Why the UK Ministry of Defence is teaming up with HackerOne to bolster security
The MoD is expanding its vulnerability disclosure program, carried out with ethical hacking outfit HackerOne, in a bid to ramp up operational resilience
The UK’s Ministry of Defence (MoD) is expanding its defensive security arrangement with HackerOne following concerns over cyber resilience.
The original scope of the program, launched in 2021, covered vulnerability disclosure and bug bounty programs aimed at securing the MoD's digital assets through ethical hacking.
Since then, according to HackerOne, more than 100 researchers drawn from the ethical hacking community have identified and helped to fix a number of vulnerabilities in the MoD’s computer systems.
"The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organization-wide commitment to building a culture of transparency and collaboration to improve national security," said Paul Joyce, vulnerability research project manager at the MoD.
"Our hacker partners are helping us to identify areas where we need to strengthen our defenses and protect our critical digital assets from malicious threats."
The expanded agreement now includes a number of the MoD's key suppliers, with the aim of encouraging best practices throughout the MoD’s supply chain.
Long-term, the defense department hopes to motivate suppliers to bolster their own vulnerability disclosure programs and create a safer environment.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
One MoD supplier taking part, SaaS collaboration platform provider Kahootz, said the program has already enabled it to identify and address vulnerabilities before they could be exploited maliciously.
"Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets," said Christine Maxwell, CISO and the MoD.
"Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience."
The new program has already included an in-person bug bounty challenge at the MoD’s Defence Academy, which gives advanced education and training to military personnel, civil servants and individuals from a number of international partners.
Fifteen top-performing hackers took part, concentrating on breaking down barriers, challenging norms, and demonstrating their skills and lateral thinking against a wide attack surface of both internet and non-internet-facing systems.
It was a reassuring event, HackerOne said, with the hackers failing to breach existing security measures.
"Testing on the MOD is a fascinating challenge, and you never get bored," according to one hacker involved in the program. "The MOD is forward-thinking in its approach to cyber security, and being able to spend time with the team at the Defence Academy was a unique opportunity to learn more about how the MoD secures its systems."
Inside the MoD’s sharpened security focus
The MoD has been ramping up its efforts over operational security and resilience since 2022, when it introduced a new 'secure by design' strategy that it said should make it resilient to "all known cyber security vulnerabilities" and attack methods by 2030.
However, despite this, the department has experienced some notable security blunders in recent months. In September 2023, thousands of pages of sensitive information were leaked by the notorious LockBit ransomware gang.
Meanwhile, a report in January raised concerns that the MoD had the most vulnerable IT systems in Whitehall, with 11 systems 'red rated'.
Labour MP Matt Rodda described the state of the MoD’s IT systems as “utterly unacceptable” and called for a greater focus on modernization at both the defense department and other government divisions.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.