exposed data on Afghan nationals who had worked with British forces and were at risk of Taliban reprisals.
  • The UK’s Defence and Security Accelerator is running a ‘market exploration’ exercise on behalf of the Home Office to identify new facial-recognition capabilities for security and policing bodies in the UK.

Read more on Hackers and cybercrime prevention