Whatever you call it, this “Internet surfing separation” that the Singapore government is embarking on is going to impact thousands of public servants and many more citizens whom they serve.
And let’s call a spade a spade. Government agencies are expected to pull the plug on Internet access on 100,000 workstations by May next year.
Okay, employees can still surf the Web on separate devices – either their own or others given to them – but there’s no denying the productivity hit that comes with such a drastic change.
This is a story about managing risks. This is a chance for the government to educate the public about the risks, when cyber attacks are getting more sophisticated and disruptive.
Yet what is missing so far is an acknowledgement of the trade-offs and the reasons for them. This difficult part of the story is what government leaders have to tell to convince people to get onboard.
The change should not be seen as a move backwards because people can still access the Net, said David Koh, the chief executive officer of the Cyber Security Agency, in media reports today.
If several people in a department having to share a common Internet terminal to do their jobs isn’t going back in time to the late 1990s, what is?
Sure, technologies have improved. Today, you get Microsoft SharePoint and other “enterprise-grade” online services to share files, which public servants can still use. But are these services fool-proof? Will they protect against sophisticated hackers?
And since we are about shutting down the weak points, what about USB drives? Are they allowed or should they be outlawed across the board, so users cannot conveniently download reports on a Net terminal and plug a drive into a workstation?
Many questions will have to be answered in the months ahead and you hope, as a user of government services, that the authorities have thought through them thoroughly.
Because at a time when intruders are launching attacks via various online channels, through social engineering and turning to zero-day exploits – vulnerabilities that have not been publicised – you wonder if the best way is to turn off the Internet.
Are there alternatives? Here are some suggestions from a concerned citizen:
1. Do a thorough study on the impact
Cyber security is about managing risks. Has there been a thorough study done on how productivity will be affected? How many hours will be wasted by public servants copying and transferring files and Web addresses between a Net terminal and an offline workstation?
Don’t just take feedback and ignore it, either. Do a proper study with useful statistics. One of the biggest things about a smart nation is making decisions based on cold, hard facts, rather than rhetoric.
How many productive hours are lost with the new system, and how far does it realistically reduce the risks of an attack?
Member of Parliament Zaqy Mohamad, who chairs the Government Parliamentary Committee for Communications and Information, said it well in a Today story, when he suggested a study on the impact on productivity.
“I think if you have quite a lot of knowledge workers in the public service … what could be done is to look at whether there are other solutions,” he noted.
2. Calibrate the approach
Do what some experts are suggesting. Limit Internet access at agencies that have to be strict, for example, in defence or those managing critical infrastructure, like your power and water works.
Plus, there can be fine-grain control over who gets what access, instead of cutting everything off. Many governments do this, as do banks and other organisations handling sensitive information.
Identity and access control systems today can limit the information a user can gain access to, said security software firm Fortinet Asia-Pacific’s vice-president, George Chang, to The Straits Times.
3. Win over users
You are not Mr Popular when you are in charge of security, that’s a given. At the same time, you want users to buy in to what you’re doing, by explaining why things are done and coming to a decision after you have consulted the people who are impacted by it.
There’s a bigger purpose here, which is to safeguard citizens’ information. That is everyone’s responsibility, including rank-and-file officers. When you want people to take responsibility, you have to educate them.
It’s like telling a child not to climb up a chair or onto a table, without explaining that it could be dangerous. The moment you look away, he will have climbed up there and possibly landed on the floor already.
4. Don’t fall into a false sense of security
If it becomes so hard for people to do their jobs, they will find ways to short-circuit the system. Oh, like plugging in a USB drive when they’re not supposed to. Borrowing someone’s password to get a file quickly, perhaps.
Or worse, setting up an entire shadow IT department that forces administrators into a cat-and-mouse game with the people they are supposed to empower. When users don’t buy in, they become vulnerable targets.