Reading a report on Channel News Asia that an Integrated Health Information Systems (IHiS) employee hesitated before reporting a suspected breach made me wonder if the prevalent attitude of fear for "higher ups" and authorities has contributed to the largest cyber security breach to ever hit Singapore?
CNA reported the testimony of Han Hann Kwang, IHiS’ assistant director for infrastructure services - security, who noted that the activation of a response team to investigate a security incident is something that is “not to be taken lightly”, and would require an assessment by the officer to ensure that it is a legitimate security incident.
Mr Han said in response to the questions from a Committee of Inquiry that he would form a bigger team to gain more understanding of the situation first, before escalating the incident.
CNA also noted that Mr Henry Arianto, who is in charge of the team taking care of the electronic medical records database for SingHealth, said that he did not want to create a “false alarm” and “unnecessary work for senior management”. He added that he had to rely on his intuition because he has never been informed of the standard operating procedures in the case of a security incident.
In Singapore, we are so conditioned to think that the authorities will look after us, make all the decisions and be in charge of everything that we cease to have ownership over our own choices and responsibilities. I say this not as a criticism of this particular IHiS employee but rather, as an observation of our attitudes towards responsibility and ownership.
On the one hand, the government wants to be seen as the hand that feeds. On the other hand, it also wants us to take responsibility for our own lives instead of blaming them for everything. The ideal situation for both us and them is of course somewhere in the middle of these two extremes. However, is the government guilty of wanting the credit of being the hand that feeds without the responsibility of being seen as such? Being so conditioned, have we become too fearful to assume ownership of our own responsibilities to society?
To me, the situation with this particular IHiS employee sums up the general situation very well. We see a problem but we choose not to deal with it because we are so scared of the repercussions of being seen as the whistle blower, the person who causes problems for the authorities. Within our government departments, are we too focused on ensuring uniformity at the expense of encouraging employees to take initiatives? Has our government and by extension the civil service been placing too much emphasis on toeing the line to such a point that even when an error is spotted, an employee would hesitate?
Arguably, our government is not one that applauds those who stand out for being contrary. Has this led to the harmful effect of leading employees to think that pointing out mistakes would be seen as contrary behavior that could be career limiting? Could this harmful trend have led to a hack that resulted in the theft of the personal data of 1.5 million people including the Prime Minister of Singapore?
If our pervading attitude of fear – fear of correcting higher ups, pointing out mistakes made by authorities has indeed contributed to this cyber security breach, then we really need to take urgent steps to rectify this fear. Perhaps the government ought to reconsider the way it handles people it considers "contrarian". May this be a wake up call!