On 8th June, I woke up to the news that the Singapore government would be cutting off internet access to 100,000 civil servants’ computers in May 2017 as a major security measure.
It is not a total ban though – there will still be internet access or terminals for those who need them.
My first thought was: “Wow, that’s a pretty ballsy move, and it makes sense.”
You will probably disagree with me, but please, do not get me wrong.
I support the spirit and boldness of the decision, but I also agree with critics that there are some major kinks to be ironed out to ensure our civil service does not get crippled overnight.
My friend Alfred Siew has written two excellent commentaries on the issue that you should read – “Puzzling to cut Internet access from civil servants in Singapore” and “Blocking the Internet isn’t the only or best way to combat cyber threats”.
I have a somewhat differing approach from Alf as I favor bold measures that cut to the root of the issue and I want my Gahmen to take every measure to protect my personal data, regardless of the inconvenience caused. My earlier thoughts on Facebook here:
The raw sentiments on the ground range from “What a regressive move to the 1990s” to “Why take a sledgehammer to kill a fly?” to “You 70% voted these people in, so live with their stupid decisions!”
Frankly, you should be more disturbed by these public reactions than the actual decision by the government. Even PM Lee had to spend time to defend the actions of his chaps.
Most people will have angry reactions because we have an IT literacy problem – there is little understanding or proper consideration of the risks of today’s technology, despite its pervasiveness and usage.
You have the right to agree or disagree with the Gahmen’s decision. But you need to be able to weigh the issues involved, rather than just roll your eyes. People do not care about hackers until they get hacked, or observe the actions of hackers.
Let me share two personal stories:
First, this blog has seen over 25,000 malicious log-in attempts over the past five years, yet it still hums along because of the efforts of WordPress security plug-in developers, my hosting company and myself. And over 219,000 spam comments containing malicious URLs have been blocked or removed.
If this blog goes offline someday, it is either because I stopped paying for the hosting or my server got hacked.
Next story: A few months ago, a friend was attacked by a hacker who studied his LinkedIn profile and sent across a well-engineered email disguised as a customer complaint.
Attached to the email was an innocent-looking MS Word document that hid a malicious macro. Upon opening the document – so he could read the customer’s complaint in detail – the macro hack went into action and went hunting through his laptop’s hard disk for his bank account (which, in turn, experienced multiple failed login attempts).
My friend went through several days of back-and-forth with his bank to re-activate his bank account, and lots of other painful actions to clean up his laptop. Mind you, this friend is pretty tech-savvy, yet the hacker managed to penetrate his usual wariness and defences with a mixture of online profile research, social engineering and Word macros.
(Please, disable macros in MS Office unless you know the source).
Now, what if a hacker got hold of your personal data stored on government servers, and pretended to be a government official to get to your money and family in person, or through other means?
What if you received your annual income tax payment bill as scheduled, only to realize later that your payment never reached IRAS but was deposited into some offshore account?
What if you received a recommendation to buy some expensive medicine online for your existing diabetes condition?
Read this Heimdal security blog post for some crazy stats. They claim that 600,000 Facebook accounts are compromised daily. And thanks to Java, Adobe Flash and Adobe Reader present in our computers, we are all vulnerable to exploit kits by hackers.
Do you now comprehend what we face? It is truly frightening.
We are the weakest link
I am not an expert enough to tell you whether the Gahmen’s move will truly prevent a massive hack, but it will definitely take a big chunk of vulnerabilities out of the equation – the hundreds of thousands of civil servants who each represent an unwitting entry-point into the nation’s database.
If you forcefully strip out the ability to visit malicious URLs and filter out the macros and executable files from attachments, you can slow down the thousands of hackers who do this out of pleasure or profit (from the mafia, terrorists or certain governments).
In my opinion, people are the weakest link, and that is the point of this article.
We cannot be a Smart Nation if people do not figure out technology’s pros and cons. You cannot just treat internet devices like appliances. You cannot expect things to be truly secure without inconvenience.
We have grown up with the fastest advancement of technology the world has ever seen, and along the way, we have failed to comprehend the power of control and information that sits in our pockets or on our office desks.
One young guy told me recently that he is not selling his old, dying smartphone because he wants to keep the photos. I told him if he does not do anything, the phone will go dead along with his data. He looked really worried and I was even more aghast because he is not some old geezer who is a Luddite.
Others tell me they do not worry about data backup because they “store photos in the cloud”. I am a big fan of Google Photos, and I use it to automatically back up my phone’s photos daily. However, I am also aware the service can disappear anytime, or that my photos may leak to the public.
I do not worry too much about photo leaks since I have no nude selfies (sorry, I am not sexy like Jennifer Lawrence though I have photos of naked Italian motorcycles). I am worried only about the loss of my photos, so I always have several manual backups on hard drives that are not connected to the Internet.
What I am very careful to do with cloud services is not to store any password, bank account data, credit card statements and so on. Yes, you can steal my CV (curriculum vitae) from the cloud, but hopefully you will find my work history interesting, and it’s the same content I put on LinkedIn anyway.
My bank password is stored in my brain, and you will have to get past Two-Factor Authentication to get to my critical social media or email accounts.
Technology may be super-easy today to use with mobile apps and 4G broadband, but it always requires some end-user effort to be utilized properly.
All too often, I have people asking me how to transfer address books when they change or lose phones. I know it is not an easy process but I wonder why they do not go research the methods themselves. No, I will not post the answer here, go Google it lah.
My regular readers know that I am not a big fan of this government when it comes to matters like education and transport.
Yet I think their decision on internet access makes sense, because they are getting to the root of the problem – reducing the multiple entry points posed by every single civil servant’s device.
Even if everyone became more IT-literate, you will still have some gaps in knowledge or slip-ups which allow hackers to find a chink in the armour.
It does not mean we abandon responsibility for IT literacy and expect the Gahmen to hold our hands all the time. Never let technology control you, take control of it!
PS: Some readers will come up with all sorts of weird analogies about cyber-security to counter this article (I’ve had to read and respond to quite a few bad analogies this week). Or point out that I’m not a civil servant (I’m not the sort they’ll hire). Frankly, none of us know how the final system will be implemented till May 2017. If you have a better solution to deal with millions of hacking attempts on a government database, please put it on your own blog or on your public Facebook post to share with the world.