The Singapore government has moved to prevent officials from accessing the internet on devices that have access to civilian data. Vishanth Weerakkody, professor of digital governance at Brunel University, says it is not the retrograde step some think it is.
The Singapore government will stop its public sector workers accessing the internet at work from May next year – Photo credit: Flickr, solidariat
Singapore’s decision to disconnect its civil service operational system from the internet needs to be put into context.
Among the enthusiasts for digital everything, there is a widespread underestimation of the capability of cyber-attack agencies, which range from lone hackers to well-resourced military units.
And, as data losses reported in the media illustrate, political and governmental targets are particularly juicy – quite probably the news we see is just the tip of the iceberg.
Related content
The six types of security threat
GDS trials secure Whitehall WiFi solutions
The protection of sensitive networks in governments is a constant and expensive battle between attack and defence capabilities. There is no law requiring that all systems and workers to be connected to the internet.
Given the cyber-security threat level and the cost and continuing challenges of defence, it seems reasonable for government to ask two questions.
The first is about whether you take an operational system that deals with sensitive data offline, and the second is about whether your employees need internet access in the workplace.
Singapore appears to have considered that, for its internal civil service system – presumably both sensitive and operationally critical, therefore making it a target – the balance of risk, costs and benefits makes it necessary to disconnect it from the internet.
And it must be remembered that the Singapore government has not blocked all internet access. It has said that, for someone whose job needs the internet, a second system can be made available.
This is quite feasible, and could be done using a system that would be less restrictive than the secure systems they use at the moment. Providing WiFi in public sector building for the use of staff and visitors is one way of achieving this.
Of course, this might be a real inconvenience to the staff, which will have to be factored in to the overall decision to disconnect the primary system.
But if it does not prevent them from doing their job it might be deemed better than running the risk of an attack on the sensitive data; unauthorised access to internal systems, and loss of sensitive data, can easily disrupt the role and efficient functioning of the civil service.
A smart nation?
One should not jump to the conclusion that this announcement is a move away from Singapore’s efforts to be a smart nation.
On the contrary – Singapore is only doing what smart nations do by mitigating potential risks of cyber-attacks that could compromise their critical information systems.
The country’s decision is reasonable – and, it should be noted, not unique to Singapore – some public institutions have similar blocking policies that stop people using the internet at work.
Indeed, as we see both public and private sector organisations experiencing more successful penetration attacks and data theft, it won’t be a surprise to see more governments thinking critically about what they isolate from the internet.
The crucial point here is the distinction between having an ‘air gap’ between internal systems that hold sensitive data and the internet and restricting employees’ access to the internet completely.
Hostile forces are an ever-present danger for organisations, and it is easy to imagine that, over time, the first question posed will no longer be, ‘Should we take services offline?’
Instead, it will be, ‘Why should we connect our systems to the internet?’
And this will be particularly true if it is not enabling a citizen-facing transaction process.
We must remember that doing that doesn’t mean stopping employees doing their shopping online at lunchtime, or even engaging in social media while at work.
Separating out the two activities could lead to safer systems – and more public trust – without having a negative effect on morale.
