SINGAPORE (Oct 8): Singapore has been investing heavily in cybersecurity amid its Smart Nation drive. But as details of the events leading to the cyberattack on Singapore Health Services’ patient database system in June emerge, so too do signs of a worrying trend: Has a culture of complacency seeped into the people and organisations tasked with defending the nation against cyber threats? And will these human-related weaknesses prove to be the chink in the armour that will lead to the collapse of “Fortress Singapore” — a term coined to describe the nation’s favourable position as a data centre hub due to its physical security and political stability?
“Technology is only one-third of the solution to cybersecurity,” says Justin Hammond, regional director for Asia-Pacific at Synopsys. “The others are processes and people.”
“Your overall cybersecurity defence will be only as good as your weakest point, so having the latest technology and comprehensive processes will not be effective if the human aspect of cybersecurity is lacking,” he adds.
The first tranche of public hearings convened by the Committee of Inquiry (COI) into the SingHealth cyberattack was held over two weeks from Sept 21 to Oct 5, with subsequent tranches expected. Already, the revelations have been nothing short of stunning.
According to Solicitor-General Kwek Mean Luck, a series of staff missteps and gaps in SingHealth’s mission-critical IT systems had contributed to the worst data breach in Singapore’s history. It involved the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong.
“[The SingHealth cyberattack] was a harsh reminder that cyberspace is not a benign environment, and we have to do much better in keeping our IT systems and data safe and secure,” Lee says at the inaugural Stack 2018 Developer Conference organised by the Government Technology Agency of Singapore (GovTech) on Oct 2.
To Lee, the incident revealed internal weaknesses and lapses in Singapore’s IT systems and organisations. “We have to improve and put these right. We have to train up our people, institute robust processes, inculcate the right mindsets and enforce accountability,” he says.
Indeed, the COI revealed that Integrated Health Information Systems (IHiS), the IT arm of the Ministry of Health that managed SingHealth’s database, had been made aware of a possible vulnerability in the system as far back as four years ago.
Initial remark ignored
Former IHiS employee Zhao Hainan had in 2014 mentioned to his project manager, Angela Chen, security concerns he had regarding the system design of SingHealth’s Sunrise Clinical Manager (SCM) software. However, Chen was either out of office or on leave over the next few days, and did not follow up on the issue.
Zhao then contacted a rival vendor over the loophole in the system. When then-CEO Chong Yoke Sin was alerted to Zhao’s email containing the alleged vulnerability, she quickly dismissed him for the “ethical breach”. However, the former CEO did not conduct any formal investigation into the possible vulnerability in the system. Essentially, the flaw in the system was never fixed.
“The human factor will always be an aspect of security breaches. The extent of the human factor is dependent on the organisation and the systems and processes they have in place,” says Gary Gardiner, head of security engineering for Check Point Software Technologies in Asia-Pacific, Middle East and Africa.
The COI also heard that an old server had not had security software updates for 14 months. This became one of the pathways used by hackers to reach SingHealth’s critical systems where the data breach occurred.
Citing findings from the Cyber Security Agency of Singapore (CSA), the Solicitor-General revealed that the cyberattacker had managed to gain an initial presence in SingHealth’s network as early as August 2017 by “infecting workstations”.
Between December 2017 and May 2018, the attacker then moved sideways in the network, making use of malware planted in one of the initially infected workstations to gain remote access to and control of the workstation, before using that computer to distribute malware to infect other computers.
“Patch management is a challenge for most organisations, and it is a balance of technology and process to be successful,” Gardiner says. “In this attack, the threat actor used an unpatched system to gain access. To prevent such attacks, the simple solution would be to monitor the patch levels of the systems and have a patch management strategy to ensure the system is up to date.”
The way Tom Kellermann, chief cybersecurity officer at Carbon Black, sees it, the incident was very much preventable.
“SingHealth must make cybersecurity a priority and the security officer must be given greater authority and budget to mitigate future cyber intrusions with technology designed to prevent, detect and respond to attacks,” he says.
Human-related mistakes greater than technology-related ones
In light of the revelations from the COI into the SingHealth cyberattack, there seem to be more human-related errors than actual IT-related weaknesses. For one, Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, believes that IHiS’ cybersecurity practices could be “above average”.
“They were able to detect the intrusion within a few days and take decisive action to contain the attack. This is unusual and a sign that they are reasonably well prepared for this type of attack,” Wisniewski says.
But beyond IHiS and SingHealth, Singapore will need to avoid a mindset of complacency when it comes to cybersecurity. When news of the SingHealth cyber breach first broke, fingers were quickly pointed outwardly at state-sponsored actors. After all, Singapore has invested significantly in cybersecurity, and any breach would have to be well-coordinated and backed by significant resources.
The underlying assumption, however, was that our cybersecurity system was formidable, and that any breach would in no way have been due to our own weaknesses — but the COI has proven otherwise.
Curiously, CSA CEO David Koh was quick to allay fears that the SingHealth breach could cause some serious damage. In the wake of the cyberattack, Koh referred to the data accessed as “only basic demographic data” with “no strong commercial value”. Ironically, the CSA was created in 2015 to strengthen Singapore’s cybersecurity posture in support of the country’s Smart Nation push.
But the threat is very real. The types of information stolen — such as name, NRIC number, address, gender, race and date of birth — are commonly used, for example, for customer verification in accessing online financial services.
The Monetary Authority of Singapore (MAS) on July 24 ordered banks and other financial institutions to tighten their customer verification processes. MAS directed all financial institutions not to rely solely on the types of information stolen for customer verification in accessing online financial services.
Instead, MAS said additional information must be used for verification before undertaking transactions for the customer. This may include the use of one-time passwords, personal identification numbers, biometrics and last transaction date or amount.
According to MAS, these measures are to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions.
“Human beings are certainly the biggest weakness in securing complex systems,” says Sophos’ Wisniewski. “We can’t study why humans are tricked and then provide a patch. We have to build resilience into our systems that accept and recover from human failures.”
And for Singapore to remain a cybersecurity fortress resilient to cyberattacks, we might certainly need to patch the complacency.
This story appears in The Edge Singapore (Issue 851, week of Oct 8) which is on sale now.