SingHealth Cyberattack: Another military general, another epic failure?

The practice of parachuting military generals into top civilian organizations has been questioned recently.

Secretary-General of the Singapore Democratic Party Dr. Chee Soon Juan noted that these military men are given “a meteor-like rise through the ranks [and] many of these high-achievers are farmed out as corporate chieftains to one of a plethora of government-linked companies (GLCs).” However, the “reality is never quite as awesome”.

Citing examples such as Ng Yat Chung, Desmond Kuek and Lui Tuck Yew, Dr. Chee believed that these Ministers have led their parent organisations to failure but were shielded from any negative repercussions.

“[Former Chief of Navy] Lui Tuck Yew, joined the PAP and stood for elections in 2006. He was subsequently appointed transport minister whose unfortunate portfolio included having to do battle with a devilishly uncooperative train system”.

“The trains won, of course. After a major system disruption in 2015 that caused much public unhappiness just before the elections, Mr. Lui threw in the towel and chose not to stand for re-election. No worries, though, he was appointed ambassador to Japan in 2017”.

2017: Former Army General to lead 2 new cybersecurity organisations

Last year, it was reported that another former military general – BG David Koh – would be in charge of two newly created cybersecurity organisations.

The first was the new Defence Cyber Organisation (DCO) to bolster the nation’s defences against online attacks. The second was the Cyber Security Agency (CSA), which came under the Prime Minister’s Office and was tasked with “coordinating public- and private-sector efforts to protect critical national systems”.

With these new organisations, the budget for cyber-security spending in Singapore would be increased. From 5% of the entire info-communications technology budget, it will now take up 8%. The Straits Times reported that Singapore spent S$408.6 million on cyber security for the fiscal year of 2014. In other words, BG Koh’s two organisations would be spending as much as $650 million a year on cyber-security.

The report also added that BG Koh graduated from King’s College London with a bachelor’s degree in electrical and electronics engineering and holds a Master’s in public administration from Harvard University. His previous roles include Chief Signal Officer and Head of Joint Communications and Information Systems Department in the Joint Staff.

David Koh in April 2018: We must be vigilant and resilient towards cyberattacks

In an interview with Channel NewsAsia earlier this year (17 Apr), BG Koh had warned that the internet was not designed for cyber-security and vigilance was needed.

He cited an example of how his daughter would leave her computer in “sleep” mode instead of shutting it down; he felt that this was not safe as hackers would still be able to access the computer so long as it was not turned off.

Above all, he acknowledged that it was a matter of when – rather than if – a major cyberattack would hit Singapore. When that happened, the onus would be on the Government to ensure that they are able to detect the breach, while keeping the networks and recovery as resilient as possible.

“When something goes wrong… then the issue is how we react to the incident. The assurance that I will give is that we will put out information as quickly and as accurately as we can.”

In July 2018: timeline of cyberattacks on SingHealth does not inspire confidence

Indeed, BG Koh's prediction of a major cyberattack was proven right when one happened less than 2.5 months later. Unfortunately, the sequence of events does not inspire confidence. The whole incident raises several key questions which were not answered in the press release.

According to media reports, the breach came when malware infected a “front-end workstation” (such as a registration counter) before obtaining privileged access. This would raise critical questions about the security and user access rights of the integrated health system.

Why was the front-end workstation not segregated between the internet and intranet? If the malware had managed to spread itself into the intranet or database, then why did the anti-virus systems and firewalls not detect the breach? If the information of PM Lee was “repeatedly” targeted, were there not high-level security controls in place?

Why did it take 7 days for IHiS to realise that unusual activity had taken place?

The theft of personal information started from 27 Jun, but the database administrators only detected unusual activity on the IT databases on 4 Jul. Why did it take 7 days to realise the unusual activity and a further 5 days of monitoring the activity before an actual breach was determined?

Why was there a lapse before a police report was filed?

Even though a police report was made 2 days later, would this be acceptable in context? Should the report have been made immediately? The preliminary investigations had shown that the hackers tried to conceal their tracks and delete all information. In a time-sensitive context such as this, a delay of 2 days would be critical.

Why did it take 10 days for the public to be notified?

Given that a data breach was confirmed on 10 Jul, why did the government only notify the public 10 days later, especially since the breach involved as many as 1.5 million people? Would it have been better if an initial briefing was made before more details were provided later?

Despite the promise of a COI and in-depth investigations, one should remember that this is not a small-scale breach but should be taken in the context of 1.5 million victims.

The circumstances in which the case was handled clearly do not inspire confidence in the 4G leadership at a time when lapses occur more frequently than ever, in all aspects of administration from train reliability to succession planning.
