10 Qs for the G about restricting Internet at work – & what it might say

Jun 09, 2016 10.29PM

by Daniel Yap and Wan Ting Koh

EVERYONE’S talking about the G’s move to restrict Internet access for people working in both ministries and agencies from next year. Is it really necessary? How bad could it get for the G to resort to such a drastic measure? How will civil and public servants be affected?

Here are 10 questions we have for the G, and how they might answer:

1. How much slower will the civil service function because of this move?

We often hear of public servants complaining that their workload is too heavy (of course, nobody complains that it is too light). It is well-known that teachers have hectic schedules. Surely these already-packed schedules will be worsened by the air-gap, no? Or will taking things offline force officers to cut down on busywork to survive?

What the G might say:

Any interruption is likely to be work-flow based and minor. If you’re fond of copying and pasting online content to your work emails, well, you can’t do that anymore. Different ministries and agencies will take the rest of the year to figure out how to work around this. Some will be more affected than others. The Education Ministry, for example, has already said that it won’t be restricting its teachers from using the Internet since they use it for teaching and learning purposes.

 

2. Was there an imminent or past cyber-threat that prompted this move?

Although it is probably safe to assume Singapore is being spied on at all times, was there any incident (domestic or foreign) that prompted this decision? There must have been pros and cons weighed. How did the scales finally tip this way?

What the G might say:

Or you could argue perhaps that it was only a matter of time before the G headed down this path. Just earlier this year, South Korea claimed that North Korea had tried to hack into the email of South Korean railway workers in an attempt to control the transport system.

Luckily, it was able to block the attack by closing the employees’ email accounts. In another incident, the mobile phones of 40 national security officials in South Korea were hacked. So you might say that there have already been plenty of examples that have led to this perhaps drastic move – even if none of them happened in Singapore.

3. Why apply this to ministries that may not be considered high-security?

The teaching service (although that brings to mind the “computer glitch” that delayed student ranking data recently), the Ministry of Social and Family Development, and Manpower Ministry may not be obvious high-value cyber targets. Was the decision to air-gap implemented across the board rather than calibrated based on more tailored risk/impact assessments?

What the G might say:

Well, it’s true that some ministries are not considered as high-security as others that hold, say, state secrets. But in general the G does have extremely sensitive information – about everyone, you included.

Take what happened last year in the United States for example. A total of 21.5 million people were involved in a massive breach of government computer systems which resulted in the theft of their personal information, including their social security numbers, their financial history, some fingerprints and even their health records.

While this is not state-sensitive information, these are still private details that no one wants in the hands of strangers who are probably up to no good, to put it mildly.

4. How severe would the effect of a cyber-attack on the G be, based on current systems?

The uniformed and essential services such as utilities already practise some degree of air-gapping. What risks is Singapore currently exposed to that might result in serious consequences due to a cyber attack? Most known cyber attacks these days do not have very severe consequences. What other consequences are there that we don’t hear much of?

What the G might say:

While Singapore has not been hit by major cyber attacks, it is not invulnerable to security threats. Security software firm Symantec’s Internet Security Threats reported last year that Singapore was the third most popular destination for spear-phishing, where crooks send emails that appear to come from a trusted source but in fact download malware or viruses to victims who click on the fake link.

We can also look to instances of cyber attacks in other countries to see just how bad it can get. Ukraine’s power grid was attacked by hackers in Russia, who cut off electricity to tens of thousands of people in December last year. The hackers also flooded the call centres of the power companies to prevent customers from reporting the outage.

5. What kinds of systems can be put in place to mitigate the negative effects of air-gapping?

We’ve heard very briefly about how workflow will change for civil servants after government computers go offline. What measures are in place to improve workflow in the new operating environment? Will Singapore develop new systems?

What the G might say:

While new systems have yet to be announced by the G, it has said that the agencies and data scientists will be coming together to decide on the possible measures to mitigate the inconveniences caused by the restrictions. Beginning from this year, the restrictions will be rolled out in phases to different groups of public and civil servants to ease them into their new workflow process.

 

6. What other cyber defence solutions were considered and rejected before deciding on this one?

Has any other technology or process been developed that can help with Singapore’s cyber security? Why were these inadequate?

What the G might say:

An alternative operating system perhaps? Why not upgrade our defences instead of doing away with the internet altogether? While this might seem intuitive, other factors come into play, such as cost. Constantly upgrading our systems to deal with evolving cyber security threats might cost up to billions of dollars, what with our sizable civil/public service sector. This would include having to constantly maintain those 100,000 computers to keep them virus-free.

Just look at how much we’ve spent on cybersecurity in the past years. In 2013, we spent $130 million on a plan to enhance the G’s cybersecurity in the face of a rising tide of global cyberattacks. Just last year, 10 per cent of the IT budget was spent on cybersecurity. This will likely rise if we were to keep upgrading our systems.

So you could say that either upgrading the system or switching to another will cost a lot of money. The question is, which is going to be more effective in preventing a cyber attack?

 

7. What cyber-attack capabilities do our adversaries have?

What can they do? How will they do it? Who are they exactly?

What the G might say:

Well, we can’t say who for sure. Presumably people from various backgrounds would like to hack into our systems to get their hands on information that may be beneficial to them, including state and non-state actors. They might be terrorists, trying to seek state ransoms to fund their activities, as was the case with the Hollywood Presbyterian Medical Center in Los Angeles, which had to fork out US$17,000 (S$22967.85) worth of bitcoin in ransom in February this year after hackers installed a virus that encrypted their files, leaving hospital employees unable to access health records. They might be students trying to bring down systems for lulz.

8. How prone are civil servants to security breaches?

Is there complacency or ignorance among civil servants when it comes to cyber security? Would such attitudes still place our government systems at risk even with air-gapping? Stuxnet infected Iran’s nuclear program even though it was offline.

What the G might say:

Complacency could definitely be a risk-factor. But sometimes it could be as easy as surfing the wrong website or clicking a false link sent to you via email. Surfing the wrong websites might make you susceptible to malware downloads.

The Cyber Security Agency of Singapore told TODAY that with the new restrictions, “the specific actions that are prohibited in this instance are actions that attackers want government employees to do, such as clicking on a link in a spear-phishing email, thereby allowing attackers to use the Internet surfing channels to exfiltrate stolen information.”

 

9. What about major contractors who handle sensitive projects for the G: Will they also be required to air gap their systems? Or do they already practise this?

NCS, for example, develops some of the software used by the military. ST’s group companies also work on high-security projects. What happens if they get attacked? Is there a need for them to conform to the same safety protocols?

What the G might say:

In general, contractors currently have their own instruction manual which they have to follow with regard to security measures. These manuals are updated periodically, and the next time they are, contractors might find themselves having to follow in the agencies’ footsteps as well.

 

10. Is this practice recommended for other industries?

If this is a good decision for the whole of the G, would that mean it is also a good practice for other industries or companies as well? Productivity loss by the G due to a cyber attack can be as bad as productivity loss from a cyber attack on the private sector. Are there real risks that Singapore’s companies and citizens face that we are unaware of?

What the G might say:

Currently for banks, telcos, and casinos, cutting off Internet access entirely is not common practice. Some banks give only some employees Internet access, all while blocking file-sharing sites, web-hosted email and pornography websites. But these companies also have a trove of personal details in their systems, so while the G can’t really tell them what to do, there may be cause for restricting Internet access to all but those who really need it. After all, since even Hollywood studio Sony Pictures Entertainment was hacked, who’s to say companies with more sensitive information, like banks, would not be?

 

Featured image by Natassya Diana.
