It’s all kicking off! FutureGov magazine was hacked earlier this week, with the deletion of several months’ hard work by our journalists. I think it’s rather sad to destroy content - that’s what the Nazis did with their book burning in 1933, which is something that normal, well-adjusted people steer clear of. Happily the saps responsible for hacking FutureGov magazine reckoned without the ability to repopulate this site from our mirror server’s backed-up versions, and the matter is now in the hands of the Singapore Police Force. If only it was so easy for government.
Thailand’s Cyber Security Centre also came under attack this week, and admitted that it is struggling to maintain the infosecurity of the country’s wider public sector. The Philippines’ Department of Defense is under botnet attack. South Korea’s presidential office, the Blue House, fell under attack at the end of last week - along with four Korean broadcasters earlier in the year, and other key ministries. Planning and geophysics data has been hacked in one of the Asia Pacific’s larger countries in the region, resulting in land concessions being bought up at below-market bargain prices.
The Indonesian government is under attack - and according to one senior official has all but given up on securing local government units. Down the road in Jakarta the ASEAN Secretariat is under cyber attack, even though the information it holds is already in the public domain. So it has been a busy few days on the hacking front. Is this the new normal, and if so, what can be done about it?
In answer to the first question, the answer is an unequivocal ‘yes’.
One of Singapore’s leading government CIOs likes to say that his top three priorities are “security, security and security” as a result of his organisation coming under “millions of attacks a year”. A recent visit to an ASEAN Ministry of Defence in the region revealed the real time attacks across the agency’s network, though the screen indicating the provenance of these attacks was diplomatically switched off. These are sensitive times in the South China Sea, afterall.
So if the problem is not going to go away, what can we do about it? The first thing to do is to get your house in order.
I recently caught up with Marsineh binti Jarmin, currently the Undersecretary of Information Management Division for Malaysia’s Ministry of Natural Resources and Environment, and she detailed the work that she has undertaken to boost the information security posture of her organisation, getting ISO certified - one of the first Malaysian public sector organisations to do so.
Elsewhere, and on a slightly larger scale, India is in the middle of rolling out a new cybersecurity policy.
Up until now the Indian government’s approach has been typical of governments in the region - piecemeal and ad hoc. The hope is that following a dramatic increase in the number of cyberattacks, the appointment of Dr Gulshan Rai will bring order to the Indian public sector’s heterogenous information security defences. According to a longstanding friend of FutureGov, Amitabh Ranjan, Head of Finance, Procurement & Administration at the Indian Institute of Public Administration, the new development follows the agreement and consent by some of the key ministries - something that was “on the anvil” for some time - and therefore reflects a powerful acceptance across government of the importance of this issue.
But getting your house in order can only get you so far. If you’re in the sights of the North Koreans, organised crime, or disaffected former employees, hunkering down is not a longterm strategy. As one of the US Generals involved in establishing their Cybercommand explained to me “a passive defence will always lose out in a longterm conflict, because if you defend 1000 attacks, they will get you with the 1001st attack.”
So the answer is to put in place a legal framework - such as Singapore’s extremely comprehensive Computer Misuse and Cybersecurity Act - as a first step to enable legal recourse. Even where hacking occurs extra-territorially, the ability to pursue those responsible starts with establishing a case.
Beyond this there are a number of things that forward-looking organisations can do to go on the offensive, such as putting in place a honeytrap to lure hackers in to a false sense of security. When Chinese hackers recently targeted a major US defence contractor, they thought they were stealing sensitive information - when in reality they were scanning a mock system, isolated from genuine information, and were traced back to their point of origin. In this instance a ‘payload’ was sent back to where the hackers came from, wreaking havoc in their own systems.
While this is an extreme example of what is possible, and an unlikely course of action for most government departments - the ability to quarantine attacks, and observe what information attackers are looking for, gives you a powerful insight in to the objectives of the hacker - enabling you to step up your security in a targeted fashion.
These threats will not go away - but as we gain experience, and put in place the systems and processes to contain the risk, life will go on.
In a visit to Ngee Ann Secondary School yesterday (22 July), FutureGov found students deeply ...
The Infocomm Development Authority and Ministry of Education of Singapore have initiated plans to introduce ...
Ngee Ann Secondary School’s students are on a bid to “change the world” with ...