Being an early adopter of technology, Singapore's public sector may very well be susceptible to vulnerabilities inherent in legacy systems, but this does not mean the country's e-government systems need a complete overhaul.
David Koh, chief executive of Cyber Security Agency (CSA), explained that where cybersecurity was concerned, there were typically three key aspects to manage: usability, cost, and security. Focusing on two would inevitably mean the third had to be compromised, and up until the past five years, the general consensus seemed to be that usability and cost should be the main drivers.
"People were prepared to sacrifice security," he said, noting that two-factor authentication (2FA), for instance, had been available for years but remained largely unused. "Best practices for security have been advocating 2FA, but there's been reluctance to implement this... If security professionals tried to implement this five years ago, I think there would have been a huge outcry from the man on the streets who would ask why we're overreacting and inconveniencing people, and adding cost."
It took a June 2002 incident, during which DBS Bank's online banking system was hacked and funds stolen, for the public to finally support the need for more robust security measures, he noted. In 2008, the use of 2FA was mandated for all online banking services island-wide.
Speaking to ZDNet in an interview, Koh was responding to questions about a 2014 security breach involving SingPass that affected some 1,560 users. There are more than 3.3 million SingPass accounts, which citizens use to access e-government services including filing income taxes, checking balances in the national retirement fund, and registering new businesses.
In July this year, 2FA was introduced into the SingPass login process for transactions involving sensitive data such as financial or health information, as well as for services that required a high level of identity assurance.
Similar to the banking sector, Koh said there would not have been higher consensus and support for the use of 2FA in SingPass had the breaches not occurred. Even so, there were camps who argued that it would be too complicated for the older generation to manage, he added.
"So there needs to be ongoing education and in due course, we need to accept that these [steps] are necessary," he said. "We can talk about increasing the level of security, but it also has to be supported by the people and man on the street. Until recently, the level of support and awareness and appreciation [for stronger security measures] weren't there. Things are changing, and the public now recognises the threat and is increasingly prepared to support [these changes]."
Pointing also to recent hiccups that brought down the Central Provident Fund Board's e-services for several days, he noted that this was not the result of a security breach but likely of poor IT project management and implementation. He added, though, that such lapses were not uncommon and were part of operational issues all companies faced.
The service outage was attributed to "technical issues" that surfaced following a website upgrade.
Asked if Singapore's e-government systems needed an overhaul, especially since the public sector began computerising its processes in the 1980s when the threat landscape was vastly different, Koh replied: "Yes, and no."
He acknowledged that as an early IT adopter, there would be potential for vulnerabilities in the public sector infrastructure, but the benefits of e-government services and greater connectivity had been significant over the past few decades. "We don't want to move backwards, but at the same time, we want security," he noted.
Referring again to the need to find a balance between usability, cost, and security, he said the criticality of a piece of information would determine how this equation should be managed when dealing with e-government systems.
Moving forward, he added that when new systems were implemented, or when older ones were due for refresh, security would be a key consideration from the get-go. "We can't try to bolt on or add security after the fact," he said, reiterating comments from Singapore's Minister for Communications and Information Yaacob Ibrahim about the need to adopt a security-by-design mindset.
"It's challenging technically to add security after a system has been designed or implemented. It's also more costly," Koh explained. "We're better off integrating security at the onset and this has to be taken into account at the implementation stage, as well as throughout the system's lifecycle including future upgrades, to preserve the security [posture]."
"We see security, ultimately, as an enabler for things like e-government and smart nation. It's only when you can successfully implement security as part of the system can you reap the full benefit that it promises," he said, adding that citizens would not use a system in which they had no confidence.
IoT, cyberterrorism major concerns
Operational only in April this year, CSA has centralised oversight of Singapore's cybersecurity operations and functions, and takes charge of future developments in this area. The agency comes under the purview of the Prime Minister's Office and currently has some 100 employees, including its own staff as well as personnel it "inherited" from other government agencies such as the Infocomm Development Authority and Ministry of Home Affairs.
Koh, who is also the deputy secretary of technology for the Ministry of Defence, pointed to IoT (Internet of Things) and cyberterrorism as major concerns, when asked to choose between the two and human error.
"I think we will never be safe from human error. No matter how well we design and architect a system, ultimately, it's still operated by humans who, by all best intentions, make mistakes," he smiled, as he related a cartoon that referred to the "nut behind the screen" as the weakest link in the network. "It's a reality and we can't engineer the human out of the network. So we have to manage and mitigate this as best we can."
IoT and cyberterrorism, though, were worrying.
Koh noted that IoT, with its vast connectivity, significantly expanded the attack surface and potential for breaches. "It's a latent threat [and] would depend on bad actors to exploit," he said, adding that this then led to the potential spread of cyberterrorism.
He noted that malicious hackers could cause real physical damage should they penetrate critical systems such as power plants and transport networks, potentially creating accidents that could result in loss of lives.
To mitigate the risks brought about by IoT, he suggested that "operating norms" could emerge and evolve, such as enabling by default only the ports and connectivity that were necessary. All others would be closed, so that a device such as a refrigerator or car would have only the limited functions needed to do what it was designed to do, and nothing else, Koh said.
"So from the onset and design, only basic functions are enabled and others locked down. This would reduce the attack surface," he said.
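The "only necessary ports enabled by default" norm Koh describes can be checked mechanically on a device. The following is an added example, not code from the article, CSA or any device vendor: it parses `ss -ltun`-style socket listings and flags any listener that is not in the device's declared least-privilege profile. The profile for the hypothetical smart refrigerator, the sample socket listing and the service names are all constructed for the example.

```python
"""Audit an IoT device's listening services against a least-privilege profile.

Added example (not from the article or from CSA). It models the operating
norm described above: only the ports a device needs are open by default and
everything else is closed, so any other listener is a finding. The device
profile and the ss-style output below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed profile for a hypothetical smart refrigerator: the only services
# the device needs to do its job. Anything else listening is a deviation.
ALLOWED_LISTENERS: Set[Tuple[str, int]] = {
    ("tcp", 8443),   # local management UI over TLS
    ("udp", 5353),   # mDNS for local discovery
}

# Constructed sample in the shape of `ss -ltun` output (not captured from a real device).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def is_loopback(self) -> bool:
        return self.addr in ("127.0.0.1", "::1")


# Netid, State, Recv-Q, Send-Q, then "addr:port"; the greedy \S+ backtracks to the last colon.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text: str) -> List[Listener]:
    """Parse ss-style lines into Listener records; the header and unparseable lines are skipped."""
    out: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        addr = addr.strip("[]")  # normalise the bracketed IPv6 form, e.g. "[::]" -> "::"
        out.append(Listener(proto, addr, port))
    return out


def audit(listeners: List[Listener], allowed: Set[Tuple[str, int]] = ALLOWED_LISTENERS) -> List[str]:
    """Return one finding per listener that is not in the allowlist.

    Loopback-only services are reported at lower severity: they are not reachable
    from the network, but they still widen the local attack surface and should be
    justified in the profile rather than silently tolerated.
    """
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in allowed:
            continue
        severity = "LOW" if lst.is_loopback else "HIGH"
        findings.append(f"{severity}: unexpected {lst.proto}/{lst.port} bound on {lst.addr}")
    return findings


def main() -> None:
    # On a real device you would feed in the live `ss -ltun` output instead of the sample.
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the audit passes the management UI and mDNS listeners and reports telnet and SSH on all interfaces as high-severity deviations, with the loopback-bound chrony port as a low-severity one. Keeping the allowlist as an explicit, reviewed profile is what turns "locked down from the onset" into something that can be verified on every firmware build rather than assumed.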
He added that Singapore's general population, as well as businesses, must start assuming personal responsibility and recognising they had a role to play to preserve their cybersecurity wellbeing.
"People need to realise that cybersecurity is mainstream and is part of our mainstream life. If we all do our part, it will go a long way in raising the overall herd immunity of Singapore's cyber environment, rather than our current bad habit of thinking it's someone else's problem," he said. "It's our problem and we need to play a [more] active part."
He also underscored the need for greater cooperation between countries, including those in Asean, to combat cyberterrorism and cybersecurity threats.