SINGAPORE – Singapore is working on how to cut off web access for public servants as a defense against potential cyberattacks — a move closely watched by critics who say it marks a retreat for a technologically advanced city-state that has trademarked the term “smart nation.”
Some security experts say the policy, due to be in place by May, risks damaging productivity among civil servants and those working at more than four dozen statutory boards and cutting them off from the people they serve. It may only raise slightly the defensive walls against cyberattack, they say.
Ben Desjardins, director of security solutions at the network security firm Radware, called it “one of the more extreme measures I can recall by a large public organization to combat cybersecurity risks.”
Stephen Dane, a Hong Kong-based managing director at the networking company Cisco Systems, said it is “a most unusual situation.”
Ramki Thurimella, chairman of the computer science department at the University of Denver, called it both “unprecedented” and “a little excessive.”
But not everyone takes that view. Other cybersecurity experts agree with Singapore authorities that with the kind of threats governments face today, it has little choice but to restrict internet access.
The cybersecurity company FireEye found that organizations in Southeast Asia are 80 percent more likely than the global average to be hit by an advanced cyberattack, with those close to tensions over the South China Sea — where China and others have overlapping claims — particularly targeted.
Bryce Boland, FireEye’s chief technology officer for Asia Pacific, said Singapore’s approach needs to be seen in this light. “My view is not that they’re blocking internet access for government employees, it’s that they are blocking government computer access from internet-based cybercrime and espionage.”
Singapore officials say no particular attack triggered the decision, but noted a breach of one ministry last year. David Koh, chief executive of the newly formed Cyber Security Agency, said officials realized there is too much data to secure and the threat “is too real.”
Singapore needs to restrict its perimeter, but, said Koh, “there is no way to secure this because the attack surface is like a building with a zillion windows, doors, fire escapes.”
Koh said he is simply widening a practice of ministries and agencies in sensitive fields, where computers are already disconnected, or air-gapped, from the internet.
Public servants will still be able to surf the web, but only on separate personal or agency-issued devices.
Air-gapping is common in security-related fields, both in government and business, but not for normal government functions. Also, it doesn’t guarantee success.
Anthony James, chief marketing officer at the cybersecurity company TrapX Security, recalled one case in which an attacker was able to steal data from a law enforcement client after an employee connected his laptop to two supposedly separated networks. “Human decisions and related policy gaps are the No. 1 cause of failure for this strategy,” he said.
Just making it work is the first headache.
The Infocomm Development Authority (IDA) said in an email that it has worked with agencies on managing the changes “to ensure a smooth transition” and is “exploring innovative work solutions to ensure work processes remain efficient.”
Johnny Wong, group director at the Housing Development Board’s research arm, called the move “inconvenient” but added, “It’s something we just have to adapt to as part of our work.”
At the Land Transport Authority, a group director, Lew Yii Der, said, “Lots of committees are being formed across the public sector and within agencies like mine to look at how we can work around the segregation and ensure front-facing services remain the same.”
Then there is the problem of convincing rank-and-file public servants that it is worth doing — and not circumventing.
One 23-year-old manager, who gave only her family name, Ng, said blocking web access would only harm productivity and may not stop attacks. “Information may leak through other means, so blocking the internet may not stop the inevitable from happening,” she said.
It is not just the critics who are watching closely.
Local media cited one Singapore minister as saying other governments, which he did not name, have expressed interest in its approach.
Whether they will adopt the practice permanently is less clear, says William Saito, a special cybersecurity adviser to the Japanese government. “There’s a trend in private business and some government agencies” in Asia to go along similar lines, he said, noting that some Japanese companies cut internet access in the past year, usually after a breach.
“They cut themselves off because they thought it was a good idea,” he said, “but then they realized they were pretty dependent on this internet thing.”
Some cybersecurity experts said Singapore may end up regretting its decision.
“I’m fairly certain they would regret it and wind up far behind other nations in development,” said Arian Evans, vice president of product strategy at RiskIQ, a cybersecurity startup based in San Francisco.
The decision is “surprising for a country like Singapore that has always been a leader in innovation, technology and business,” he said.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.