People are stupid; let’s ban the Internet
by Marc Bakker
THE Singapore government almost literally lit the Internet on fire last week by announcing that all civil servants would no longer be able to access the Internet from their work computers. As one might expect, the move has been almost universally panned. Most commentators have labelled this as a huge step back and I agree. If it stops there.
However, I have a feeling that this is but the first step in a longer process, which could well be a very smart and responsible move on the government’s part. I can see the torches flaring in the distance, along with the silhouette of pitchforks, but before you start flaming, hear me out for a moment.
Safe as banks
I used to work in banking, an industry known for its security both in times past and present. Good security takes into account digital security, physical security and human behaviour.
I was fortunate (and old) enough to have witnessed the corporate “discovery” of the Internet first-hand and I was young enough to be tasked with incorporating web-based services into our organisation. In those earlier days of the Internet, there were a lot of naysayers who preferred to stay offline. As a bank, security was always our highest priority and even back then, we all acknowledged that opening the company up to the Internet would bring with it increased security risks. Hence before we did anything, we consulted some of the world’s best security experts and what they told us was pretty mind-boggling.
First of all, I wouldn’t recommend talking to too many security experts in a row, because you are at serious risk of ending up living in the desert wearing a tin foil hat. The world is a scary place. Threats are everywhere. The key to good security is to minimise the risks while still being able to provide the services you need effectively. It’s always a trade-off: security versus functionality. For the really super risk-averse, the safest course of action is closing up shop and staying in bed all day – safe and stupid. That’s how the story has been spun by people who haven’t looked into it in adequate depth, and the lack of information from the Government’s side doesn’t help. But life is a little more complicated than that…
Sometimes less is more
Imagine that you had to create a secure system. What would be the biggest challenge? It always comes down to people. One of the things the security experts all agree on is that whatever security systems or processes you put in place, people will find a way to mess with them and I don’t just mean intentionally or maliciously. People will take shortcuts. Most of the progress that we’ve made as a society comes from people looking for more efficient ways to get things done with less effort (that’s how we got the electric toothbrush for example). So sure, you can build a system that is very secure, but due to the layers of restrictions, what you’ve just created is a giant puzzle for people to find (less secure) workarounds for in order to make their own lives easier. Hence the need to balance security with functionality. Incidentally, this is also why adding more layers of security, thereby adding more complexity to the system, can often counter-intuitively lead to more security issues.
Singapore is a smart nation filled with naive people, the likes of which have fallen for more than $4 million in parcel scams in the three short months of March, April and May 2016. This month alone we’ve seen two high profile scams: one involving DHL deliveries and another involving the impersonation of police officers. On a global scale we’ve seen what is probably the biggest data leak in history with the Panama Papers, and earlier this year a huge SWIFT exploit came to light.
What do all of these things have in common? Basically, people. While everyone is focusing on tightening digital security, phone scams essentially hack people. You may be surprised to learn that only a small fraction of hackers actually major in computers and coding. The bulk of hackers are talented social engineers – sort of like conmen. Cybersecurity expert John McAfee, of antivirus software fame, employs a team of 75 per cent social engineers and 25 per cent coders. Rather than trying to force their way into our phones and computers directly, scammers are using social engineering to just get us to hand over the information, because it’s more efficient and takes less effort. In the case of the Panama Papers hack and the SWIFT exploit, both involve insiders gaining access to information and then doing nefarious things with it. According to the KPMG Singapore Fraud Survey 2014, 58% of fraud incidents were perpetrated by employees. So who exactly should we be securing ourselves against, and how?
Oops I did it again
And for every deliberate security breach there are dozens of unintentional ones. Another older study by the Ponemon Institute found that 34% of data breaches were caused by negligent insiders. No nefarious intent, just complacency, laziness or whatever other dumb things people get up to naturally. And it’s not all digital either. A further 6% of breaches were caused by a failure to properly dispose of documents.
Be honest, have you ever written down a password or forgotten to pick up a copy from the printer or left documents on your desk before going to lunch? Congratulations! You’re a security risk! You’re also human though, so any data security process needs to take these very real human foibles into consideration. Not to mention that dealing with honest mistakes is a very different process from dealing with deliberate deception.
Don’t know what you got ’til it’s gone
So back to the government’s decision to take civil service systems offline. What if restricting access to the Internet was but a first step in a longer process? If you were going to build a more secure environment, how would you strike the balance between security and functionality? How would you know whether Internet access was absolutely essential to someone’s job or not? You couldn’t just ask people. They’d just swear up and down that yes, they absolutely cannot live without the Internet. Instead, what if you just turned it all off and observed what happened? Which departments would grind to a halt? Which ones can find workable workarounds? Which departments or functions are unaffected despite the loud protests? Once you have a better grasp of the scope of the real problem, it would be much easier to refine the rules, create a workable security framework and access rights, and reconnect non-essential or non-sensitive systems to the Internet on the basis of empirical evidence instead of speculation or whoever shouts the loudest.
Only time will tell
So, is it taking government departments a step backwards? Maybe it is. Or maybe it’s a first step on a bigger journey to create a more secure environment that takes into account all three prongs of the security arena: the physical, the digital and the human side.
Of course, this is merely speculation at this point. I’m hopeful, but I can see why others are not so optimistic. It would have been helpful for some spokespersons to step forward and correct any misconceptions about the plan’s goals and longer term intentions. Lost amidst the exaggerated claim that we’ve given up on the Internet is the question of where the final balance of this whole exercise will end up. Will civil servants simply live separate lives online and offline, or will we all be living in the desert wearing tin foil hats? Those are risks that we’re just going to have to take.
Alright, I’ve said my piece. Now… flame on!
The writer is the Marketing Director of Right Hook Communications, a boutique PR agency that pushes boundaries… and buttons.
If you like this article, Like The Middle Ground‘s Facebook Page as well!