Public services won't be hit by move to secure systems

PM Lee, speaking yesterday at the end of a visit to Myanmar, highlighted how cyber security is a problem that Singapore has been trying to tackle since the days of the floppy disks. He said Internet surfing is "the easiest way by which somebody can p
PM Lee, speaking yesterday at the end of a visit to Myanmar, highlighted how cyber security is a problem that Singapore has been trying to tackle since the days of the floppy disks. He said Internet surfing is "the easiest way by which somebody can plant something" into the system, and that people have done so.PHOTO: LIANHE ZAOBAO

Public servants will still be able to respond to citizens' queries and e-services will continue to work as normal

Government e-services will not be affected and public servants will still be able to respond to queries from citizens.

This was the assurance given by Mr David Koh, chief executive of Singapore's Cyber Security Agency, as he addressed concerns yesterday that such services could be impacted following a decision to delink Web surfing from public servants' work computers from next May.

After The Straits Times reported on Wednesday that 100,000 computers used by the public service will no longer have direct access to the Internet from next May, to keep government e-mail systems and shared documents safe, an online debate ensued, with some asking if such a measure was a step too far.

Civil servants will have to connect to the Web using a separate computer system. They will also be able to surf the Web via personal mobile devices, and non-sensitive e-mail can be forwarded to personal accounts.

Explaining why e-services will continue to work as normal, Mr Koh said: "The transactions go through a secure system to connect to the government networks."

A RESPONSIBLE STEP

We can't be a Smart Nation that is trusted and resilient if our systems are open and vulnerable. As public servants, we have a duty and responsibility to protect the Government'sand citizens' information and data. This move of Internet surfing separation will significantly reduce the attack surface and make it harder for attackers to exploit our systems.

'' MR DAVID KOH, chief executive of Singapore's Cyber Security Agency.


PM LEE ON...

THE RISKS

We've had intrusions we know, we've reported some of them publicly, serious ones. So far, we think that the damage which has been done or the information which has been stolen has not been disastrous. But we cannot be sure that will not happen. In fact, you can be pretty sure that if you have a big system, something in there is not quite right, and somewhere in that part, somebody has discovered it and may well have taken advantage of it.


THE INTERNET'S VULNERABILITY

It's very convenient to have it all on the same computer. You work, you surf, you see something relevant, you respond straightaway, copy it into an e-mail you can deal with it, or somebody sends you a link - you click on the link straightaway you can watch the YouTube video or the article. It's part of working. And yet it's a vulnerability. Because Internet surfing is the easiest way by which somebody can plant something into your system; by which way people have planted things into our system.


FINDING A SOLUTION

So what do we do? So the security people have been recommending to us, cut off. Have an e-mail system, closed; have the Internet-facing system separate. E-mails can come in, e-mails can go out, but the e-mails are all scanned. Other than e-mail, surfing off. I said, 'Do you really want to do this? It's such a nuisance to work.' But what to do? They convinced me this was a very, very serious matter. The public may not know and you don't always go around telling the public how vulnerable you are but, in fact, you are vulnerable. ''


THE MOVE TO SPLIT INTERNET ACCESS FROM WORK E-MAIL

Are we happy? I don't think so, because it will slow us down in terms of day-to-day productivity. In terms of security, safety of our systems, safety of our citizens and information concerning them - it's absolutely necessary. Otherwise one day you find all your NRIC numbers, addresses and income tax returns for sale on the Internet, one package 10 gigabytes. How will the Government explain?

He also spoke at length about why the Internet lockdown is necessary. Singapore is under constant attack by cyber criminals, gangs, "hacktivists" and even state actors. So it is crucial to hive off Internet surfing to other machines that do not have access to the Government's internal networks and systems.

Over the past year, he said, there were 16 attacks against government networks that made it past firewall systems provided by vendors. The malware was eventually detected and extracted with no damage done.

In 2014, there was a security breach of the Ministry of Foreign Affairs' IT system. Steps were taken to isolate the affected devices and the networks were strengthened following the discovery.

There was also a series of attacks in 2009 in the run-up to the Asia- Pacific Economic Cooperation meetings held in Singapore, targeting the organising committee members and delegates.

"As public servants, we have a duty and responsibility to protect the Government's and citizens' information and data," said Mr Koh, adding that the Internet-surfing separation "will significantly reduce the attack surface and make it harder for attackers to exploit our systems".

Prime Minister Lee Hsien Loong, addressing the issue yesterday at the end of a visit to Myanmar, highlighted how cyber security is a problem Singapore has been trying to tackle since the days of the floppy disks in the 1970s.

"I remember in the early days, we scratched our heads because it reached a point where people were having floppy disks, and the floppy disks were getting smaller," he said.

"What do you do? We said, well let's try and control all our floppy disks so none of them disappear. Then, somebody brings one in, takes one out - you don't know what happened. So you say, you must not bring in any floppy disks to work."

But that was very hard to enforce, he added.

Then came thumbdrives, which could easily be placed in pockets, again involving some vulnerability.

The latest challenge is the Internet. "It's very convenient to have it all (e-mail and the Internet) on the same computer," said PM Lee.

But "Internet surfing is the easiest way by which somebody can plant something into your system". He added that people have planted things into the system.

He also noted that the more serious threats will come from outside Singapore, saying: "Within Singapore, if someone is determined to do this, chances are I will be able to find out and I can visit him in real life, and not just in cyberspace."

Infocomm Development Authority (IDA) managing director Jacqueline Poh acknowledged that civil servants may face initial adjustment issues. But IDA, the agency executing the policy, will explore workarounds to keep up productivity, she added.

The move to separate Internet access from work e-mail is increasingly being adopted around the world, said security specialist Sean Duca of Palo Alto Networks Asia-Pacific.

The delinking "has become a common practice by private- and public-sector organisations worldwide to mitigate cyber risks," he said.

A version of this article appeared in the print edition of The Straits Times on June 10, 2016, with the headline 'Public services won't be hit by move to secure systems'. Print Edition | Subscribe