SINGAPORE, Dec 12 — In a first for a government agency here, hackers will be invited to put the Ministry of Defence’s (Mindef) public-facing systems — including the National Service (NS) Portal — to the test, in order to expose vulnerabilities.

The move, announced by Mindef’s defence cyber chief David Koh today, will involve 300 or so "white-hat” hackers — computer-security specialists whose role is to break into protected systems and networks to test their security, before hackers with malicious intent strike.

The Cyber Security Agency of Singapore is also in talks with some of the 11 critical information infrastructure (CII) sectors which have expressed interest in exploring a similar programme for their public-facing systems, its deputy chief executive for development Teo Chin Hock said in a statement. CII sectors include infocomm, land transport and water.

Under Mindef’s programme, hackers will receive "bounties”, or rewards, for bringing to light "valid and unique” vulnerabilities.

These can be anywhere from S$150 (RM455) to S$20,000, going by programmes run previously by global bug-bounty company HackerOne, which Mindef has engaged to run its programme from January 15 to February 4.

The rewards will hinge on the number and quality of the vulnerabilities exposed, and are expected to cost significantly less than working with a commercial cyber-security vulnerability-assessment team, Mindef said.

While such commercial programmes can cost up to S$1 million, Mindef’s new bug-bounty initiative is estimated to cost about S$100,000, said Koh.

Eight of Mindef’s internet-facing systems — including the Mindef, Defence Science and Technology Agency and Central Manpower Base websites, and the NS Portal — will be part of the exercise.

It will not involve the Singapore Armed Forces’ operational systems, which are not public-facing.

The United States-based HackerOne has run similar programmes for government agencies elsewhere, including the US Department of Defence, and corporate giants Intel and Twitter.

The pilot initiative at the US Department of Defence, which ran from April to May last year with five public-facing websites, turned up nearly 140 vulnerabilities. A total of US$75,000 was paid out in rewards to hackers.

That programme was later expanded to cover measures such as a vulnerability-disclosure policy for the US government department, allowing hackers to report potential cyber loopholes.

More than 2,800 vulnerabilities have since been resolved through those disclosures — of which over 100 were of "high or critical severity”, including Structured Query Language injections (attacks that could result in data being stolen) and ways to bypass authentication, HackerOne said on its website.

Calling the cyber space a "new battlefront”, Mindef said Singapore was exposed constantly to the rising risk of cyberattacks, and the ministry was an "attractive target” for malicious cyber activity.

"As hackers with malicious intent find new methods to breach networks, Mindef must constantly evolve and improve its defences against cyber threats,” it added.

Koh, the ministry’s defence cyber chief who also helms the Cyber Security Agency of Singapore, said it was virtually impossible to secure modern computer software systems completely, with new vulnerabilities being unearthed daily.

No agency, he added, can keep up on its own amid the fast-changing cyber landscape.

In February this year, Mindef was dealt its first cyber-security breach when the personal details of 850 national servicemen and staff members were stolen in a cyberattack.

The breach of Mindef’s internal I-net system, which gives national servicemen and employees Internet access for their personal communication and web surfing, was executed remotely over the Internet.

No classified military data was lost, but as a precaution, Mindef checked all its other computer systems in the wake of the breach. — TODAY