We have an IT literacy problem

On 8th June, I woke up to the news that the Singapore government would be cutting off internet access to 100,000 civil servants’ computers in May 2017 as a major security measure.

It is not a total ban though – there will still be internet access or terminals for those who need them.

My first thought was : “Wow, that’s a pretty ballsy move, and it makes sense.”

You will probably disagree with me, but please, do not get me wrong.

I support the spirit and boldness of the decision, but I also agree with critics that there are some major kinks to be ironed out to ensure our civil service does not get crippled overnight.

My friend Alfred Siew has written two excellent commentaries on the issue that you should read – “Puzzling to cut Internet access from civil servants in Singapore” and “Blocking the Internet isn’t the only or best way to combat cyber threats”

I have a somewhat differing approach from Alf as I favor bold measures that cut to the root of the issue and I want my Gahmen to take every measure to protect my personal data, regardless of the inconvenience caused. My earlier thoughts on Facebook here:

The raw sentiments on the ground range from “What a regressive move to the 1990s” to “Why take a sledgehammer to kill a fly?” to “You 70% voted these people in, so live with their stupid decisions!”

Frankly, you should be more disturbed by these public reactions than the actual decision by the government. Even PM Lee had to spend time to defend the actions of his chaps.

Most people will have angry reactions because we have an IT literacy problem –  there is little understanding or proper consideration of the risks of today’s technology, despite its pervasiveness and usage.

You have the right to agree or disagree with the Gahmen’s decision. But you need to be able to weigh the issues involved, rather than just roll your eyes. People do not care about hackers until they get hacked, or observe the actions of hackers.

Let me share two personal stories:

First, this blog has seen over 25,000 malicious log-in attempts over the past five years, yet it still hums along because of the efforts of WordPress security plug-in developers, my hosting company and myself. And over 219,000 spam comments containing malicious URLs have been blocked or removed.

If this blog goes offline someday, it is either because I stopped paying for the hosting or my server got hacked.

Next story : A few months ago, a friend was attacked by a hacker who studied his LinkedIn profile and sent across a well-engineered email disguised as a customer complaint.

Attached to the email was an innocent-looking MS Word document that hid a malicious macro. Upon opening the document – so he could to read the customer’s complaint in detail – the macro hack went into action and went hunting through his laptop’s hard disk for his bank account (which in turn, experienced multiple failed login attempts)

My friend went through several days of back-and-forth with his bank to re-activate his bank account, and lots of other painful actions to clean up his laptop. Mind you, this friend is pretty tech-savvy, yet the hacker managed to penetrate his usual wariness and defences with a mixture of online profile research, social engineering and Word macros.

(Please, disable macros in MS Office unless you know the source).

Now, what if a hacker got hold of your personal data stored on government servers, and pretended to be a government official to get to your money and family in person, or through other means?

What if you received your annual income tax payment bill as scheduled, only to realize later that your payment never reached IRAS but was deposited into some offshore account?

What if you received a recommendation to buy some expensive medicine online for your existing diabetes condition?

Read this Heimdal security blog post for some crazy stats. They claim that 600,000 Facebook accounts are compromised daily. And thanks to Java, Adobe Flash and Adobe Reader present in our computers, we are all vulnerable to exploit kits by hackers.

Do you now comprehend what we face? It is truly frightening.

We are the weakest link

I am not an expert enough to tell you whether the Gahmen’s move will truly prevent a massive hack, but it will definitely take a big chunk of vulnerabilities out of the equation – the hundreds of thousands of civil servants who each represent an unwitting entry-point into the nation’s database.

If you forcefully strip out the ability to visit malicious URLs and filter out the macros and executable files from attachments, you can slow down the thousands of hackers who do this out of pleasure or profit (from the mafia, terrorists or certain governments).

In my opinion, people are the weakest link, and that is the point of this article.

We cannot be a Smart Nation if people do not figure out technology’s pros and cons. You cannot just treat internet devices like appliances. You cannot expect things to be truly secure without inconvenience. 

We have grown up with the fastest advancement of technology the world has ever seen, and along the way, we have failed to comprehend the power of control and information that sits in our pockets or on our office desks.

One young guy told me recently that he is not selling his old, dying smartphone because he wants to keep the photos. I told him if he does not do anything, the phone will go dead along with his data. He looked really worried and I was even more aghast because he is not some old geezer who is a Luddite.

