Blocking the Internet isn’t the only – or best – way to combat cyber threats

June 9th, 2016 | by Alfred Siew
Blocking the Internet isn’t the only – or best – way to combat cyber threats
Enterprise
2

Bring Your Own Device concept with stitch style on fabric backgr

Whatever you call it, this “Internet surfing separation” that the Singapore government is embarking on is going to impact thousands of public servants and many more citizens whom they serve.

And let’s call a spade a spade. Government agencies are expected to pull the plug on Internet access on 100,000 workstations by May next year.

Okay, employees can still surf the Web on separate devices – either their own or others given to them – but there’s no denying the productivity hit that comes with such a drastic change.

This is a story about managing risks. This is a chance for the government to educate the public of the risks, when cyber attacks are getting more sophisticated and disruptive.

Yet, what are missing so far is an acknowledgement of the trade-offs and the reasons for them. This difficult part of the story is what government leaders have to tell to convince people to get onboard.

The change should not be seen as a move backwards because people can still access the Net, said David Koh, the chief executive officer of the Cyber Security Agency, in media reports today.

If several people in a department having to share a common Internet terminal to do their jobs isn’t going back in time to the late 1990s, what is?

Sure, technologies have improved. Today, you get Microsoft SharePoint and other “enterprise-grade” online services to share files, which public servants can still use. But are these services fool-proof? Will they protect against sophisticated hackers?

And since we are about shutting down the weak points, what about USB drives? Are they allowed or should they be outlawed across the board, so users cannot conveniently download reports on a Net terminal and plug a drive into a workstation?

Many questions will have to be answered in the months ahead and you hope, as a user of government services, that the authorities have thought through them thoroughly.

Because at a time when intruders are launching attacks via various online channels, through social engineering and turning to zero-day exploits – vulnerabilities that have not been publicised – you wonder if the best way is to turn off the Internet.

Are there alternatives? Here are some suggestions from a concerned citizen:

1. Do a thorough study on the impact

Cyber security is about managing risks. Has there been a thorough study done on how productivity will be affected? How many hours will be wasted by public servants copying and transferring files and Web addresses between a Net terminal and an offline workstation?

Don’t just take feedback and ignore it, either. Do a proper study with useful statistics. One of the biggest things about a smart nation is making decisions based on cold, hard facts, rather than rhetoric.

How many productive hours are lost with the new system, while realistically reducing the risks of an attack?

Member of Parliament Zaqy Mohamad, who chairs the Government Parliamentary Committee for Communications and Information, said it well in a Today story, when he suggested a study on the impact on productivity.

“I think if you have quite a lot of knowledge workers in the public service … what could be done is to look at whether there are other solutions,” he noted.

2. Calibrate the approach
Do what some experts are suggesting. Limit Internet access at agencies that have to be strict, for example, in defence or those managing critical infrastructure, like your power and water works.

Plus, there can be fine-grain control over who gets what access, instead of cutting everything off. Many governments do this, as do banks and other organisations handling sensitive information.

Identity and access control systems today can limit the information a user can gain access to, said security software firm Fortinet Asia-Pacific’s vice-president, George Chang, to The Straits Times.

3. Win over users

You are not Mr Popular when you are in charge of security, that’s a given. At the same time, you want users to buy in to what you’re doing, by explaining why things are done and coming to a decision after you have consulted the people who are impacted by it.

There’s a bigger purpose here, which is to safeguard citizens’ information. That is everyone’s responsibility, including rank-and-file officers. When you want people to take responsibility, you have to educate them.

It’s like telling a child not to climb up a chair or onto a table, without explaining that it could be dangerous. The moment you look away, he will have climbed up there and possibly landed on the floor already.

4. Don’t fall into a false sense of security
If it becomes so hard for people to do their jobs, they will find ways to short-circuit the system. Oh, like plugging in an USB drive when they’re not supposed to. Borrowing someone’s password to get a file quickly, perhaps.

Or worse, setting up an entire shadow IT department that forces administrators into a cat-and-mouse game with the people they are supposed to empower. When users don’t buy in, they become vulnerable targets.

Advertisements

2 Comments

  1. Sam Jin Young says:

    the move is not a blanket move in the first place. it is just the social media assuming it is because most of the people commenting on it are not even in the public service, or worse still lack IT knowledge. Furthermore, the information is disjointed because what the public knows are bits and pieces of rumors coming out of the public service and we are talking as if we are inside the public sector. For instance, didn’t they say that teacher’s will not be affected because their network are not connected to the servers they want to protect.

    With regards to USB device, what my friend in a ministry told me was that they have already been given special govt-issued USB devices which are secured. So they are only allowed to use these govt-issued USB devices.

    With regards to identity control, it is a good measure but it wont stop exfiltration though. Again, it is because we are not inside the public service and hence make wrong assumptions about the nature of the threats they are dealing with. In any case, certain govt ministries already have identity control systems in place. The most notable one is mindef. when i was in NS, i remember I need a special card to access the mindef computers. in any case, the most secured systems use a combination of identity access controls plus isolation of servers from the internet.

    Anyway, your headline dont really match your content. You haven’t really offered concrete alternative suggestions (apart from that short sentence on identity control). You are just offering thinking points for the govt to think over, but these are not suggestions.

    • Sam Jin Young says:

      what the govt is just doing is to create its own closed private network to run its internal operations and data storage. thats all. it isnt a doomsday scenario which people are describing it to be. But for someone without IT knowledge and think that internet is all about google, youtubes, facebook etc, it might appear to be a doomsday scenario.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.