Singapore unveils drastic move that puts government in pre-internet era
The Singapore government is cutting off internet connection from all computers used by employees in the public sector, throwing up critical questions about how this move will impact its smart nation and e-government services in future.
The switch would be turned off come May 2017 as the government looked to stump potential leaks from e-mail and shared documents, reported local English daily The Straits Times, which noted that a memo would be sent out to government ministries, agencies, and statutory boards detailing the move.
The public sector operated a network of 100,000 computers, all of which would be impacted by the announcement. Government employees would only have online access via dedicated work terminals or be able to browse the web via their own personal mobile devices, since these would have no access to government e-mail systems.
Local industry regulator Infocomm Development Authority (IDA), which was spearheading this latest development, told ZDNet the government "regularly reviews" its IT security practices to improve its security posture.
The spokesperson said: "We have started to separate internet access from the workstations of a selected group of public service officers, and will do so for the rest of the public service officers progressively over a one-year period. There are alternatives for internet access and the work that officers need to do does not change."
ZDNet understands that government employees will continue to have access to the government's intranet and, as such, to its e-mail system and will be able to send and receive e-mail with external parties. Online queries from the general public will continue to be redirected to the work e-mail of public servants who can continue to respond using their work e-mail address.
Employees, however, will be expected to observe cybersecurity policies including rules that prohibit them from forwarding "classified" work e-mail to their personal e-mail accounts.
ZDNet also understands the one-year transition will allow for mechanisms and tools to be built to minimise interruptions to workflows as well as better enable government employees to fulfil their work requirements. These will include evaluation of access to government cloud services and wireless networks.
The announcement triggered strong reactions from the industry and general public, with several describing the move as a step back into the 1990s and "stone age".
In his tweet, local blogger Mr Miyagi wrote: "We're with you, civil servants of Singapore. Oh wait, you have no internet to read this tweet." Kelvin Wong also tweeted "the Singapore civil service enters the internet dark age from 2017", while Alex Koh noted: "Knee-jerk reaction from the civil service. Going back to stone ages...Cloud services IDA advocates are useless."
Drastic as it may seem, however, the government's move to cut direct access does not necessarily mean the delivery of its e-services will be negatively impacted.
In a phone interview with ZDNet, Vic Mankotia, CA Technologies' Asia-Pacific Japan vice president of security and API management, said citizen and e-government services today increasingly were supported through applications and APIs (application programming interfaces). These would facilitate communications between government agencies and the citizens as they made their way through "unclassified systems"--from public domains--to classified systems operated by the government.
While Mankotia supported the Singapore government's move to restrict internet access, he said a "smarter way" was to develop a "managed ecosystem" that provided identity-based access and authentication, coupled with proper governance. This would ensure the right access was given to the right person, at the right time, and on the right device, he added.
"Switching off the internet is a good start to a secure environment for a government, although intranet access should still be made available. Remember, every piece of information is not created equal where some have value, while another may not have any value, so I don't think everything needs to be shared," he explained.
With most people today connected 24 by 7 either through their work or personal devices, he added that identity had become the new perimeter and was not restricted to a specific network. This ecosystem, based on identity management, was more advanced and would better facilitate a smart nation and application economy.
"It's no longer about the internet. It's about applications, and on a network that's mobile," Mankotia said. "We have to think this through. Switching off is not the only answer. Look at a managed ecosystem, which is the smarter [model] and you'll get better results based on an identify management ecosystem."
Security vendor RSA appears to toe the same line, stressing the importance of identity management.
In his response to ZDNet queries, RSA's Asia-Pacific Japan security evangelist Michael Lee said: "The proliferation of smart devices complemented with the adoption of cloud means that employees are increasingly mobile, given that they can access company resources at anytime, anywhere, from devices like smartphones, tablets, and laptops.
"In approaching cybersecurity, we believe the ideal approach to be accounting for people, processes, and technology. Just as identification is necessary for entry to certain facilities, ensure that the proper identity and access management controls are setup so that the rightful have access to corporate resources when the data needs to extend beyond the organisation's network," Lee said, adding that analytics and visibility would further ensure anomalies could be quickly identified and addressed.
Taking a step backwards
In a previous ZDNet report, David Koh, chief executive of Singapore's Cyber Security Agency (CSA), said having greater connectivity and e-government services had yielded significant benefits over the past few decades.
"We don't want to move backwards, but at the same time, we want security," Koh said, in response to questions about how the government would resolve vulnerabilities in the public sector infrastructure. He pointed to the need to balance usability, cost, and security, noting that the criticality of a piece of information would determine how this equation should be managed when dealing with e-government systems.
Operational in April last year, CSA has centralised oversight of Singapore's cybersecurity operations and functions, and takes charge of future developments in this area. The agency comes under the purview of the Prime Minister's Office.
Asked for his comments on the latest move, Koh told ZDNet this was not a step backwards since government employees would still have internet connectivity. He said CSA was working with IDA to allow government agencies and employees to continue carrying out their respective functions "securely and effectively".
