And the award for most insecure government department goes to… the Ministry of Defence

The Ministry of Defence (MoD), the UK government department with the most insecure network according to a recent critical report, is to spend £3 million on hackers to help hunt down vulnerabilities.

A £3 million cybersecurity program sees the MoD expand its partnership with bug bounty platform HackerOne, which began in 2021. When that first agreement was signed, it was reported that an armed forces minister called it “an exciting new opportunity”. It was perhaps new to the government and the MoD, but other nations had already discovered the benefits of employing hackers to track down critical vulnerabilities in their networks. The US Department of Defense first contracted with HackerOne in 2016, and the “Hack the Army 2.0” event in 2020 saw 52 hackers expose 146 vulnerabilities.

The contract award notice states that: “The MOD’s networks and systems is a matter of national security and requires the continuous identification and remediation of vulnerabilities that can be exploited by malicious cyber actors.” That should, by rights, be a given. However, a recent report revealed that the MoD has “11 red-rated systems exposed to critical levels of risk,” which makes it the most vulnerable in all of Whitehall. Not that the others were great, it must be said, with 34 systems getting that worst-possible, red-rated score, according to The Telegraph newspaper.

However, the MoD is leaps and bounds ahead in terms of red-ratings and so way behind when it comes to cybersecurity: the Department for Work and Pensions (DWP) comes in second with six, and both the Home Office and Cabinet Office managed four each.


The experts’ view

Mark Jow, Technical Evangelist (EMEA) at Gigamon, says the findings highlight “the significant gap between where government cyber-resilience is now and where it needs to be”.

The problem, Jow says, is that government CISOs are dealing with siloed systems, including both legacy platforms and new hybrid digital environments. “These environments will remain the prime candidates for bad actors to exploit until these CISOs have the opportunity to get their house in order,” Jow warns.

He adds: “The challenge is that digital transformation is essential to driving the cost efficiencies and quality of service improvements that the governments need to drive in public sector organisations, but at the same time if security isn’t baked into projects from the start, this can unwittingly widen the public sector’s cyber-attack surface.”

And, just when you thought things couldn’t get any worse, The Independent reports that some 213 suspected thefts from the MoD occurred between December 2022 and 2023, with 153 items of “service equipment” confirmed stolen.

The list includes Xbox controllers, assault ladders, “several” bicycles, an iPad and night-vision scopes. It’s not the items themselves that are concerning, but that the Ministry of Defence isn’t as well defended as most people might think…

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
