fbpx

Thoughts in regards to the Singhealth Saga

by Lee Yew Tian James

Recently, I found about this govt agency called SingCERT, courtesy of this letter to TOC.

In this commentary, the writer, Ghui, questioned on the purposes of SingCERT as it was supposed to be an agency that it was set up to facilitate the detection, resolution and prevention of cyber security related incidents on the Internet. The question then was where was SingCERT when SingHealth was hacked. Also, where was SingCERT during the 2013 hacking of SIAS member details.

To be frank, I have never heard of SingCERT, nor knew of their existence till today. From their website, their mission is as described above - to facilitate the detection, resolution and prevention of cyber security related incidents on the Internet. Ghui asked where was SingCERT when SingHealth was ‘spectacularly hacked’. I am not sure if this was referring to the detection of the attack, or the response to the attack.

If it was the latter, it might not have been fair to SingCERT since they are only responsible for detection. Even in detection, it would not be easy because the internet is a vast lawless space when hackers can hide in anonymity anywhere. Moreover, the SingHealth hacking was due to one of the workstations being infected with malware which allowed for the hackers to gain access to the database.

I am not an IT guy, but from my understanding that if a workstation had been compromised, the hacker is already inside. To explain in layman terms, SingCERT could be the security detail patrolling outside the bank doing security screening of suspicious characters. But when a workstation inside the bank has been infected or compromised, no amount of security screening outside will ever detect the inhouse hack.

The system probably is not designed that way. So to pin the blame solely on SingCERT might not be fair to them.

In terms of prevention, most government agencies had undergone internet separation. It is not known why SingHealth did not follow the guideline. Perhaps, that could be one of the things the COI could establish.

For the SIAS case, I really do not have the facts of the matter, so it would not be appropriate to jump to conclusions. In that, Ghui might be right in asking what had SingCERT done back then.

What is more alarming to me, arising from the SingHealth COI, was the nonchalant attitudes of the senior management in response to the knowledge of a possible system loophole. TL;DR, a system loophole was found by one of the staff, who then exploited that knowledge by informing a rival system vendor about it. The senior management, who upon finding out of that disclosure of sensitive information, immediately sacked the staff who contacted the rival vendor. AND they did not follow up to patch that loophole.

It made me wonder if working for a government entity fostered some kind of yes-man attitude. One of the deputy directors, Mr Clarence Kua, even admitted that he only ‘act on instruction’. This is truly damning if a deputy director can profess to have zero leadership, zero situational awareness and hundred percent yes-man. Was it something about working for an ‘iron rice bowl organisation’ that dulls one’s senses, luring one into some form of mediocrity? I recall MP Louis Ng Kok Kwang once mentioned in Parliament that public servants were afraid of speaking up in case they anger their superiors, have their appraisals affected and get passed over for promotion, just because they rocked the boat and upset the status quo.

That earned him a sharp rebuke from 4G leader, Ong Ye Kung, who warned Ng not to tar the entire civil service with the same brush.

That was six months ago. Looking at the COI findings, I cannot help but feel that Louis Ng was right, and that probably that problem is more prevalent than previously thought. And now, this supposed mediocrity in our civil service has caused a direct effect on Singaporeans for the second time - the first being the SMRT flooding incident.

Is it time to once again talk about the elephant in the room? At the end of the day, we can have the best detection and prevention systems, but if the system is being maintained by mediocre staff who want nothing more than get their monthly salary and annual bonuses without rocking the boat, then the best systems are doomed to fail. It has already been proven in the SMRT flooding case, and now the SingHealth hacking case.

Maybe I’m overthinking but are such mediocre attitudes prevalent and persistent in government or government linked organisations? It is not so much making a generalisation, (lest Minister Ong gets me wrong) but perhaps it is something worth thinking about.