(source: posed photo from iStockphoto)
One of them has been charged in court. Another five are being questioned.
The spotlight is now on the suspects for the recent spade of hacking, after a fortnight spent wondering what’s the next website to be hit or whether “planned maintenance” was a cover-up for an embarrassing failure in cyber defence.
Were they highly-skilled hackers? Or just script kiddies, using readily-available online tools?
Perhaps the better question to ask, if we go beyond the sure-to-be-colourful headlines, would be whether Singapore is well prepared for a full-on cyber assault. Who could launch that? Perhaps a large group of hackers, or perhaps even a foreign government.
If that happens, is there enough deep cyber security expertise here to ward off the attacks?
Though Singapore is home to a number of cyber security centres, including the Interpol’s, only one per cent of the infocomm professionals here are security experts. It’s an area that the government hopes to improve on.
It can certainly do that by re-looking the direction it has nudged the industry towards in recent years. For starters, there has to be a focus on deep infocomm skills, learned from everyday experience.
In 2006, when the government formed a vision of the sector for the next decade, there was a desire to produce “techno-strategists” and “technologists”.
The first type, in essence, are business-oriented, while still having some technical skills. They help clients roll out projects, say, to offer a new service. They are project managers, solving business problems with technology, but not always the ones with their hands full of code.
The second type, the “technologists”, are deeply involved in cutting-edge R&D. They will produce the early DNA for the next big thing in infocomm. Everyday issues may not concern them as they seek innovative answers to big problems.
Today, what seems lacking are the battle-hardened code warriors, the experienced network engineers who begin their careers doing the boring stuff – administering a Windows server or installing a boring Exchange mail server for customers.
Want to know how to secure a server? Sure, first you need to know how to run it properly. Want to manage a project? Can you write the first line of code?
Today, those inconvenient questions on competency are easily brushed aside. Blame it on outsourcing.
This “dirty job” of administering servers and running patches is seen as a dead end, and thus outsourced to the cheapest vendor out there. If that’s not possible, hire a team of foreigners who can do the same job without complaining about career projects, as many Singaporeans are known to do.
At the end of the day, the chief information officer (CIO) or IT manager may not even need to know much about his company’s computing resources, much less secure them. After all, his main job is often to satisfy the bosses’ requirements for saving costs and perhaps driving more efficient processes.
The problem isn’t with the industry alone.
The emphasis in recent years, especially in tertiary institutions, has been to make graduates immediately marketable, and one goal has been to mix business and marketing in the technical curriculum. The emphasis is often on business savvy over technical know-how.
After all, who wants to churn code out when there are so many others from China, India, Malaysia or the Philippines who can come up with the same “grunt work” at a low, low price? Why even go into IT in the first place? Look at the banking graduates driving their new Beemers.
One “career path” often joked about, but taken somewhat seriously, is to get into an IT management role in a bank then outsource the dirty work to vendors, sit back and enjoy a Dilbert moment every day.
Now, when that dirty work is cyber security, there is a problem. It’s an area where you can’t be an expert without getting your hands dirty. Yes, there are security solutions out there to tap on, but it is important to know your own servers well. How can you secure your home if you don’t know where the holes are in your fences?
Similarly, when it comes to defending national infrastructure, it pays to have a ready pool of experts, with actual hands-on experience.
This work cannot be easily outsourced, since it may involve getting access to sensitive information, say, military secrets. A Singaporean core, to borrow the government’s term, may be needed in such as an operation.
The question is whether there are enough people for this here. The challenge will be getting people interested in the grunt work early in their careers so they can develop from there. Their deep expertise will be much needed in the years ahead.