"This new policy of internet surfing separation does not prevent government employees from accessing the internet. Rather, they will access the internet in a different manner such as by using a different laptop or mobile device," he said.
This "separation" would prevent attackers from tapping the internet to plant malware, access government computers, and exfiltrate information from government systems, he explained. Koh further noted that actions prohibited under this new initiative encompassed those that cyberattackers would want government employees to carry out, such as clicking on a link contained in a spear-phishing e-mail.
"Singapore government networks and systems are connected to the internet and, therefore, are potentially vulnerable to cyberattacks," he said. "The government has the responsibility of protecting important data including that of its citizens, thus, we need to keep our systems secured."
Asked if CSA would recommend local businesses adopted a similar strategy, Koh said it would depend on the organisation's risk assessment where web browsing was concerned. He noted that banks, too, had this policy in place for some of their business functions to prevent their critical internal systems from being compromised.
"CSA has been advocating the concept of security-by-design for every smart nation project, thus, efficiency, effectiveness, and security are already part of the design in the cyber environment of the future," he said.
Has Singapore government given up on security?
Well-intended or not, IDA's decision to do so will inevitably be seen as a significant step backwards for a country that, up until now, has been widely deemed a global leader in the adoption of new technologies and its provision of e-government services. Singapore also regularly ranks among the most connected countries in the world, with residents able to access broadband speeds of up to 10Gbps.
All these, it seems, will soon mean zilch to government employees who will have to run to a terminal each time they need to do additional research online for work. If they rather get their daily workout at the gym, they should then seriously consider a mobile plan that gives them unlimited data allowance since their personal devices will be heavily utilised as a work support tool.
Bad news is, they probably will have to pay for this out of their own pocket. On the bright side, with no access to their work e-mail outside of the office, they can embrace a better work-life balance.
This cutting of the cord, though, begs the question: has the Singapore government given up? Is this its way of raising the white flag and admitting defeat? Surely, pulling the plug and switching off the internet isn't the only workable solution to its cybersecurity problems?
Because, with this announcement, it certainly seems like it has exhausted all possible options and concluded the only way to be adequately secured is to cut the cord. It has basically personified the standing industry joke that, the only way to be truly safe in this interconnected world, is to pull the plug. It was a joke!
Far fetched as it may sound, however, some proponents in the global industry actually have mooted the idea of an "internet kill switch", creating a single point of control to shut down the internet and safeguard against cyber assailants. Critics say this violates freedom of expression and human rights law.
Freedom fighter it may be, the US government itself has developed an internet kill switch--though, little is known about the exact technical protocols. The US Supreme Court in January dismissed a petition from the Electronic Privacy Information Center to compel the US Department of Homeland Security to reveal details about the kill switch, which reportedly could shut down mobile phones and internet access when activated.
In comparison, the Singapore government appears to have adopted a much milder form of the kill switch for its own employees. Perhaps, over time, it may prove wrong the people who now scoff its seemingly desperate attempt at securing its network and emerge to have built the best model for a secured work environment. Perhaps, over the next year, it will be able to introduce the right mechanisms to ensure its employees are sufficiently supported despite their lack of direct internet access.
Meanwhile, however, it will need to address questions about the impact this initiative will have on its e-government and smart nation programmes. Details as its one-year transition progresses also should be made publicly available and updates provided on a regularly basis.
This will help assure, in particular, foreign organisations operating and investing in Singapore that the local government has made a calculated move with its decision, rather than one that is currently perceived to be horrendously backward and ill-conceived.
George Chang, Fortinet's Asia-Pacific vice president, said in an e-mail interview: "There are many technology solutions that can provide secure web internet access, ranging from next-generation firewalls, web gateways, data leak prevention, enterprise endpoints, and desktop virtualisation.
"The government shouldn't be giving up on the fight against cyber threats," Chang said, adding that the government should look at redesigning the network to support different security levels as well as have proper identity and access management and clear security policies.
Allan Robertson, Asia-Pacific senior vice president at Intralinks, also noted: "Cyber threats are real. However, limiting internet access on employee workstations will only address parts of the cybersecurity issues that many organisations face today."
Like his industry counterparts, Robertson advocated the need for information rights management to secure access across the data lifecycle.
"If government agencies cut off internet connectivity, they risk sacrificing necessary enterprise collaboration through social and online services for work and research purposes," he said. "Ultimately, limiting internet access to the workplace is not the cure-all to end cyber threats today."
The Singapore government has been preaching the need for a "security-by-design" mindset and building up local capabilities in cybersecurity. Minister for Communications and Information Yaacob Ibrahim, who also is the country's Minister-in-Charge of Cybersecurity, had said: "Security-by-design is about assessing threats and risks, building, and configuring our systems with security in mind from the start, checking for intrusions after implementation, disposing the assets securely at the end of their life span, and educating the end-users to be 'cybersmart'.
"If we do this right, we will avoid piecemeal implementation and the need for costly and often ineffective 'retrofitting' later on," Yaacob said.
The question then is, Mr Minister, why bother doing all of this when the government seemingly has decided that the best way to solve the problem is to unplug from the internet?