SINGAPORE (July 30): Kim Huat, the erudite if somewhat earthy alter ego of blogger Lee Kin Mun, hit the nail on the head in his YouTube post on July 20. “See lah, like that how to ‘Smart Nation’? What if we all Smart Nation [and] upload everything onto a central database [and then get] hacked?” He was referring to the national push towards a digitally connected living environment and, more specifically, to the National Electronic Health Record that will require all healthcare service providers to contribute patients’ medical records to a central repository.

Lee’s video comes right after the government announced a major cyberattack on SingHealth’s databases. The personal particulars of 1.5 million people stored in the healthcare cluster’s database were stolen. The data included names, National Registration Identity Card numbers, addresses and birth dates, as well as the medication dispensed to 160,000 patients. Ominously, it was revealed that Prime Minister Lee Hsien Loong’s data was specifically targeted.

The Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) say the breach was deliberate, targeted and well planned. Experts believe it could very well have been a state-sponsored attack. “It was not the work of casual hackers or criminal gangs,” the government agencies said in a joint statement.

Main image, from left: CSA CEO David Koh, MCI Permanent Secretary Gabriel Lim, Minister for Communications and Information S Iswaran, Health Minister Gan Kim Yong, Ministry of Health Permanent Secretary Gan Heng Kee and SingHealth CEO Ivy Ng at a press conference on the SingHealth cyberattack. Photo: AFP/STRAITS TIMES/MARK CHONG

Worryingly, the breach occurred over the span of a week — from June 27 to July 4 — but was only reported to CSA on July 10 and to the police on July 12. The public was only informed on July 20. There also seem to be contradicting messages from the various government agencies. For one, David Koh, CSA’s chief executive, said in a statement that there was “no strong commercial value to these types of data”, in reference to the healthcare information that was accessed.

Yet, the Monetary Authority of Singapore (MAS) has since ordered all financial institutions to tighten the customer verification process, “to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions”. In addition, financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information, the central bank said in a July 24 statement.

Healthcare data is actually very valuable. “Healthcare records can yield four times more money than financial data in underground markets,” says Tom Kellermann, chief cybersecurity officer at Carbon Black, a Massachusetts-based software firm. The company notes that the financial industry, healthcare organisations and governments are the top three most-often attacked sectors, and that hackers target so-called end points, or the laptops, desktops and servers housing sensitive information. “As this breach in Singapore suggests, end-point protection at healthcare organisations appears to be severely lacking,” Kellermann notes.

Paul Ducklin, of cybersecurity firm Sophos, says: “The data stolen in this breach is an identity thief’s goldmine. It’s a startling reminder to all Singaporeans that there is no such thing as ‘cyber attackers would never care about little old me’. Once your data is scooped up in a cybersecurity blunder of this sort, you simply cannot control where it will go next. Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cyber crooks.”

Could the attack have been prevented? What does the breach say about the overall strength of our public sector cyber defences, especially as individuals’ digital footprints — active and passive — grow? Shouldn’t government organisations holding the people’s data be held to higher standards than private entities?

Critical infrastructure

The SingHealth data breach, considered the worst cyberattack Singapore has seen, was not the first hack into government organisations here. In February last year, the Ministry of Defence reported an attack on its internet access system that resulted in the theft of the personal data of 850 personnel. Mindef had said at the time that the objective of the “targeted and carefully planned” breach could have been to steal official secrets. That did not happen because classified military information was stored on a separate, more secure system that was not connected to the internet. Deputy Prime Minister Teo Chee Hean pointed to the thousands of SingHealth internet-connected computers as the hackers’ way in this time around. “We could and should have implemented internet surfing separation on public healthcare systems, just as we have done on our public sector systems,” said Teo at the Public Service Engineering Conference on July 24.

“We are studying whether this could have been detected and reported more quickly, preventing such a large data loss,” Teo added. “This case reinforces the importance of reporting any intrusion promptly to CSA.”

In March, the Cybersecurity Act came into being. The law, yet to come into force, requires owners of Critical Information Infrastructure, which includes healthcare, to “establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the critical information infrastructure”. However, it does not state the time period within which CSA must be notified of any breach. The Personal Data Protection Act also does not apply to any public agency, leaving the public with no legal recourse if a government agency leaks their data.

