The Ministry of Defence (Mindef) revealed last week that hackers exploited a vulnerability in its I-net system early last month and stole the personal data of around 850 national servicemen and employees, including NRIC numbers, telephone numbers and dates of birth.

Mindef added that its investigations did not detect any compromise of sensitive military systems or breach of classified information, as the I-net system, which is connected to the Internet, sits on a physically separate network.

National servicemen, Mindef employees and Singapore Armed Forces personnel use the I-net to access the Internet for personal communications and Web surfing.

Today, both public and private sector organisations are under constant cyber attacks by hackers seeking to cause harm, to steal valuable information, or manipulate financial transactions and markets.

Cyber security experts like to espouse the cliche that it's not if, but when, an organisation will be hacked.

While this is a somewhat defeatist point of view, it points to the simple fact that most organisations have cyber security weaknesses that can be easily exploited by cyber criminals; hacking is a lot more cost effective than breaking down the physical front door. The cyber criminals do their maths too.

The cyber attack on Mindef is a sobering backdrop for the Government's latest Budget announcement to set aside over $80 million to support the Go Digital Programme for small and medium-sized enterprises (SMEs). The success of the programme will mean even more organisations setting up an online presence and perhaps even doing e-commerce.

All this begs the question: Are the SMEs ready for the threats in cyberspace? Would they invest solely in digital capabilities and neglect the critical cyber security and data protection aspects?



A simulated cyber attack at Mindef's Cyber Test and Evaluation Centre last month. Singapore, like any other sovereign nation, faces unprecedented cyber risks that can only increase. To tackle such challenges, we have to think outside the box and recognise that no one mind or one single group of individuals will have all the solutions, says the writer. ST PHOTO: SEAH KWANG PENG



So how can Singapore improve its cyber security, the way our nation continually upgrades and improves our armed forces? The recent Mindef announcement on the setting up of a cyber command to enhance Singapore's defence against cyber attacks is a good start. Indeed, having soldiers guard our cyber territory is as critical as having them guard our land.

While setting up such a unit is a good start, I would like to suggest another way for Singapore to protect its precious cyber resources.

In April last year, the US Department of Defence (DoD) conducted a bold experiment to crowdsource independent hackers from the White Hat community to participate in its "Hack the Pentagon" initiative. This approach is commonly called a "bug bounty" where participants get paid for reporting security bugs. Such programmes have been successfully implemented by tech companies such as Google, Facebook and Uber, as well as non-tech sector companies including Western Union, United Airlines and General Motors. Facebook, for example, has paid out more than US$5 million (S$7 million) over the last five years for more than 900 security bugs.

The "Hack the Pentagon" programme attracted more than 1,400 vetted participants who attempted to find security bugs on five US DoD websites. The result? In four weeks, the programme identified 138 security bugs, with the first report submitted just 13 minutes after the opening bell.

Then US Defence Secretary Ash Carter spoke about the programme's "considerable success" and highlighted the significant cost savings, despite a price tag of US$150,000 - "if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than US$1 million".

This was followed by a "Hack the Army" programme last November. Somewhat unexpectedly, a security researcher managed to exploit a chain of vulnerabilities to go from a public army website on the Internet into an internal DoD system that usually required special access credentials.

In addition to this critical security flaw - and perhaps more surprisingly - the "intrusion" did not set off any alarm bells and the Pentagon personnel started scrambling only after they had been told by the security researcher.

This is a stark reminder for us that while Singapore seeks to delink Internet access from the work computers of public servants, we need to ensure flawless design and execution.

At the conclusion of the "Hack the Army" programme, the DoD paid out US$100,000 for 118 security bugs. By the way, the first security bug was reported within five minutes of the programme launch.

It is instructive to note that the DoD saw the need to carry out the "Hack the Army" and "Hack the Pentagon" exercises, despite a US$19 billion US cyber security budget to support a robust cyber defence programme.

More importantly, the DoD took the bold step to rethink its approach and, by so doing, reaped significant benefits at a fraction of the usual cost. This approach allows the DoD to achieve a process of continuous and pervasive vulnerability detection, instead of a one-off yearly exercise. It also enables the defence organisation to tap the skills of hackers, instead of just entrusting any specific group to guard the DoD's cyberspace.

In June last year, the DoD announced that it is embarking on three follow-on initiatives: to allow anyone to disclose vulnerabilities to the DoD without fear of prosecution; to expand the bug bounty programme to other areas of the DoD; and to provide incentives for defence contractors that adopt the same bug bounty approach. This is truly forward looking for a normally conservative government defence agency.

Singapore, like any other sovereign nation, is faced with unprecedented cyber risks that can only increase. To tackle such challenges, we have to think outside the box and recognise that no one mind or one single group of individuals will have all the solutions.

While it is often difficult to prevent or predict when cyber attacks will happen, perhaps our best bet may be to work towards a cyber security programme that identifies and fixes security bugs in a continual and pervasive manner. Singapore must continue to take the leadership position in this region just as it has always led on major issues.