Others tell me they do not worry about data backup because they “store photos in the cloud”. I am a big fan of Google Photos, and I use it to automatically back up my phone’s photos daily. However I am also aware the service can disappear anytime, or that my photos may leak to the public.

I do not worry too much about photo leaks since I have no nude selfies (sorry, I am not sexy like Jennifer Lawrence though I have photos of naked Italian motorcycles). I am worried only about the loss of my photos, so I always have several manual backups on hard drives that are not connected to the Internet.

What I am very careful to do with cloud services is not to store any password, bank account data, credit card statements and so on. Yes, you can steal my CV (curriculum vitae) from the cloud, but hopefully you will find my work history interesting, and it’s the same content I put on LinkedIn anyway.

My bank password is stored in my brain, and you will have to get past Two-Factor Authentication to get to my critical social media or email accounts. 

Technology may be super-easy today to use with mobile apps and 4G broadband, but it always requires some end-user effort to be utilized properly.

All too often, I have people asking me how to transfer address books when they change or lose phones. I know it is not an easy process but I wonder why they do not go research the methods themselves. No, I will not post the answer here, go Google it lah.

My regular readers know that I am not a big fan of this government when it comes to matters like education and transport.

Yet I think their decision on internet access makes sense, because they are getting to the root of the problem – reducing the multiple entry points posed by every single civil servant’s device.

Even if everyone became more IT-literate, you will still have some gaps in knowledge or slip-ups which allow hackers to find a chink in the armour.

It does not mean we abandon responsibility for IT literacy and expect the Gahmen to hold our hands all the time. Never let technology control you, take control of it!

PS: Some readers will come up with all sorts of weird analogies about cyber-security to counter this article (I’ve had to read and respond to quite a few bad analogies this week). Or point out that I’m not a civil servant (I’m not the sort they’ll hire). Frankly, none of us know how the final system will be implemented till May 2017. If you have a better solution to deal with millions of hacking attempts on a government database, please put it on your own blog or on your public Facebook post to share with the world.

5 Replies to “We have an IT literacy problem”

  1. Here’s the thing; take a fistful of rice and try to grip it as tight as possible. Instead of keeping what you already have tightly in your reach, it actually ends up causing more to slip through the cracks of your fingers.

    It’s the same thing with what is going on right now. So they are cutting off online access on their workstations, but you know just how innovative people can be when it comes to getting their way. Cue lots of workers tethering their phones to their workstations and connecting to the Internet via mobile data. That is even worse for security; at least, with official online access, internet traffic that enters and exits the organization can be logged, tapped and analyzed for threats, or if need be, actively screened in real time to greatly lower the risks of online-based threats entering the corporate network. A direct connection to the Internet via tethered mobile data bypasses all of these backend protections and exposes the workstation to every single available threat on the Internet. Which one is more at risk?

    1. Hi, until we know how the system will be implemented, I’d suggest that the analogies you’ve come up with may or may not be valid. Eg. mobile tethering may not work for quarantined devices.

      Also everyone, please note I will not allow any more comments on this thread unless you use your full name and a valid email address. Take accountability for your views, and I’m open to any as long as they are respectful and constructive.

      1. I don’t often agree with our government too but this is the right move for security reasons.

        Most employees of law firms, MNCs and other large corporations do not have access to the internet on their organisation’s systems for exactly the same reasons.

        Well said Ian.

  2. Thanks for the article, you mirrored my thoughts, but just more articulately than I can. I would also like to point out that people tend to seriously underestimate the severity of cyber threats too. It’s is no longer just restricted to simply losing some sensitive data. With IoT and sophisticated computer virus which can bridge into the physical world, life are at risks. In future, cyber terrorism will overshadow today’s terrorist threats.

  3. It probably isnt just lack of IT literacy. Many people are ready to shoot off the hip when it comes to government bashing. The dont really want to know about the issue just wants to bash and with as sensational headlines as possible. “PAP cuts off internet access” etc.
    Cant see how this can stop unfortunately.

    In gun analogy, its akin to someone outside possibly having remote control to the gun trigger and point. We wld want these guns to have their bullets removed, be in an isolated room and physically clamped down not being able to point.
    In the driving example, its like someone outside anywhere in the world being able to remotely take over and drive the car. Controls wld be save as above.
    To continue to use these guns and drive these cars and pretend that all is well is foolhardy.

Comments are closed.