In a crisis, fear is sometimes as dangerous as the threat itself.
If more than a dozen Singapore government websites had actually been hacked yesterday afternoon, the agency involved in cyber security certainly won’t have helped matters by being so scant with information to the public.
In the end, the reason why the sites, which included ones for the Singapore Police Force and the Infocomm Development Authority (IDA) itself, went down was because “technical difficulties” resulted in maintenance that took longer than expected.
Throughout the afternoon, the IDA only put out two updates on its Facebook and Twitter feeds. The first one was a short one-liner. It hardly generated any confidence in the public.
Many believed the government was trying to cover up an embarrassing intrusion by The Messiah, a hacker or group of hackers who had earlier threatened such an attack.
Only later, when the sites seemed to be back up, did the IDA find it important enough to update people on what was going on. It said the maintenance was carried out on weekends and public holidays due to low expected website traffic.
There’s no good reason for IDA to lie. If the downed websites had been due to hackers, surely it won’t be able to cover up when the hackers later turn up to claim credit for the incident.
And indeed, Singaporeans should not be finding joy in government sites being shut down. These sites are paid for by taxpayers’ dollars and they exist to serve people here.
Disagreeing with the unpopular licensing of news sites – a cause seemingly taken up by the hackers – is not the same as agreeing to have national infrastructure taken down (read Bertha Henson’s excellent piece on Breakfast Network).
What’s more worrying, though, is the lack of responsiveness that Singapore’s authorities have displayed.
It’s strange that the IDA did not deem it fit to update people more regularly when so many sites were out of service. Not only were they unable to transact, say, on SingPass, they were also wondering if indeed a cyber attack had been carried out against government agencies, as part of a bigger wave of attacks.
The authorities surely have to do better to assuage the public. Understandably, if the maintenance work was carried out to beef up security, not much information may be shared. Perhaps, that was also why there wasn’t a notice to preempt the maintenance.
Still, there is no excuse for not updating for hours on what’s going on, while public anxiety is fuelled online. If indeed a real cyber attack had been carried out, how would the authorities respond?
Ironically, the IDA can look at the way SingTel updated its customers in the hours after a fire at a telephone exchange just weeks ago. Though the damage was way bigger, angering a lot more customers, at least they knew what was going on.
Indeed, when telcos botch up their networks, IDA fines them. Who regulates the regulator when it falls short?
And fall short, it definitely did this time. While there is speculation on why and how the sites could have been down, one thing is clear – this maintenance caused the sites to go down longer than expected.
That itself reflects badly on the nation’s cyber security efforts. “Self pwn” is the phrase that comes to mind when you bring down your own networks inadvertently.