“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.” —Dennis Hughes, FBI [attributed]
From May 2017, the Singapore government intends to block internet connectivity for the work computers of its 100,000-strong force of public servants. The government has opted for the drastic measure on account of security concerns. Is it really necessary and is this the best way of keeping things safe?
A key principle that information security managers learn is that security must work to enable business and not prevent it. Attempts to add security that appear to work against the normal functioning of the business are doomed to fail. This will be critical to whether the Singapore government’s efforts succeed or fail. It is not only the technological aspect of this new setup that must be taken care of, but also the ‘people’ and ‘process’ aspects. The latter appear to be lacking, at least in what has been covered in the news.
Did the government get the technology aspect right? Among other things, companies that have information security-aware management perform a ‘blacklisting’: for instance file-sharing activity, chatting, pornography sites and known malware sites and activity may be blacklisted and cannot be accessed by employees. Some security experts recommend a tougher measure called ‘whitelisting’: only the specific sites in the whitelist may be accessed by employees. This list could contain the top 1000 sites on the internet known to be safe and, upon business justification, additional sites could be added to the list. Entirely blocking internet access is the toughest possible measure and might be a bit heavy-handed.
Disconnecting a computer from the internet is called air-gapping. It is a legitimate security measure for the very paranoid / persons under surveillance. Security expert Bruce Schneier explains here what he did to stay secure from the NSA while working on the Snowden documents. Air-gapping requires a huge amount of effort to get right, primarily because the information that you work with tends to come through the internet. Air-gapping will make life harder for an attacker who wishes to access information in/through your computer. Information on one’s computer may still be accessible in certain ways, but accessing the office network through that device does get considerably more difficult for an attacker.
Air-gapping is not foolproof. An air-gapped computer owned by a non-technical person is less likely to be updated with security patches than one that is connected to the internet. It may make the device more susceptible to attacks through vectors outside of the internet. Targeted attacks have been carried out against air-gapped devices as long ago as 2010 using USB drives. The Singapore government currently does allow its employees to use the USB ports on their devices. USB drives are well-known transmission vectors for malware and many companies prevent their usage by locking them down. This would be a pragmatic step to take before the more desperate measure of taking away internet access.
The initial announcement of the upcoming policy also stated that employees would be allowed access to the internet on their personal devices and devices kept specifically for internet use. The Infocomm Development Authority (IDA) clarified in a Facebook post that “only unclassified emails for purposes such as accessing URLs” could be forwarded to private email accounts. This is going to be tricky. An employee who has habituated himself to transferring emails between his work and personal emails is going to do more and more work when directly connected to the internet on their personal devices, especially when the work requires research or benefits from information found on the internet. This in turn could lead to the personal devices becoming targets of attack, reducing the need to attack the office-issued devices in the first place. Considerable effort will need to be made to ensure that employees are aware of what information may absolutely not be transferred to devices outside the office-issued computers. These are serious flaws in the ‘people’ and ‘process’ aspects of the new policy.
I have already encountered people discussing how to subvert this ‘problem’ of no internet access. Singaporeans are technically savvy enough to get the internet that they need. The government has to ensure that their work does not get too painful and that access is had where they require it or the subversion will eliminate the positive security effects of removing internet access.