Home Front

Delinking Internet access for public servants: Too much of a security blanket?

Could there have been a more calibrated approach to reducing public servants' Internet access? After all, banks have not been this sweeping in their approach

Separating Web surfing from computers that are plugged into classified information systems is a practice entrenched in many operations, including those in the banking sector and the military.

Yet, a heated online debate ensued, with keen interest shown by international media, after The Straits Times reported last Wednesday on the Singapore Government's impending move to hive off Web surfing from public servants' work computers.

The move, which will take effect next May across 100,000 computers, is aimed at plugging potential leaks from work e-mail and shared documents amid heightened security threats.

It is particularly striking in its breadth. Everyone in the public service - except teachers, as they are plugged into a separate internal network - will be affected.

Public servants who need to surf the Internet for work will get to do so on dedicated Internet terminals, which will be provided. Public servants can also surf on their personal mobile devices, and forward non-classified e-mail from their work computers to personal accounts.

In adopting such a sweeping policy, Singapore is outdone only by Russia, whose intelligence services in 2013 went back to using manual typewriters to thwart alleged spying by the United States.


ST ILLUSTRATION: MANNY FRANCISCO

The German government had also reportedly said it was considering going back to typewriters and ditching e-mail completely for the same reason. The suggestion was met with strong opposition from parliamentary committee members, who called it "absurd".

The German government had also in 2013 instructed its MPs to use only encrypted mobile phones for sensitive calls.

In Britain's civil service, a handful of computers in highly sensitive departments are already cut off from the Internet, but this is not markedly different from the current practice in Singapore.

Here, the Ministry of Defence and the Ministry of Home Affairs, for instance, have had the no-surfing rule on work computers for years. Camera phones are also not allowed into restricted military premises.

The questions now are: Why must such separation apply broadly to all 100,000 public service computers? And could the move have been more finely calibrated?

SMART YET SECURE

The argument for it stems from Singapore's ambition to be a smart nation, where government agencies become more connected to one another to up the ante on e-citizen services.

As Singapore's Cyber Security Agency (CSA) chief executive David Koh said: "We can't be a Smart Nation that is trusted and resilient if our systems are open and vulnerable."

After news broke of the planned public service Internet restriction, Prime Minister Lee Hsien Loong said from Yangon, where he was on an official visit, that with the rising sophistication and number of cyber threats, it was time to introduce measures that require public servants to use separate computers for work e-mail and Internet access. "Otherwise, one day you find all your NRIC numbers, addresses and income tax returns for sale on the Internet... how will the Government explain?"

There is no such thing as foolproof protection. There are pros and cons for various approaches. A more finely-calibrated approach, however, will allow the Government to strike a better balance between productivity and security in the public service.

The Government also recognised the limitations of even the latest technologies against new threats.

Mr Koh said that a firewall could filter, at best, half of all malware.

This is because the tool - typically the first line of defence for most systems - works well only on known malware, and is less effective against new ones.

Over the past year, 16 attacks against the Singapore Government's networks made it past firewall systems, CSA revealed.

Most networks are also designed to have other basic protections such as anti-virus software as well as intrusion detection and prevention systems, which work like firewalls. But these tools are unable to identify fresh malware.

This is because hackers know how to disguise malicious programs as benign-looking installer apps, for instance, to escape detection. Hackers also frequently change a malware's distribution location to avoid detection and blocking.

Some hackers also design malware to stop snooping temporarily when anti-virus software is scanning a computer.

"This extends the life of the malware in its undetected state," said Mr Vitaly Kamluk, global research and analysis director of the Moscow-based security systems specialist Kaspersky Lab Asia-Pacific.

All it takes is one click by a curious individual on malware embedded in a Web link or an e-mail attachment to put an entire network in the hands of a hacker.

MORE CALIBRATION

However, some people have wondered why a more calibrated approach is not being taken in Singapore's move.

Security software firm Fortinet Asia-Pacific's vice-president, Mr George Chang, said current identity and access control technologies, for instance, are able to limit the information one can receive or view based on an employee's job scope.

A calibrated approach would have less of an impact on the productivity of public servants, and thereby make more sense.

Under the proposed new arrangements, a social media specialist in public service, for example, would have to lug two laptops home to receive e-mail on one computer and surf the Web for research work on the other.

As classified e-mail messages cannot be forwarded to personal e-mail accounts, the Web links embedded in these classified e-mail would have to be typed out in full on a mobile tablet or another device just to view the Web page. Text on the Web page also cannot be copied if any reference needs to be made to it - and must be typed out - in the e-mail reply.

Banks also face a tremendous amount of threats from hackers and cyber thieves. But they have so far not issued a blanket separation policy.

The Straits Times understands that many banks give only some personnel - such as analysts, sales staff and corporate communications employees - Internet access on their work stations, recognising that online research is key to their role.

But specific file-sharing, Web-hosted e-mail and pornography websites are blocked. The fear is that staff may download malware accidentally from dodgy websites, or share sensitive documents online.

Mr Patrick Chew, head of operational risk management at OCBC Bank, said the bank has no plans to change its graduated approach at the moment, although it frequently reviews its policies.

"So far with our existing measures, we are able to balance our business needs without compromising the requirements for security," he said.

Banks have also disabled the USB ports of employees' computers to prevent any information leak or malware from entering the system when storage drives are inserted.

And yet, "authorised" storage drives will be allowed on government computers.

It is unclear what makes a drive an authorised one in this instance. But commercial software is available to block certain models of drives, and regulate access to USB devices by the time of day and week. Security software can also capture logging activities, such as what files are copied onto what sort of devices.

Arguably, a USB port - especially when it is not disabled - is as much of a security gap as Web surfing is on public servants' computers. After all, what brought down Iran's nuclear plant in 2010 was a malicious computer worm delivered via an unassuming piece of technology: the USB drive.

An Iranian double agent working for Israel reportedly plugged the deadly USB drive into a computer in Iran's Natanz nuclear facility. The malware quickly propagated and knocked the facility offline, temporarily crippling Iran's nuclear programme.

Also, as safe as manual typewriters may seem, top secret documents can still be photocopied and the information leaked to the photocopier's serviceman who has access to stored images. They could also be photographed on a mobile phone.

There is no such thing as foolproof protection. There are pros and cons for various approaches. A more finely-calibrated approach, however, will allow the Government to strike a better balance between productivity and security in the public service.

If banks can reach an equilibrium between securing their systems and delivering cutting-edge online convenience, then perhaps the public service's blanket policy is worth a second look.

A version of this article appeared in the print edition of The Straits Times on June 16, 2016, with the headline 'Too much of a security blanket?'. Print Edition | Subscribe