Last week, the world heard that the Singapore Government plans to restrict Internet access for all public servants from May next year.
On the one hand, critics have argued that the policy will set Singapore back and that it contradicts our Smart Nation aspirations. On the other hand, cyber security experts have supported the plan to keep secure systems and e-mail segmented away from the Internet. Similar segmentation is already practised in sensitive parts of both private and public sectors such as banking and the military. As businesses, the general public and even other countries are watching this controversial step closely, it is important for us, as a nation and society, to send the right messages about cyber security and Internet access.
We need to make clear that segmenting Internet access is one of several ways to be secure. Segmentation reduces the risk of spear phishing, where employees mistakenly click on links in fake e-mails that lead to dangerous websites. It also reduces the risk of ransomware, where malicious software locks up all the computers of an organisation. It is a sensible solution since reports indicate that Singapore is a prime target for both of these cyber attacks. However, the many organisations, businesses and individuals that cannot afford to disconnect themselves from the Internet need alternatives to reduce their risks, such as identity management systems and next-generation firewalls.
We still need to prepare the nation to respond to cyber security breaches. Segmenting a network does not guarantee that it will never be hacked. For example, Iran’s Natanz nuclear plant was not connected to the Internet, but it was nonetheless attacked by the Stuxnet virus and forced to close down.
Hackers are also increasing their use of cyber-attack methods that do not require Internet access, such as insider attacks and social engineering, which uses psychology to deceive others into granting access. Some day, a serious breach could take place and systems could be disrupted, or substantial personal data or money could be stolen.
Singapore will be resilient enough to withstand this if it has already set up backup systems, services to help victims, laws to protect the rights of victims and well-crafted emergency plans, and conducts regular drills much like the fire drills widely practised today.
In the meantime, there is a need to encourage organisations in both public and private sectors to work with their employees to find or develop secure Internet tools for work. Some government ministries may be able to draw a line between “work” on secure systems and “surfing the Net” on less secure computers. But in many other organisations today, employees carry out their “work” by “surfing the Net”, including research, procurement of goods and services, monitoring markets and competitors, and communicating with customers.
Employees may also use webmail to access e-mail from outside the office and cloud services to transfer large documents because they are more efficient. Some public servants will use dual computers because they need to access both the secure government network and the Internet. Others might need to use personal devices to read work documents that come through the Internet, or use cloud services like Dropbox or Google Drive to receive large documents. All of them need to be given secure yet efficient methods of transferring information and documents from external sources into the secure network in order to carry out their daily work productively while protecting the system from infection.
This message that Internet separation is but one of several ways to be secure is especially important for the digital native generation, who have grown up using the Internet and find it natural to use Internet tools and resources to work productively. Organisations in the public and private sectors which want to attract the best and brightest young talents from this generation, and to benefit from their fresh ideas, cannot afford to send the message that the Internet is unwelcome in their workplace.
On a broader scale, government and businesses need to assure the public that the Internet is safe enough for transactions like government e-services, banking and e-commerce, provided they observe secure behaviour. While cyber threats are increasing, so are security measures such as two-factor authentication. The challenge is to teach everyone, from the Pioneer Generation to the very young, how to use online services securely. As Singapore progresses with the Smart Nation and fintech initiatives, and more public and private services are provided online, we should not have any segment of the population that avoids using them because of fear, uncertainty and doubt.
Finally, as consumers, we need to demand that makers and providers of smart services and devices build in more security. Many Internet of Things devices like pacemakers, fitness trackers, smart locks, security cameras and even our cars can be attacked through the Internet, and we need them to be more secure as we embark on the Smart Nation initiative.
At this time when misconceptions still abound about the safety of using the Internet, it is vital to spread the correct messages on cyber security to ensure that our public sector, businesses and the general public are able to securely and productively benefit from the technological advances of our Smart Nation.
The writer is senior fellow at the Centre of Excellence for National Security, S. Rajaratnam School of International Studies, NTU, and education chair at the Internet Society Singapore Chapter.