SingHealth breach a wake-up call for Smart Nation Singapore

By Amit Roy Choudhury

Better cyber defence requires robust and agile policies, argues Amit Roy Choudhury.

A few weeks have passed since Singapore’s massive data breach, which resulted in the theft of health-related records of around 1.5 million people, including Prime Minister Lee Hsien Loong. Despite the shock, the government has come in for some praise for the speed and efficiency with which it has reacted to the breach. A Committee of Inquiry (COI) is looking into all aspects and will begin its hearings later this month.


While that takes care of the immediate reaction to this unprecedented cyberattack, there’s a need to take a step back and look at the implications and how it should shape policy - not just for government but for businesses too. A combination of nimble yet robust changes, along with good cyber defence, is required in an uncertain future.


The criminal intent of the SingHealth breach is clear. Data is the new oil of the global digital economy and hence there is always a black market for valuable data such as health records of citizens.


However, a bigger cause for worry is the sophistication of the attack. Singapore’s Minister for Communications and Information, S. Iswaran, has made a statement in Parliament in which he said the breach was the result of an APT (advanced persistent threat) group “typically linked to foreign governments”.


Unlike more well-known cyberattacks like ransomware, malware and distributed denial of service (DDoS) attacks, APTs are more sophisticated and stealthy hacking tools that can be orchestrated over several months. They allow the intruder to gain access to a network with the sole intention of stealing information rather than causing damage. Since the ultimate aim of APTs is information exfiltration, they are excellent tools for information gathering, whether by state actors or by large criminal gangs.


Previous incidents


This is not the first time that Singapore has been at the receiving end of sophisticated hacking attempts. In 2017, the National University of Singapore (NUS) and the Nanyang Technological University (NTU) were hit by an APT attack aimed at stealing government and research data. While the nature of the data stolen is not known, the fact remains that these two universities conduct cutting-edge research in various areas, including Singapore’s Smart Nation ambitions, that are of interest to various actors.


In the context of the SingHealth attack, Linda Gray Martin, Director and General Manager of RSA Conferences, rightly notes that, as there is a growing focus on integrating medical technology (MedTech), financial technology (fintech) and Government technology (GovTech) as part of Singapore’s Smart Nation drive, Singaporean organisations must work together to guard against such attacks. She observes that the scenario is worrying for industries that rely heavily on public confidence.


“A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks as critical data repositories are altered,” Martin notes. The alteration of critical data, particularly citizen data, is as dangerous as the theft of the data. She adds that cybercriminals now have access to a variety of nation-state toolkits on the Dark Web.


“It is only a matter of time before they begin launching large-scale campaigns of their own. No government can keep criminals off the internet and no company can pre-empt the entire spectrum of threats, from automated attacks to sophisticated ones that lie low in networks, invisible to security teams.”


Martin notes that incident response is very much a mandatory capability in today’s connected, globalised economy. It is not a matter of “if” you will be breached but “when”. “Having a crisis-response team ready ensures that organisations can return to normal operations as soon as possible,” she adds.


One of the problems in cybersecurity is that most organisations are too focused on the technology and less on the people aspect of defence. Kenny Yeo, Industry Principal with the Asia Pacific cyber security practice at Frost & Sullivan, observes that, based on research done by Frost, most enterprises focus on technology and solutions to “keep their organisation safe from cyberattacks”.


However, clear and defined processes and adequately trained staff are required to handle security incidents, if they do occur. “There is a need for holistic preparation to be done across every part of the organisation to ensure it is cyber secure,” Yeo adds.


Data governance


One of the less understood areas of cybersecurity, especially among Small and Medium-sized Enterprises (SMEs), is data governance. Data governance refers to a system which covers areas like who can view and access what data under what circumstances.


A robust data governance framework ensures there is less unstructured and garbage data available. This gives better visibility of existing data and that, in turn, ensures better understanding of data use. As a result, in case of an anomaly or attack, immediate remedial measures can be taken since there is better visibility.


Speaking at the Asia Pacific, including Japan (APEJ) RSA Conferences 2018, Ng Hoo Ming, Deputy Chief Executive (Operations) at the Cyber Security Agency of Singapore (CSA), urged decision makers to give importance to data governance, as not doing so would open up the risk of cyber-attacks. He added that one of the reasons organisations take a long time to realise that they have been victims of an attack is the lack of a proper data governance architecture.


According to the Ponemon Institute Cost of Data Breach study 2018, globally, the mean time required to identify a breach is 197 days, while the mean time to contain a breach is 69 days. The study notes that for the fourth year running it found a correlation between how quickly an organisation identifies and contains a breach and the total cost of the breach – the faster the identification, the lower the cost.


In the Singapore context, SMEs are particularly vulnerable to cyberattacks. According to CSA, 40 per cent of the 144 cyberattack cases referred to it in 2017 involved businesses, particularly SMEs. Businesses lost around S$43 million in 2017, with one case alone accounting for close to S$5.7 million.


Smart Nation connection


In the context of Singapore’s Smart Nation push, policy makers need to keep in mind the potential cyber-threat that results from increased connectivity. In smart cities, the use of sensors that depend on IoT (Internet of Things) goes up exponentially.


According to Leonard Kleinman, Chief Cyber Security Advisor, APJ, RSA, the use of IoT devices promises new value for smart cities, businesses and citizens. “However, the constant connectivity and data sharing from IoT endpoints does in fact create new opportunities for information to be compromised, or public services to be disrupted. The distinction with smart city and IoT technologies is that attacks on such technologies can lead to the loss of control of key systems, which could have damaging consequences in the physical world, including the loss of life,” he notes.


Kleinman adds that attacks can be mitigated by good security practices, but only if there is “broad dialogue and collective action by governments, businesses and technology providers.” The experience gleaned from the SingHealth attack will go a long way in strengthening the cyber defences of not only Singapore but also other countries which are keenly following developments and the remedial measures being taken.


Striking a balance in policy is important not only for the Singapore government but also governments around the world. There is a need to craft agile policies that support a balanced and comprehensive approach to cybersecurity. This will strengthen cyber defence while at the same time allowing for innovation and enhanced cooperation.


The objective can never be to build a fortress that keeps both bad and good actors from accessing networks. It has to be a fine balance that will need constant tweaking as the cybersecurity landscape evolves.


Amit Roy Choudhury is a senior technology journalist who writes a weekly piece for GovInsider.