Delinking govt computers from the Net: Consistent approach needed

Delinking govt computers from the Net: Consistent approach needed

Last month, the Singapore Government made the surprising announcement to "cut off" Internet access for the 100,000 machines used by public servants for their daily work by May next year.

Public servants can continue to access the Internet using their personal devices and specific machines sitting on a segregated network, thus adding a layer of physical defence to the Government's infocomm network.

Depending on who you speak to, this move was met with ridicule, scepticism and bewilderment; others hailed it as visionary and expected other governments globally to follow suit.

As Singapore pushes towards the audacious ambition to be the world's first true smart nation, only time will tell if the "cut-off" move is in the right direction towards making Singapore a truly "secured" smart nation.

Parliament last week debated the Internet delink issue.

While the debate answered some questions, two important questions beg a reply: how the "cut-off" move is part of a bigger strategy, and if it represents a policy shift in the way the Singapore Government tackles the cyber-security challenge.

In April, Dr Yaacob Ibrahim, the Minister for Communications and Information, announced that a new Cybersecurity Bill will be tabled next year to increase pressure on operators within Singapore's critical information infrastructure (CII). With the Government's Internet delink move, what more can we expect in next year's laws?

In 2013, Singapore passed amendments to the 20-year-old Computer Misuse Act, granting the Government enhanced powers to counter cyber threats against Singapore's national security and essential services.

Key sectors affected include energy, water, finance and banking, government, healthcare, information communication, security and emergency services, and transportation.

Given that CII is a prime target of cyber attacks, the 2013 rules were considered critical, to protect the nation's security, economy, public health and safety.

Beyond the public sector, what is the implication for private sector companies providing essential services? Should Internet access also be restricted to the extent implemented by the public sector?

This is a question that the healthcare, transport, and finance and banking sectors will be asking, against the backdrop of explosive investment and growth in health tech, transport tech and fintech, initiatives driven by the Singapore Government no less.

Should the ministries of health, transport and finance, and regulatory authorities start to issue new directives, amend industry standards or "encourage" this paradigm shift?

If we are to be consistent in our policymaking, we would expect that all private companies in the essential services sector be mandated to take a similar approach.

Interestingly, a few weeks after the Internet delink announcement, DBS announced the adoption of Microsoft's public cloud solution to create a more "fintech-like" workforce. This is different in spirit as it closely links business processes into the Internet instead of moving further away.

In a television interview on the Government's move, Mr Chai Chin Loon, the director of the Cyber Security Group at the Infocomm Development Authority of Singapore, cited the example of the United States Office of Personnel Management's (OPM) breach last year, which affected 22.1 million people. What is noteworthy about that breach was how the hackers broke in using credentials stolen from a third-party contractor.

Now with the Government restricting Internet access, would third-party service providers also be required to meet the same level of stringent security control? Does this fundamentally change how the Government will engage with the broader ecosystem going forward?

Since security is only as strong as the weakest link, we would expect a consistent approach for the whole government supply chain, which, in the connected economy, consists of an interconnected and interdependent network of service providers.

The domino effect cannot be underestimated.

In March, the US Department of Defence invited more than 1,400 vetted security researchers from the hacking community to "Hack the Pentagon" websites.

The programme successfully uncovered 138 security vulnerabilities. Not only was this programme more effective than traditional approaches, it cost just US$150,000 (S$202,160) but, as the US Defence Secretary put it: "It's not a small sum. But if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than US$1 million."

At the end of the day, it is sometimes important to move backwards, just to move forward. However, this is only effective if this is accompanied by a holistic strategy made up of proactive measures that move the needle a lot. Otherwise, it is impossible to move forward.

- Lim Wei Chieh is the CEO of Swarmnetics, a Singapore company that helps organisations find security weaknesses by harnessing the expertise of the global White Hat community.

This article was first published on July 19, 2016.
Get a copy of The Straits Times or go to for more stories.

This website is best viewed using the latest versions of web browsers.