Rationale for Delinking Civil Servants' Computers with Government Email Capabilities from Internet

17 Mr Alex Yam asked the Minister for Communications and Information with regard to IDA's requirement that all public servants' computers with Government email capabilities be delinked from the Internet (a) what are the reasons that prompted such a major review; (b) what are the other solutions that have been considered before arriving at the current guidelines; (c) whether inputs from other Ministries and agencies have been sought in terms of its implementation; and (d) what potential impact will the requirement have on the productivity and service delivery of our public servants.

18 Assoc Prof Daniel Goh Pei Siong asked the Minister for Communications and Information (a) how will the Government help businesses and organisations protect themselves against the threats behind the move to delink Internet access on public servants' computers; (b) whether the move will affect the development of the Smart Nation platform and its pervasive connectivity; and (c) what steps will be taken to restore public confidence in the Smart Nation vision.

The Minister for Communications and Information (Assoc Prof Dr Yaacob Ibrahim): Madam, can I take Question Nos 17 and 18 together?

Mdm Speaker: Yes, please.

Assoc Prof Dr Yaacob Ibrahim: And congratulations, Madam, on your recent re-election.

Mdm Speaker, the cybersecurity threat level is significant and shows no sign of abating. In May 2015, I informed Parliament that the Government had detected a security breach in MFA's IT system. Immediate steps were taken to remove the threat and to remediate affected systems. Since then, there have been more targeted cyberattacks on Government networks. While these attacks were successfully contained, we can expect more to follow. Cybersecurity firms, such as Mandiant and Microsoft Research, have published reports explaining in detail how such attacks are carried out. It is clear from these reports that the attackers rely on the Internet to introduce malware into a network, to send instructions to infected machines, to infect more machines within a network and, finally, to steal data from the network.

IDA studied this issue together with the agencies for several years. When we spoke to other governments, some indicated that they set up isolated networks, whilst some have explored limiting Internet access only to the necessary functions. Due to security reasons, these measures are generally not publicised. Many options were deliberated. In the meantime, agencies assessed to be at higher risk, such as MTI and MFA, went ahead with separating Internet surfing. But agency-level arrangements do not make the whole Government network safer, because an attacker can still enter the network via another agency which continues to allow Internet surfing when connected to the Government network.

Madam, IDA's decision may not be popular, but it is, ultimately, the right decision. The Government has a duty to do all it can to protect the data it possesses, especially since such data often contain personal information of our citizens.

Separating Internet surfing will make it much more difficult for an attacker to succeed in its various stages of attack. It will mean that public officers have to make some changes. They will now have to access the Internet via a different device, rather than from a single device. The device that they use for Internet surfing must only be used for unclassified work. But the key point, Madam, is that they can still surf the Internet for work, using either separate devices provided by their organisation or their own mobile devices.

Madam, there will be no change for the public. They will still be able to send and receive e-mails from Government officers. Government e-services and transactions by the public and businesses will not be affected.

There is no reason to believe that the effectiveness of agencies will be adversely affected. Agencies like MTI and MFA have already implemented the separation of Internet surfing for some years, while MINDEF has implemented even more stringent requirements. These organisations have not become less effective as a result.

Madam, Assoc Prof Daniel Goh asked how the Government can help local enterprises protect against cyber threats. The Cyber Security Agency (CSA) has been working closely with industry associations to promote the importance of cybersecurity. It has organised conferences with the Singapore Business Federation (SBF) on cybersecurity. The Government worked with SBF to develop an Employee Cyber Security Kit. This free toolkit features a simple quiz which provides an initial assessment of a company's cybersecurity readiness and follows up with a recommended cybersecurity education programme tailored to meet business needs. There have been over 3,000 downloads of the resources and tools. CSA and the Singapore Infocomm Technology Federation co-chair a Cyber Security Awareness Alliance, which does good work in increasing awareness and adoption of cybersecurity practices. So, help is available to our businesses who want to do something to improve their cybersecurity.

Madam, far from affecting the Smart Nation initiative or our reputation, strong cybersecurity provides a strong and sure foundation for building a Smart Nation. In fact, other countries have expressed interest in learning from our experience. We cannot be a Smart Nation that is trusted and resilient if our systems are exposed and vulnerable.

Mr Zaqy Mohamad (Chua Chu Kang): I thank the Minister for the clarification and the answer. I just want to ask the Minister in considering this solution – because some in the industry would consider it quite extreme – were there more elegant solutions that were thought through? For instance, did they consider tiered networking or a lockdown environment?

The second question is: would the Ministry be looking into what is the productivity impact on civil servants? For example, today, if I send the Minister an email with a link on it, the Minister would have to email it somewhere else, to another device, just to surf, to know what is this link about, for example. So, there is definitely impact on productivity, even for the simplest of things. What will the productivity impact be, and will the Ministry be studying the impact on civil servants?

Assoc Prof Dr Yaacob Ibrahim: I thank the Member for those two questions. The first answer is yes, we did explore other solutions. I am not at liberty to discuss today in Parliament what solutions we explored because we have a whole range of efforts that we can put in. Clearly, putting in enough anti-viruses into our system is not sufficient because the experts will tell you it can only stop about, maybe, 20% to 30% of the malware. We deliberated this for a very, very long time and we decided that the best way is to do an Internet separation. We have to balance this against costs and usability and given the fact that Internet facing is always a challenge for us, we thought it was better to have a separate system altogether, allowing, of course, public officers to still surf the Internet on different devices. For example, the Prime Minister and some Ministers have already gone on with the separation. I have a separate laptop altogether – it allows me to surf the Internet. So far, it has not affected our work.

On the issue of productivity, I think this is something which we will continue to monitor. Certainly, we do not want to affect the work of our public officers. As I have mentioned in my reply, we have given ourselves one year. There is a whole series of workshops that we are conducting with senior management right down to the IT division within each of the Ministries for them to work together and find the best way forward. I think we recognise that there may be some instances where separation may not be possible now because of the nature of the work. So, we will leave this to the agencies to work with IDA to determine exactly how we are going to proceed. But as a policy, the Government has adopted this as the best way forward for us to ensure that we do not have any more attacks.

At the same time, you and I know; I cannot promise there will be no more attacks because the hackers are becoming more sophisticated, new hacking tools are being developed and it is always very difficult for us to keep ahead. So, we think this is the best approach going forward. But like all governments, we will never close off other options. We will continue to explore what are the available options out there and see whether we will review our strategies down the road.