View from academia: How to make Singapore’s internet plan work

A leading cyber security professor gives her view.

The Singapore Government will prevent officials from accessing the internet on their work computers from next year. What will this achieve? GovInsider spoke to Professor Angela Sasse, Professor of Human-Centred Technology at University College London - and Director of the UK Research Institute in the Science of Cyber Security - to seek an expert’s views on the benefits and risks of this new approach. How it would work Singapore’s approach will work “if everybody complies with this”, she says. Employees won’t have to worry as much about accidentally bringing malware into the system because the security is tightly controlled. “By following those rules you get a certain amount of peace of mind.” However, there are risks with any approach. In this case, there is a risk that officials come up with “workarounds”, Professor Sasse says. “Some of the workarounds that people then do are worse than the original threat.” The government should learn from the military - where certain systems are kept “air gapped” - meaning they are disconnected from the internet. “When things get busy, the machines that are supposed to be kept off the network, [can] end up being connected to the network because the information needs to be transferred very quickly,” she warns. Equally, hackers could try to find new ways of accessing government systems. They could move to “social engineering techniques”, finding ways to impersonate officials or persuade employees to insert a USB stick in the system. An example of this is stuxnet - a virus that entered Iran’s air-gapped nuclear system, Professor Sasse says. Attackers designed the virus to spread through USB drives, infecting outside computers which were believed to be connected to the nuclear system. Productivity Tighter security could also affect officials’ productivity, she says. “Everything will take much longer". As the policy currently stands, officials will have to use their second device for any external research or information. They will then need to securely transfer the material to their work machine. “You're literally transcribing information as you move it across.” But it’s important to measure the productivity loss against the cost of losing citizen data through a massive hack. It “doesn’t make sense” to have a security solution if it would cost the organisation more than the risk itself, she says. “It depends on whether they have considered potentially how much damage it does to the productivity of the organisation”, she says. Recruiting young employees A third potential problem to overcome is how it affects perception of government jobs. Attracting young people has “proved to be a problem in parts of government where access is very strict”, Sasse says. Millennials are accustomed to a certain degree of flexibility in using tech, and restriction could make government employment a less attractive proposition, she continues. For example, many private sector firms use chat apps and file sharing services to work in small groups. There could be a solution, however. Some financial institutions have come up with an alternative to provide employees with secure internet access. They have set up “demilitarised zones” that sit outside the secured office, where people can go to access internet. How to implement the policy Sasse also has advice on implementing the policy. Testing the system with users and getting their feedback is “the key thing”, Professor Sasse says: “Consult the people who will be affected by it and ask them what that means for the work they do.” This will allow the government to understand how to adapt processes over time, allowing people to continue working productively. At the same time, security technologies clearly need to evolve so that organisations don’t have to resort to such severe measures. “We need technologies that allow people to carry on doing the things they need to do, that don't get in the way as much. A lot of current security technologies were designed without really thinking about that,” she says. Cutting off internet access on government computers would work to keep online threats out. But if not implemented in the right way, it could mean new threats, fewer talented people and less productive employees in government. The key is to continue iterating the policy and learning lessons from it. Agile security is the key. Image from PerAda TV on Vimeo