The review of government security measures to safeguard citizen data in Singapore seems to be getting off to a good start, with some useful measures reportedly in the works.
For starters, the entire public service will have to conform to a single common framework on how they handle such data, according to The Straits Times yesterday.
This is the biggest change that has to happen above all else. Previously, each government agency decided how it handled personal data and the inconsistency is obviously bad news when a data breach occurs.
Think about how the details of thousands of HIV patients could be simply downloaded onto an USB drive at the Ministry of Health and you get the picture.
The loophole to that breach has been plugged, but what about other agencies? Do they have similar policies in place? What kind of data is considered sensitive that requires a certain level of protection? This has to be consistent.
Now, a committee set up to review the previously piecemeal efforts has come up with some broad recommendations, chief of which is to have a common definition of what’s sensitive and how to protect such data.
Among the 13 measures it brought up yesterday are many that are already in place in private organisations that deal with personal data.
Think of encryption, for example. In future, this will be employed for highly sensitive data, such as HIV status, so that even if the data is stolen, it cannot be easily decoded and exposed.
Another measure is checking the integrity of data, to ensure that it is not altered while it is in transit, say, between computers or over the Net.
Again, this is nothing new for security-conscious private organisations and it should be a standard measure for government agencies that deal with, say, the medical or financial data of citizens.
Essentially, data protection has two aspects – protecting it from being accessed, tampered with or stolen while it is “at rest” (stored in a server) or “in transit” (transmitted over a network). Both of these should be the minimum that the likes of the tax agency or health ministry take up.
At the same time, the review committee, which is made up of both government ministers and private sector experts, should rethink this idea of “air gapping” computers, or cutting off Internet access, to them.
Right after the cyber attack on SingHealth last year, the government decided to cut off Internet access on many computers, which meant clinicians could not get the information they needed.
Sure, you can set up free Wireless@SG hotspots and force these legit users to use their own devices but is that a foolproof way to keep out hackers?
Air-gapped systems are not invulnerable, just to be sure, and while the legit users are being kept off the Internet, they become less productive switching between devices and transferring files between them.
A smart nation is not one where legit users are being DDoS’d or denied a service that they badly need to do their jobs. The approach has to be different.
For one, there have to be proactive measures to identify unusual or suspicious behavour in a system. Increasingly, this can only be carried out by artificial intelligence (AI), as systems become more complex.
If a user who usually doesn’t access a server does so after a couple of years and downloads all the files in it, the system should raise a red flag. He can be prompted to seek permission from a supervisor.
What’s heartening from yesterday’s announcement is that the committee is recommending ways to better respond to data incidents and to improve how it notifies and assists members of the public when a data breach occurs.
This is important because these breaches will occur, despite the best cyber defence. The question is how well people are notified and what remedies are available to them.
Clearly, what the Ministry of Health did earlier this year – only revealing a serious data breach years after it first found out – falls short on so many counts. There has to be more transparency.
While regulating private companies to protect users’ private data, the government also has to regulate itself – or appoint an independent panel to do so – to assure citizens their data is protected adequately.
Perhaps more importantly, more has to be done to educate the public of the shared risks and responsibilities of a smart nation.
Along with the convenience of sharing one’s data with a bank to apply for a credit card comes the risk of having that data stolen one day.
While it helps to have doctors retrieve your medical data easily, there is also a chance that the data could lost or stolen, despite the best efforts to safeguard it.
In a digital society, the government has to be a champion for citizens’ digital rights as well. As it reviews its own data protection measures, it should hold itself to a higher standard in terms of proficiency, transparency, accountability and, above all, trust.
Information on the new measures is still sketchy for now. When the committee makes formal recommendations to the prime minister in November, they should be nothing short of a sea change.
After all, how do you transform the government without transforming your security to meet new threats? How to be smart without being secure?