It’s one of the most connected countries in the world, so news today of the Singapore government cutting off its public servants from the Internet at work would have come as a complete surprise.
The Straits Times had an exclusive this morning about the move to block off the Internet from the 100,000 computers used by the public service.
Already, trials had been carried out at the Infocomm Development Authority (IDA), as early as April, to tighten up security. Come May next year, public servants will have to turn to dedicated Internet terminals.
Responding to the story later today, the IDA has tried to reassure the public that these measures won’t stop officers from doing their jobs. And yes, they will still be able to exchange e-mail with the public.
Yet, therein lies the irony. E-mail has been a favourite channel for hackers to bypass the strongest of firewalls separating what’s inside an organisation and the big bad world outside.
Using elaborate “spear phishing” methods, a hacker would send customised and real-looking e-mails to victims in an organisation, say, by addressing a human resource manager by name and attaching a job application.
Along with a CV is a “payload” of malicious software that opens up the victim’s computer. All it takes is for the user to unwittingly open the document to give remote control of the PC to the hacker.
Once in, a hacker can steal information and take control of several PCs, one by one, until he reaches an account that gives him access to important network resources.
How a ban on Internet access will effectively cut out such risks is unclear. As long as you have some form of interaction with outsiders, be this a supplier or a member of the public, you have a link that can be exploited.
Yes, it’s harder without direct Internet access but it’s possible. Indeed, most of the strongest defences have been defeated via the weakest link, often third-party partners or customers, whose computers have been broken into earlier.
That is why some of the most secure systems have to be closed off from any network altogether. Military systems, for example, may not even allow you to connect a USB drive. But these are rare scenarios, where there’s a real need for such strict measures.
For government agencies that are seeking to more closely engage the public, it is unthinkable that the rank and file in the service cannot view the same webpages as the public they are serving. How do they know if their website is down?
I suspect the government will take a more nuanced approach, as it works out the kinks over the coming months. It seems impossible to have a drastic ban on Internet access without affecting the productivity of its employees and service quality to citizens.
Perhaps some users might be barred from surfing the Web, if their jobs did not require it. Others, say, corporate communications officers, will surely need to have a link to the outside world. How else would they know what people are saying about the government?
Perhaps more details will be shared in the days and weeks after this rather surprising development. Being pro-business, the Singapore government knows it can’t make it so hard for its own staff to do business with other people.
In my previous job, I recall a time when I had to use a shared PC to download pictures over the Net and save them on a Zip drive, before sending them to a network folder.
Not only was that troublesome, the practice was insecure. Malware could have spread from the terminal to my PC and to the rest of the network.
Of course, back then in the late 1990s, cyber attacks were not as sophisticated. Still, the same issue exists – people will find ways to bypass IT policies to get their jobs done. They will bring even greater security risks.
Some will try to copy files over devices. Others might even set up their own private networks to bypass what they have in the office.
This is called “shadow IT” for a good reason – the more IT administrators try to control them, the more users seek ways to overcome what appears to them as overbearing restrictions. They cause the most elaborate security measures to fail.
The cat-and-mouse game doesn’t benefit anyone. Far more useful is a way of letting users have more leeway in using devices at work, but controlling how these devices connect, say, over a secure, encrypted link.
Tellingly, many organisations today are preparing themselves for a security breach, rather than spending all their efforts to prevent one. They recognise that it’s impossible to block everything.
Using the Net comes with risks, and these risks come with doing business these days. Thus it’s puzzling to see how these risks are being managed in Singapore today.
In a smart nation, the focus has to be on finding a balance between information access and cyber security. It should not be about employees having to outsmart the system to do a job.