Mind the air-gap: Singapore’s web cut-off balances security, inconvenience | Reuters

A piece I co-wrote on Singapore’s decision to effectively air-gap most of its government computers — beyond security, military and intelligence. This is not something they’ve done lightly, but it does feel as if they might not have thought it all the way through. On the other hand, there were quite a few people I spoke to who said this might be the thin end of a larger wedge. And what does this mean for the cybersecurity industry? 

Mind the air-gap: Singapore’s web cut-off balances security, inconvenience | Reuters:

By Jeremy Wagstaff and Aradhana Aravindan | SINGAPORE

Singapore is working on how to implement a policy to cut off web access for public servants as a defense against potential cyber attack – a move closely watched by critics who say it marks a retreat for a technologically advanced city-state that has trademarked the term ‘smart nation’.

Some security experts say the policy, due to be in place by May, risks damaging productivity among civil servants and those working at more than four dozen statutory boards, and cutting them off from the people they serve. It may only raise slightly the defensive walls against cyber attack, they say.

Ben Desjardins, director of security solutions at network security firm Radware, called it ‘one of the more extreme measures I can recall by a large public organization to combat cyber security risks.’ Stephen Dane, a Hong Kong-based managing director at networking company Cisco Systems, said it was ‘a most unusual situation’, and Ramki Thurimella, chair of the computer science department at the University of Denver, called it both ‘unprecedented’ and ‘a little excessive.’

But not everyone takes that view. Other cyber security experts agree with Singapore authorities that with the kind of threats governments face today it has little choice but to restrict internet access.

FireEye, a cyber security company, found that organizations in Southeast Asia were 80 percent more likely than the global average to be hit by an advanced cyber attack, with those close to tensions over the South China Sea – where China and others have overlapping claims – were particularly targeted.

Bryce Boland, FireEye’s chief technology officer for Asia Pacific, said Singapore’s approach needed to be seen in this light. ‘My view is not that they’re blocking internet access for government employees, it’s that they are blocking government computer access from Internet-based cyber crime and espionage.’

AIR-GAPPING

Singapore officials say no particular attack triggered the decision, but noted a breach of one ministry last year. David Koh, chief executive of the newly formed Cyber Security Agency, said officials realized there was too much data to secure and the threat ‘is too real.’

Singapore needed to restrict its perimeter, but, said Koh, ‘there is no way to secure this because the attack surface is like a building with a zillion windows, doors, fire escapes.’

Koh said he was simply widening a practice of ministries and agencies in sensitive fields, where computers are already disconnected, or air-gapped, from the Internet.

Public servants will still be able to surf the web, but only on separate personal or agency-issued devices.

Air-gapping is common in security-related fields, both in government and business, but not for normal government functions. Also, it doesn’t guarantee success.

Anthony James, chief marketing officer at cyber security company TrapX Security, recalled one case where an attacker was able to steal data from a law enforcement client after an employee connected his laptop to two supposedly separated networks. ‘Human decisions and related policy gaps are the No.1 cause of failure for this strategy,’ he said.

‘STOPPING THE INEVITABLE’?

Indeed, just making it work is the first headache.

The Infocomm Development Authority (IDA) said in an email to Reuters that it has worked with agencies on managing the changes ‘to ensure a smooth transition,’ and was ‘exploring innovative work solutions to ensure work processes remain efficient.’

Johnny Wong, group director at the Housing Development Board’s research arm, called the move ‘inconvenient’, but said ‘it’s something we just have to adapt to as part of our work.’

At the Land Transport Authority, a group director, Lew Yii Der, said: ‘Lots of committees are being formed across the public sector and within agencies like mine to look at how we can work around the segregation and ensure front-facing services remain the same.’

Then there’s convincing the rank-and-file public servant that it’s worth doing – and not circumventing.

One 23-year-old manager, who gave only her family name, Ng, said blocking web access would only harm productivity and may not stop attacks. ‘Information may leak through other means, so blocking the Internet may not stop the inevitable from happening,’ she said.

It’s not just the critics who are watching closely.

Local media cited one Singapore minister as saying other governments, which he did not name, had expressed interest in its approach.

Whether they will adopt the practice permanently is less clear, says William Saito, a special cyber security adviser to the Japanese government. ‘There’s a trend in private business and some government agencies’ in Asia to go along similar lines, he said, noting some Japanese companies cut internet access in the past year, usually after a breach.

‘They cut themselves off because they thought it was a good idea,’ he told Reuters, ‘but then they realized they were pretty dependent on this Internet thing.’

Indeed, some cyber security experts said Singapore may end up regretting its decision.

‘I’m fairly certain they would regret it and wind up far behind other nations in development,’ said Arian Evans, vice president of product strategy at RiskIQ, a cyber security start-up based in San Francisco.

The decision is ‘surprising for a country like Singapore that has always been a leader in innovation, technology and business,’ he said.

(Reporting by Jeremy Wagstaff and Aradhana Aravindan, with additional reporting by Paige Lim; Editing by Ian Geoghegan)

BBC – Cybercrime: One of the Biggest Ever

My contribution to the BBC World Service – Business Daily, Cybercrime: One of the Biggest Ever

Transcript below. Original Reuters story here

If you think that all this cybersecurity stuff doesn’t concern you, you’re probably right. If you don’t have any dealings with government, don’t work for an organisation or company, and you never use the Internet. Or an ATM. Or go to the doctor. Or have health insurance. Or a pension.

