Ethical Hackers to Identify Holes in UK Cyber Defences
In a first for Britain’s MoD, 26 ‘ethical hackers’ have recently taken part in a 30-day challenge aimed at identifying and fixing vulnerabilities in cyber systems – to strengthen security and improve resilience.
Without wishing to level any accusations or be pejorative in any way, the idea of using people who have the experience, knowledge, ability and motivation to hack official systems, with the objective of observing their methodologies and learning lessons that can be used to strengthen defences, is an excellent one. It is not necessarily a brand new idea, but it is an effective one. In this instance, the ‘Bug Bounty’ programme was conducted in conjunction with US-based HackerOne.
“Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore […] Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year. The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example,” commented Marten Mickos, the organisation’s CEO.
Bug Bounty programmes provide safe environments for experts to identify areas where security can be improved. The identification of real vulnerabilities by ethical hackers is rewarded, and Defence cyber teams are working with the ethical hacking community, whose expertise has been extremely valuable in finding and remediating vulnerabilities, ensuring better security across Defence’s networks and 750,000 devices. MoD will continue to make use of the Bug Bounty expertise, in addition to other capabilities available to ensure cyber security and resilience. MoD cyber security efforts reinforce the UK Government strategy for cross-department resilience and security, and lessons learned by Defence are shared with partners.
In the Integrated Review published earlier this year, the government committed to a more robust position on security and resilience, ensuring that lives and livelihoods are protected from those who may wish to do us harm. This challenge is part of wider plans to ensure transparency and collaborate with partners to improve national security.
“The [MoD] has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process […] It is important for us to continue to push the boundaries with our digital and cyber development, to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience,” explained MoD Chief Information Security Officer, Christine Maxwell.