Singapore’s decision to air-gap public sector closely watched

technology computer IT

Aug 29, 2016 (LBO) – Singapore is working on how to “air gap” web access for public servants as a defense against cyber attacks, a media report said.

But some security experts say the policy, due to be in place by May, risks damaging productivity among civil servants and cutting them off from the people they serve, according to a Reuters report.

Ben Desjardins, director of security solutions at network security firm Radware, called it “one of the more extreme measures I can recall by a large public organization to combat cyber security risks.”

Stephen Dane, a Hong Kong-based managing director at networking company Cisco Systems, said it was “a most unusual situation”, and Ramki Thurimella, chair of the computer science department at the University of Denver, called it both “unprecedented” and “a little excessive.”

But not everyone takes that view. Other cyber security experts agree with Singapore authorities that with the kind of threats governments face today it has little choice but to restrict internet access.

In Sri Lanka, President Maithripala Sirisena’s official website was hacked on two consecutive days last week, with “The Sri Lankan Youth” group making demands including a call to reconsider the decision to hold the GCE A/Level examination in April instead of August.

It also called on the government to be more mindful about the security of Sri Lankan websites.

With the Singapore proposal, public servants will still be able to surf the web, but only on separate personal or agency-issued devices.

FireEye, a cyber security company, found that organizations in Southeast Asia were 80 percent more likely than the global average to be hit by an advanced cyber attack, with those close to tensions over the South China Sea – where China and others have overlapping claims – were particularly targeted.

Bryce Boland, FireEye’s chief technology officer for Asia Pacific, said Singapore’s approach needed to be seen in this light. “My view is not that they’re blocking internet access for government employees, it’s that they are blocking government computer access from Internet-based cyber crime and espionage.”

Singapore officials say no particular attack triggered the decision, but noted a breach of one ministry last year.

David Koh, chief executive of the newly formed Cyber Security Agency, said officials realized there was too much data to secure and the threat “is too real.”

Singapore needed to restrict its perimeter, but, said Koh, “there is no way to secure this because the attack surface is like a building with a zillion windows, doors, fire escapes.”

Koh said he was simply widening a practice of ministries and agencies in sensitive fields, where computers are already disconnected, or air-gapped, from the Internet.

Air-gapping is common in security-related fields, both in government and business, but not for normal government functions.

William Saito, a special cyber security adviser to the Japanese government, said: “There’s a trend in private business and some government agencies” in Asia to go along similar lines, he said, noting some Japanese companies cut internet access in the past year, usually after a breach.

“They cut themselves off because they thought it was a good idea,” he told Reuters, “but then they realized they were pretty dependent on this Internet thing.”

Indeed, some cyber security experts said Singapore may end up regretting its decision.

“I’m fairly certain they would regret it and wind up far behind other nations in development,” said Arian Evans, vice president of product strategy at RiskIQ, a cyber security start-up based in San Francisco.

The decision is “surprising for a country like Singapore that has always been a leader in innovation, technology and business,” he said.