You get the picture. These reports of so-called data breaches — essentially when some bad guy gets into a computer network and steals information — are becoming more commonplace. And that’s your data they’re stealing, and it will end up in the hands of people you try hard not to let into your house, your car, your bank account, your passport drawer, your office, your safe. They may be thieves, or spies, or activists, or a combination of all three.

And chances are you won’t ever know they were there. They hide well, they spend a long time rooting around. And then when they’ve got what they want, they’re gone. Not leaving a trace.

In fact, a lot of the time we only know they were there when we stumble upon them looking for something else. It’s as if you were looking for a mouse in the cellar and instead stumbled across a SWAT team in between riffling through your boxes, cooking dinner and watching TV on a sofa and flat screen they’d smuggled in when you were out.

Take for example, the case uncovered by researchers at a cybersecurity company called RSA. RSA was called in by a technology company in early 2014 to look at an unrelated security problem. The RSA guys quickly realized there was a much bigger one at hand: hackers were inside the company’s network. And had been, unnoticed, for six months.

Indeed, as the RSA team went through all the files and pieced together what had happened, they realised the attack went back even further.

For months the hackers — almost certainly from China — had probed the company’s defenses with software, until they found a small hole.

On July 10, 2013, they set up a fake user account at an engineering website. They loaded what is called malware — a virus, basically — to another a site. The trap was set. Now for the bait. Forty minutes later, the fake account sent emails to company employees, hoping to fool one into clicking on a link which in turn would download the malware and open the door.

Once an employee fell for the email, the hackers were in, and within hours were wandering the company’s network. For the next 50 days they mapped the network, sending their findings back to their paymasters. It would be they who would have the technical knowledge, not about hacking, but about what documents they wanted to steal.

Then in early September they returned, with specific targets. For weeks they mined the company’s computers, copying gigabytes of data. They were still at it when the RSA team discovered them nearly five months later.

Having pieced it all together, now the RSA team needed to kick the hackers out. But that would take two months, painstakingly retracing their movements, noting where they had been in the networks and what they had stolen. Then they locked all the doors at once.

Even then, the hackers were back within days, launching hundreds of assaults through backdoors, malware and webshells. They’re still at it, months later. They’re probably still at it somewhere near you too.

Some Early Lessons from The Georgian Cyberwar

image

illustration fron Arbor Networks

There’s some interesting writing going about the Georgian Cyberwar. This from VNUnet, which seems to confirms my earlier suspicion that this was the first time we’re seeing two parallel wars: 

“We are witnessing in this crisis the birth of true, operational cyber warfare,” said Eli Jellenc, manager of All-Source Intelligence at iDefense.

“The use of cyber attack assets in conjunction with kinetic military operations in the current crisis now stands among the most significant developments ever seen in the field of information security or cyber conflict studies.”

Others suggest that in fact there are examples of earlier parallel conflicts: Kosovo, among them, says Arbor Networks’ Jose Nazario.

ZDNet’s Dancho Danchev takes the idea that this is all about denying participants a chance to get their message out a stage further: those put out of action are being forced to get their message out through other channels. Georgia’s foreign ministry, for example, has set up a blog at Blogger and the website of the Polish president.

The mainstream press is having a go at the story, too, including the Journal and the NYT. The main culprit, the articles suggest (following Georgia’s own claims), is the Russian Business Network, a St. Petersburg-based gang.

But as this article points out, finding out who is responsible is a slow business. Indeed, this is a strange feature of cyberwar that makes it more akin to terrorism than to warfare. This kind of makes the notion of establishing responsibility a little beside the point. Cyberattacks are a chance for ordinary (well, sort of ordinary) citizens to do their bit for the war effort. In this sense the government is a customer for the services of botnet and hacker groups or individuals with skills the government is happy to see deployed on its behalf, while able to plausibly deny it has anything to do with.

Indeed, we may be missing the more interesting aspect of this, one that predates South Ossetia. Now we’re just seeing cyber attacks work alongside the physical, or kinetic, attacks. A sort of psywar, since it’s mainly about getting the word out and winning hearts and minds.

But what about a cyberwar conducted on its own, but one that leads to a physical war—at least, a cold one? Joel Hruska at arstechnica points out in a piece written a week ago, that an uncovered little cyberwar—or rather cyber-hacktivism—in Lithuania, led to a serious cooling of relations between its government and that of Russia. As with Estonia last year, the attack “marked the first time I was aware of in which a single individual with a computer was able to notably impact relations between two neighboring nations.”

Georgia, however, represents the first time we’ve seen a government almost wiped off the Internet. Whether this is a prelude to it being wiped off the map is something we’ll have to wait and see. But already some conclusions are becoming obvious:

  • Cyberwar is too powerful a tool for any government to ignore, both offensively and defensively;
  • Cyberwar is not just about putting citizens of a target country in the dark; it’s about making it impossible for the target government, and its citizens, to get their side of the story out.
  • As these tools get more powerful, when will we see cyberwar as a specific phase in a physical war designed to achieve what used to be done by the physical bombardment of communication centers?
  • Botnets, and their owners, are powerful players beyond the underworld of spam and phishing. A government that has them operating within their borders must surely know of their existence; if it hasn’t shut them down already, is it too great a leap of logic to suggest there must, at some level, be a relationship between them?

Georgia gets allies in Russian cyberwar – vnunet.com