Singapore’s data breach: What are the lessons for Malaysia?

The Singapore government hasn’t been resting on its laurels since news of a serious personal data breach in Singapore, in which the records of 1.5 million SingHealth patients, including the prime minister’s, were accessed and copied.

Last March, a review committee was appointed, and the outcome was a recommendation of 13 technical measures.

According to Channel News Asia, “The committee said the current security regime has ‘strong fundamentals’ but there is a need to strengthen it for the future, given the increasing complexity of the IT systems, the greater demand for the use of data to provide digital services to the public and the need to use data for better policy-making.”

Synopsys’ Software Integrity Customer Success Manager, Ian Hall, and HackerOne’s Security Engineering Lead, Laurie Mercer, had separate conversations with EITN about what these 13 technical measures could achieve.

EITN: What is your opinion of the 13 technical measures that were recommended recently to counter data breach attacks?

Ian: These measures each address slightly different areas, each of them making it more difficult to gain access to and also make use of the data even if they are able to extract it. For example, if an attacker was able to gain access to a privileged account, the control for volume- and time-limited data access looks to ensure that only a subset of data can be exfiltrated.

Within that subset of data that may have been stolen, the additional encryption controls may render the data useless unless the attacker is also able to crack the encryption or has obtained a key. As you can see, the controls hope to add extra layers of protection to either prevent the recent leaks or at least reduce the scale.

Laurie: The 13 cybersecurity technical measures announced by the Singapore Government are clearly aimed at the protection of citizens’ personal data, with 80% of the controls promoting the confidentiality of data, and 20% ensuring the integrity of data in distribution and data being used. Implementation of the 13 cybersecurity measures will reduce the impact of a data breach.

EITN: What was the outcome of a previous measure to air-gap computers of Singapore employees in public service?

Ian: I think that it is hard to say for someone on the outside whether it was definitively successful or not.

It is going to be quite difficult to completely cut off the external world and you can see that from the control announced that will require an additional prompt for emails with sensitive data. This control attempts to prevent inadvertent data leaks for users that have computers which are not air-gapped. This is why it is important to continue with the efforts on both people and processes after the technical measures that were announced.

Laurie: At first glance, air-gapping seems like a simple and effective solution. In practice, air-gapping computers can reduce the efficiency of workers without demonstrating real security benefits, and can provide a false sense of security. Air-gaps will always have their place, especially in military and industrial control systems. However, the recent breaches in Singapore Health Services, Equifax and British Airways would not have been prevented by air gaps.

EITN: Besides the 13 technical measures, what else needs to happen?

Laurie: The 13 technical measures are designed to reduce the impact of a data breach. It will be interesting to see what measures the Smart Nation & Digital Government Office propose in the future to reduce the risk of a data breach.

For example, the Vendor Security Alliance (VSA) lists 28 questions on Data Protection and Access Control alone. In addition to technical controls, there are several more important areas to think of, including:
* Policies and Standards;
* Proactive Security;
* Reactive Security;
* The Software Supply Chain;
* Customer Facing Application Security; and
* Compliance.

A second question relates to international cooperation. For instance, the Smart Nation & Digital Government Office in Singapore, the National Cyber Security Centre (NCSC) in the UK, the National Institute for Standards and Technology (NIST) in the USA, and the European Union Agency for Cybersecurity (ENISA) are all producing excellent recommendations on how to enhance security and protect our data: Is it possible to harmonise and standardise recommended security controls of both public and private sectors across these different geographies?

Ian: The biggest challenge I see is the implementation. The technical measures are very good when you talk about them from a theoretical standpoint.

However, the government agencies have vast amounts of data on many different systems from many different applications. How will the measures be retrofitted onto the applications to protect the data? This could be a long process and require much effort in terms of updates to applications, both internal as well as those developed externally.

While making the necessary updates, the developers will need to ensure that they have the right tools to help them build the software securely.

EITN: Do these 13 measures require purchasing more cybersecurity solutions? Or is it an awareness and training issue?

Ian: The measures cannot be implemented by training and awareness measures alone. In order for measures such as field-level encryption or dataset partitioning to be implemented, there will need to be back-end changes made to how the data is stored and also changes to the applications that access the data. A specific solution may not need to be purchased, but I do see there being additional spending required to implement the updates.

Laurie: There are products and solutions that can help, for example, Identity and Access Management and Email data protection tools, but the majority of the 13 measures are technical controls that need to be implemented by software and infrastructure engineering teams.

EITN: Who will be held responsible for these recent data leaks in the public sector? For the private sector, there is cognisance that the business has to take some responsibility instead of putting wholesale responsibility upon the CTO or CIO or the IT departments. In the public sector, who should be held accountable?

Synopsys and HackerOne declined to comment.