Tuesday, January 3, 2017

Serious Cyber Security in Singapore

Via Tyler Cowern, interesting news about the one of the most forward-thinking and tech-savvy governments on the planet:
All computers used officially by public servants in Singapore will be cut off from the Internet from May next year [2017], in an unprecedented move to tighten security.

A memo is going out to all government agencies, ministries and statutory boards here about the Internet blockade a year from now, The Straits Times has learnt.

There are some 100,000 computers in use by the public service and all of them will be affected.

“The Singapore Government regularly reviews our IT measures to make our network more secure,” a spokesman for the Infocomm Development Authority (IDA) said when contacted.

The move is aimed at plugging potential leaks from work e-mail and shared documents amid heightened security threats.

Trials started with some employees within the IDA – the lead agency for this exercise – as early as April. Web surfing can be done only on the employees’ personal tablets or mobile phones as these devices do not have access to government e-mail systems. Dedicated Internet terminals have been issued to those who need them for work.
This is the new reality: everything sent via email can be read by hackers, and any document kept on a computer connected to the internet is vulnerable to spies.

Donald Trump just suggested that his White House might rely on memos written by hand and delivered by a team of couriers. I'm not sure that will happen, but it seems to be the future; can even messages sent via secure intranet be considered secure in a world of wikileaks etc.?

In a related note, I recently read that hackers can easily install ransomware on your fancy new television or other internet-connected device, which can cost hundreds of dollars to remove. Perhaps it was a bad idea to connect everything to the internet before we figured out how to make all those devices reasonably secure.

3 comments:

G. Verloren said...

The problem historically hasn't been a lack of people pushing for better security practices. That's been a constant refrain from experts in the field for as long as I can remember. The trouble has been ignorance on the part of the masses, and more importantly on the part of our politicians and policymakers.

You can have the smartest people in the world constantly try to explain the vital importance of something to our decision makers, but if they're either too blockheaded or too recalcitrant to understand, nothing will ever come of it.

Really, this is mostly a civilian issue. The military's security is top notch, because it's such a huge part of everything they do. But our civilian government has never really had much reason to operate more securely, and so they haven't bothered to think about it or learn how to do it properly. Heck, I mean... most of our legislators are barely computer literate as it is, for pretty much the exact same reason.

leif said...

i rarely if ever disagree with you, G., but on this i have to assert that IoT insecurity is primarily due to manufacturers' lack of proper motivation to develop secure devices. the masses are largely unwittingly complicit, and i can't imagine our policymakers (those who just pushed to eliminate ethical oversight) choosing to limit business... heaven forbid we do anything of the sort.

indeed it's primarily a civilian issue if you're meaning who owns the majority of insecure devices, and who was either foolish enough to buy them, or powerless enough to do anything to secure them. it's *everyone's* issue when a DDoS takes out DNS servers.

G. Verloren said...

Well of course manufacturers lacked motivation to develop secure devices.

They're in the business of making as large a profit as possible, not in the business of serving the public need or protecting consumers. Heck, capitalist greed compels them whenever possible to exploit the consumer in the name of greater profits. Why spend time, effort, resources, and money on making your devices more secure (or even just more able to -be- secured) when your customers are too ignorant to know the difference anyway? Just keep selling them insecure devices and pocketing the difference, until such a time as it becomes a big enough problem that they wisen up to the issue and create sufficient demand for more secure devices - and then you can exploit that demand and sell such secure devices at a premium. It's a cynically and predatorily brilliant strategy for exploiting people.

Of course, in a sense, the reason manufacturers are motivated to act this way is because the public and the government don't care enough to stop them. We actually often promote this sort of behavior on a cultural and legal level. So very many people are reflexively set against regulations, against "government interference", against creating a system that doesn't allow people to prey upon and exploit each other in the name of naked greed. And of course, since this situation benefits the sharks, they do everything in their power to preserve the status quo by influencing public opinion and manipulating our government representatives.

The military doesn't have to deal with any of this. They aren't selling a product - they're performing a service. They largely don't care about public opinion or what our lawmakers think. As long as they continue to perform their duties, they're given huge amounts of money and leeway with which to accomplish those duties. They run their own servers, maintain their own communications, and congress cuts them a check to cover the expenses even when they don't fully understand what it is they're paying for. The military invests in secure communications as a matter of course because they understand the value of it, even if lawmakers and the public don't.