Where the SingHealth breach is concerned, CSA has since implemented measures across the public healthcare sector, such as internet separation on all work computers, and additional monitoring of controls and systems, according to Ng Hoo Ming, CSA’s deputy chief executive.

“We must not allow this incident or any like this to derail our plans for a Smart Nation,” said Ng in a speech at a cybersecurity conference on July 25.

Security in a digital, connected world

Singapore’s policymakers have envisioned a high-tech city for our future. Daily life would be powered, and improved, by artificial intelligence and sensors collecting and analysing endless reams of data. That also means the inevitable, and far wider, exposure to hacks. “Digital transformation and digital risk are both sides of the same coin,” says computer and network security firm RSA’s senior vice-president Grant Geyer.

“Perhaps the most important thing to do is accept the inevitability of an attack. If your organisation has any data that can be monetised, you are a target. Technology alone will not solve the problem,” says Carbon Black’s Kellermann. Cybersecurity has to be seen as a form of risk management rather than risk elimination, says Neil Campbell, director of security at Telstra’s global enterprise and services unit. And a big part of that is educating people about cybersecurity.

Experts have observed that Singapore has topped a recent technological readiness ranking, with substantial and sustained public investment in technology. Yet, people are woefully unprepared for cyberattacks.

“It comes down to three things: people, process and technology. And people are the least predictable part of cybersecurity,” Campbell says. “You have to do your best to educate them and encourage them to support safe security practices. But you also have to accept that a percentage of them will utterly fail,” he adds. Unfortunately, there is no guaranteed security against intrusions. What is important is an organisation’s response to an attack, says Steve Ledzian, technical director for Asia at cybersecurity firm FireEye. “Prevention failures will happen, and organisations should be measuring how quickly they are noticing when these prevention failures happen, and measure how quickly they can respond to them. Is the organisation’s response time trending downwards or upwards over time? Do they even attempt to measure these metrics?” he notes. Such metrics could be even more salient when it comes to information stored in public databases, as data collected and stored is often done on a compulsory basis. “When it comes to the government, you don’t have that choice; you must provide the information, which is highly personal information, for instance, healthcare records,” says Campbell.

“It is therefore incumbent on government organisations to go the extra mile for cybersecurity. Your obligation to [the public] is to make sure you provided the right level of preventative, detective and response controls,” he adds. Despite the lag, the government seems to have done much better in responding to the attack than the global average, says FireEye’s Ledzian. “The attack was detected, responded to and reported in significantly less time than the 498-day average.” That certainly compares well against the data breach at the Securities Investors Association (Singapore), which informed its members in a July 25 email that its database was hacked back in 2013, and the data of 70,000 members were stolen.

“The [SingHealth] attack was publicly disclosed, which raises awareness of what would otherwise be an invisible threat across other organisations and gives them an opportunity to improve their own defences,” Ledzian adds.

Breach, but not loss

For now, a Committee of Inquiry has been convened to establish the events and factors leading to the breach, and to recommend improvements to network protection and incident response. Meanwhile, CSA has been directed to work closely with all the 11 sectors that make up the critical information infrastructure, to enhance cybersecurity.

Consequences for commercial entities have been notably harsher. For instance, after a major breach was discovered at US credit monitoring firm Equifax in September last year, three top officials — the CEO, chief information officer and chief security officer — left or were replaced. The company’s stock, traded in New York, lost 13% in value the day after the announcement. Equifax later avoided fines by eight different regulators by agreeing to perform detailed assessments of cyber threats, increase board oversight of cybersecurity and improve processes for addressing known security vulnerabilities.

Whatever the case, the Singapore government is likely to push ahead with the Smart Nation initiative, even as more doubts surface in the light of the breach. RSA’s Geyer notes that there were similar questions after the first car accident, but cars still ply our roads. “What’s the alternative today? Do we go back to pen and paper? No, the advantages to be gained by society are so vast that this is the right approach fundamentally,” says Geyer.

However, as the risks, and impact, of cyberattacks are only growing, there needs to be more effort to shore up defences. “The impact of a cyberattack transcends technological impact, and today regularly results in business impact and geopolitical impact,” says FireEye’s Ledzian.

“Breaches are inevitable,” says Carbon Black’s Kellermann. “Losing sensitive information doesn’t have to be.”

This story first appeared in The Edge Singapore (Issue 841, week of July 30).