The Straits Times says

Sussing out weak links in cyber defence

Public concerns have been raised about the powers the Cyber Security Agency will acquire under a Bill now in the works to help thwart digital threats. It would be a "misunderstanding" to see it as a Big Brother Bill as it doesn't give the agency "broad powers to oversee every computer in Singapore", according to its chief executive David Koh. The proposed powers are said to be linked to cyber security events and information sought would be largely technical in nature.

Under the Bill, the Commissioner of Cybersecurity - appointed by the relevant minister - is required to oversee and maintain the cyber security of computer systems in the city-state. The Commissioner is empowered to seek information related to such defences and to investigate cyber security incidents. In furtherance of the latter duty, the Commissioner would be able to access a computer, "search any data" available to it, and take a copy of any electronic record, among other powers. Such authority would override rules on banking secrecy and the confidentiality of information. Certain limits are also spelt out - for example, the owner of a computer system may appeal to the minister if it is designated as "critical information infrastructure", which carries a higher set of responsibilities.

Given the grave risks posed by hacking which could paralyse a nation, citizens ought to ponder choices like strong powers to stop attackers in their tracks, an agency's constrained authority to act, or some balance of the two. Tardy responses could produce a domino effect. Being interlinked, a breach in one area could affect even systems in remote spheres. Of course, it is the provision of essential services that is of greater concern - like phone and Internet connections, power and water supply, transport, banking and finance, and public security. Accordingly, the Bill empowers the minister to authorise or direct any person or organisation to take necessary steps to prevent a possible cyber meltdown.

Another utility of contemplating whether too little or too much power is being given to the authorities is that it might prompt people to examine their own attitudes towards data. Certain information is deemed precious, yet standards of data protection vary across different sectors. Thus there is merit in ensuring useful codes of practice and standards of performance are widely observed, as directed by the Commissioner.

The irony is that many who might shrink from architectures of surveillance, called the Panopticon by philosopher Jeremy Bentham, often think little of how corporations leverage their data to make money. Danger arises when they pay little attention to surveillance by hackers who are constantly probing networks to find weak links. Slackness on the part of organisations and users in effect cedes power over networks to subverters.

A version of this article appeared in the print edition of The Straits Times on November 21, 2017, with the headline 'Sussing out weak links in cyber defence'. Print Edition | Subscribe