* Public servants' computers to be segregated from May
* Staff can still surf Internet, but on separate devices
* Move has met with mixed reactions among cyber experts
By Jeremy Wagstaff and Aradhana Aravindan
SINGAPORE, Aug 24 Singapore is working on how to
implement a policy to cut off web access for public servants as
a defence against potential cyber attack - a move
closely watched by critics who say it marks a retreat for a
technologically advanced city-state that has trademarked the
term "smart nation".
Some security experts say the policy, due to be in place by
May, risks damaging productivity among civil servants and those
working at more than four dozen statutory boards, and cutting
them off from the people they serve. It may only raise slightly
the defensive walls against cyber attack, they say.
Ben Desjardins, director of security solutions at network
security firm Radware, called it "one of the more extreme
measures I can recall by a large public organisation to combat
cyber security risks." Stephen Dane, a Hong Kong-based managing
director at networking company Cisco Systems, said it
was "a most unusual situation", and Ramki Thurimella, chair of
the computer science department at the University of Denver,
called it both "unprecedented" and "a little excessive."
But not everyone takes that view. Other cyber security
experts agree with Singapore authorities that with the kind of
threats governments face today it has little choice but to
restrict internet access.
FireEye, a cyber security company, found that organisations
in Southeast Asia were 80 percent more likely than the global
average to be hit by an advanced cyber attack, with those close
to tensions over the South China Sea - where China and others
have overlapping claims - were particularly targeted.
Bryce Boland, FireEye's chief technology officer for Asia
Pacific, said Singapore's approach needed to be seen in this
light. "My view is not that they're blocking internet access for
government employees, it's that they are blocking government
computer access from Internet-based cyber crime and espionage."
AIR-GAPPING
Singapore officials say no particular attack triggered the
decision, but noted a breach of one ministry last year. David
Koh, chief executive of the newly formed Cyber Security Agency,
said officials realised there was too much data to secure and
the threat "is too real."
Singapore needed to restrict its perimeter, but, said Koh,
"there is no way to secure this because the attack surface is
like a building with a zillion windows, doors, fire escapes."
Koh said he was simply widening a practice of ministries and
agencies in sensitive fields, where computers are already
disconnected, or air-gapped, from the Internet.
Public servants will still be able to surf the web, but only
on separate personal or agency-issued devices.
Air-gapping is common in security-related fields, both in
government and business, but not for normal government
functions. Also, it doesn't guarantee success.
Anthony James, chief marketing officer at cyber security
company TrapX Security, recalled one case where an attacker was
able to steal data from a law enforcement client after an
employee connected his laptop to two supposedly separated
networks. "Human decisions and related policy gaps are the No.1
cause of failure for this strategy," he said.
"STOPPING THE INEVITABLE"?
Indeed, just making it work is the first headache.
The Infocomm Development Authority (IDA) said in an email to
Reuters that it has worked with agencies on managing the changes
"to ensure a smooth transition," and was "exploring innovative
work solutions to ensure work processes remain efficient."
Johnny Wong, group director at the Housing Development
Board's research arm, called the move "inconvenient", but said
"it's something we just have to adapt to as part of our work."
At the Land Transport Authority, a group director, Lew Yii
Der, said: "Lots of committees are being formed across the
public sector and within agencies like mine to look at how we
can work around the segregation and ensure front-facing services
remain the same."
Then there's convincing the rank-and-file public servant
that it's worth doing - and not circumventing.
One 23-year-old manager, who gave only her family name, Ng,
said blocking web access would only harm productivity and may
not stop attacks. "Information may leak through other means, so
blocking the Internet may not stop the inevitable from
happening," she said.
It's not just the critics who are watching closely.
Local media cited one Singapore minister as saying other
governments, which he did not name, had expressed interest in
its approach.
Whether they will adopt the practice permanently is less
clear, says William Saito, a special cyber security adviser to
the Japanese government. "There's a trend in private business
and some government agencies" in Asia to go along similar lines,
he said, noting some Japanese companies cut internet access in
the past year, usually after a breach.
"They cut themselves off because they thought it was a good
idea," he told Reuters, "but then they realised they were pretty
dependent on this Internet thing."
Indeed, some cyber security experts said Singapore may end
up regretting its decision.
"I'm fairly certain they would regret it and wind up far
behind other nations in development," said Arian Evans, vice
president of product strategy at RiskIQ, a cyber security
start-up based in San Francisco.
The decision is "surprising for a country like Singapore
that has always been a leader in innovation, technology and
business," he said.
(Reporting by Jeremy Wagstaff and Aradhana Aravindan, with
additional reporting by Paige Lim; Editing by Ian Geoghegan)