CFA Society Singapore
SINGAPORE (Dec 31): In December, news emerged that social media giant Facebook had been playing fast and loose with its users’ data. Internal documents and emails published by the UK government show that the company considered employing the data for strategic and commercial purposes. Advertisers and partners would be sold access to the valuable information, while rivals would be kept out.
The revelations come amid hearings in the UK Parliament on the controversies that the company has been mired in — including allowing its platform to be misused to incite violence and interfere in elections. To be sure, there is nothing wrong with a company looking to monetise its biggest asset, which, in the case of Facebook, is the trove of data from its 2.27 billion users around the world. But, the company has consistently asserted that it does not sell data to advertisers or anyone, as founder Mark Zuckerberg told members of the US Congress.
Yet, the privacy lapses at Facebook are only one of the risks faced by just about everyone who has an internet connection. In fact, in September, Facebook disclosed that 50 million user accounts were compromised in an attack that gave hackers the ability to take control of the accounts. More recently, the hack into the computer systems of the Marriott International hotel group exposed the private data of half a billion people around the world.
Indeed cyberattacks, believed to have been state-sponsored or otherwise, have been in the news for much of 2018. Both major public and private organisations have seen breaches of their systems and databases. While there appears to be a ramping-up of attacks, Barry Greene, principal architect at content delivery network Akamai Technologies, says hacks have been going on for years; people have simply been blissfully unaware.
“The problem has always been there, just that the reporting isn’t out. What’s happened is that different countries have adopted new regulations for reporting,” Greene explains. “For instance, you’ll see more reports of breaches [in Singapore] than [in other countries] in the region because [they have] adopted rules from the Sarbanes-Oxley [Act], which requires certain levels of reporting for listed companies in the US,” he says.
Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, address or credit card number — stolen or exposed. What more can be expected in 2019?
Complacency, organisational inertia the new virus
In Singapore, the largest breach the country has seen occurred in July, when the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was stolen from the SingHealth database.
As the nation reeled from the discovery, questions were asked about the timeline of the incident, specifically why it took the Ministry of Health so long to publicly disclose the breach. The breach took place on June 27 and was discovered on July 4. But the public was only informed on July 20. Furthermore, statements made by the head of the Cyber Security Agency of Singapore, David Koh — that the information stolen, including names, dates of birth, National Registration Identity Card numbers, was only “basic demographic data” — were even more puzzling. On July 24, the Monetary Authority of Singapore issued an advisory to banks, asking them to tighten their customer verification process in the light of the breach.
More details of the breach have emerged as the government convened a Committee of Inquiry (COI) to look into the event. Significantly, the main cause of the lengthy lapse between the breach and the alert to the Cyber Security Agency (CSA) of Singapore was the reluctance of Integrated Health Information Systems senior manager Ernest Tan to report the suspicious network activity to his superiors. IHiS manages and integrates Singapore’s healthcare IT systems.
During a hearing on Oct 31, Tan said he felt there would be “no day, no night” for him and his colleagues once the matter was reported, meaning they would likely be working around the clock to provide information and updates to their superiors.
The COI also heard there was doubt over the ownership of the healthcare database, which meant the management of it was unclear. Also, the database had not been tested for vulnerabilities despite it being considered part of critical information infrastructure. And, there was no formal protocol for IHiS staff to follow in the event of a cyberattack.
“The culture in the region is not to report bad news unless [you] have to. Now, what you are seeing is the impact of laws and regulations as they roll into the region,” Akamai’s Greene says. “My personal experience is that I see tons of nasty stuff in the region; it just hasn’t been talked about.”
Whatever the case, cybersecurity has come to the fore in Singapore, and efforts to secure critical infrastructure have been stepped up. The Cybersecurity Act, legislated in March, identifies critical information infrastructure in sectors such as security and emergency services, and the government. Under the Act, the Commissioner of Cybersecurity has the power to issue directions to owners of critical information infrastructure to ensure its cybersecurity; establish a framework for companies to share cybersecurity information; and authorise the CSA to prevent and respond to threats and attacks.
Meanwhile, the public sector has implemented measures such as internet separation at workstations, although this approach has flaws, too. For one, experts note that this could result in higher security risks, as devices’ firmware has to be manually updated, rather than automatically done by the manufacturer or developer over the internet.
The Monetary Authority of Singapore recently launched a $30 million Cybersecurity Capabilities grant to help strengthen the cyber resilience of the financial sector, as well as develop cybersecurity talent. The grant will co-fund up to 50% of qualifying expenses, capped at $3 million.
Connected to lives
These efforts become even more important in the light of Singapore’s Smart Nation ambitions, which includes the nationwide collection and analysis of people’s data, using sensors and the Internet of Things (IoT), in a bid to make citizens’ lives easier. As the volume of data traffic grows, there are more opportunities for attackers to get into the system.
The IoT was responsible for one of the largest attacks in the history of the internet. The Mirai Botnet attack in October 2016 against Dyn, a company offering domain name system services, took down major sites. The attack leveraged consumer IoT devices to amass computing power to carry out such an attack. Significantly, when attackers are not confined by geography in their attacks, getting help from the jurisdictional authorities in other countries could prove a challenge.
“Your threat vector is going to continue to increase. [For example,] can Singapore prosecute someone in Brazil and have them extradited to Singapore? Someday, we will have things like that happening, and in the meantime we have to prepare for that risk environment,” says Akamai’s Greene.
“There are always going to be bad actors and threats. As long as you have a heterogeneous network, you will always have a vulnerability,” says Jonathan Ballon, vice-president of the Internet of Things Group at Intel Corp.
The challenge of securing every connected device is getting harder as people expect things faster with a rich user experience, says Jonathan Nguyen-Duy, vice-president, strategic programmes at cybersecurity firm Fortinet.
“If you’re not achieving your mission as a public sector agency, [security] doesn’t matter. But the connected citizen expects to have the same customer experience with the government as they do with Singapore Airlines, or Amazon.com, which means you have to wow [them]. You have to let [them] consume services any way they want, any device they want and at any time they want, and you have to make it more personalised, customisable and really secure, and ensure privacy at no cost to them,” says Nguyen-Duy. “The challenge for the good guys is ‘how do I do all that with the same amount of budget and people [and] with a heavier level of complexity?’”
Clearly, what is needed is for organisations to identify the basics of securing data and systems, particularly today, when more devices, from televisions to washing machines, are being connected to the internet.
“Acceleration means things could get really good, [with] better revenue, more efficiency, better life expectancy, if we get cybersecurity right. But because things are so interconnected now, if we get it wrong, really bad things will happen,” says Nguyen-Duy.
“In the past, you maybe have a disruption of your business process, but now, with a connected car, and if [the connection is] not secure, would you want to be travelling [in it] at 140kph? Or, do you really want to be in an operating theatre [with] your HVAC [heating, ventilating and air-conditioning] system, insulin pump, all these IP-enabled [internet protocol-enabled] things connected to our lives, [which are] even more critical?” he adds. “We have to get better at detecting a data breach.”
And managing the fallout.
This story appears in The Edge Singapore (Issue 863, week of Dec 31) which is on sale now. Subscribe here