SINGAPORE, 12 JUNE; I read the news today, oh boy.
The Prime Minister is quoted in The Straits Times of 10 June 2016 saying, “We have become completely dependent on our IT systems… and we have to make sure that our system is secure. We can’t get infiltrated, data cannot be stolen, somebody can’t come in and wipe out your data or cause some other mischief.”
Since the decision to prohibit Internet use on about 100,000 public servants’ workplace computers was announced a few days ago, there has been no shortage of commentary regarding whether or not this is an effective cyber-security enhancement measure.
In this short time the discussion has spread far beyond Singapore’s shores as news services throughout the world reported this ‘unique’ approach.
Here I will focus only on two aspects; the potential reaction of hackers and the methods used by hackers in some of the examples that have been cited by officials in conjunction with the Internet-ban policy announcement.
Provoking the beast
Hackers are a mixed lot. Some seek monetary gain using ransomware. Some, like Anonymous, hack systems in pursuit of political change. Then there are those who seek nothing more than the glory of a successful hack. No cash. No toppled leader. Just street credibility as a hacker to be reckoned with.
It is the latter breed who may have been awakened by all the press coverage of Singapore’s efforts to protect its state databases and related systems. As the implementation date of May 2017 approaches, such glory-seeking hackers may be plotting their strategies aimed at thwarting the IDA’s defensive strategy.
Cyber defences will have to be bolstered perhaps beyond what had been planned (and budgeted) in anticipation of this enhanced and unwanted attention.
Lessons from the past
With the Internet ban announcement came several examples aimed at illustrating the capabilities of today’s hackers and the consequences of the hacks.
What seemed to be missing was one simple question from the pack of journalists busy taking frantic notes; Were any of these attacks facilitated by an employee using an Internet browser at his workstation?
Since the journalists did not ask that question, let’s have a look at the examples and see if there are any clues available.
These three examples were reported by The Straits Times on 9 June;
- In 2015, hundreds of flights had to be grounded in Sweden following a cyber attack on its air traffic control system.
- Hackers knocked a Ukraine power station offline, plunging vast areas into darkness.
- The Russian government itself looked at going back to typewriters after its computers were infected with spy programs.
Ok, what happened in Sweden?
On 4 November Swedish air traffic controllers were not able to use their displays. The official explanation was that a solar storm was to blame, but suspicions arose that Russian Military Intelligence was testing cyber warfare capabilities in the Baltic area resulting with the display malfunctions.
Reference to a link between the Swedish air traffic controllers use of the Internet and this hack has not been found. However, just think about the job of the air traffic controllers. They spend their shifts tracking flights on big displays. Do they have time to shift their attention to websites on Internet Explorer, Google Chrome, Safari or Firefox to surf the web during their shifts?
Let’s move on.
The Ukraine Power Station Hack
To make a long story short, hackers remotely took control of the Ukraine’s power management control center computerised operations systems. They shut down the power grid as well as back-up power units, leaving about 230,000 Ukrainians without electricity on a cold December night in December 2015.
The details of the cyber attack have been summarised by Wired magazine.
Were the hackers able to do this because the staff of the power utility had access to the Internet from their workstations? No. According to the Wired article, “workers logging remotely into the… Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.”
It is probably safe to say that we cannot put the blame on any website here either.
Russia to revert to typewriters as cyber security defence
This one is kind of entertaining. The initial Google result shows not only Russia, but also Germany and China referenced as considering such a cyber attack preventative strategy.
Seeking a trusted source, an article that appeared in The Economist in November 2014 does mention that Russia had reportedly ordered 20 typewriters due to the vulnerability of computers to cyber attack.
If that is true, it would mean that the vast majority of Russian civil servants are still using computers. In both Russia and China there are already many Internet filters in operation, but these have been put in place primarily to limit access to subversive information rather than to protect from cyber attack.
In any case, the Russian example does not show any evidence of a successful cyber attack against Russia that was executed with the help of an innocent public servant using a web browser at his workstation.
A useful lesson from The Economist
The Economist article does serve well to remind readers that the most dangerous hackers of all are the state actors, and Russia, China and the United States are leading the pack when it comes to cyber-warfare.
In doubt? Then have a chat with an Iranian nuclear engineer.
Ask him about ‘Regin’.