Singapore is awesome. Since starting Authentic8, I haven’t been back, but I was lucky enough to visit regularly in previous jobs. The island city-state is known for taking care of business and of its citizens, as well as for its “Smart Nation” technology initiative.
But now Singapore has announced that it plans to block internet access for 100,000 government workers, in the name of cybersecurity. It’s not clear that this approach is a practical way of ‘taking care of business’.
It doesn’t look like the smartest move to me. And Singapore’s Prime Minister already seems to have second thoughts, too. I wonder why?
According to the Gallup organization, 84% of Singapore’s residents have expressed confidence in the pragmatic and speedy approach their government takes to steering the affairs of the nation.
But that’s from a survey that was taken a while back, long before this week’s announcement by the nation’s Infocomm Development Authority (IDA), which handles cybersecurity.
In a BBC interview last week, a spokesperson announced: "We have started to separate internet access from the work stations of a selected group of public service officers, and will do so for the rest of the public service officers progressively over a one-year period."
100,000 public service computers will be disconnected from the internet by May 2017, according to IDA. Talk about a cut-off date.
As in, “cutting off the nose to spite the face.” Sounds ridiculous, doesn’t it? It sounds ridiculous, but the logic is sound.
While they didn’t specify the exact reason for the move, speculations abound. Perhaps Singapore is learning from its data breaches faster than our own government has from the massive data breaches affecting U.S. federal agencies.
Since most government workers use regular internet browsers, they become easy targets for data theft and intrusion attempts. Local browsers have inherent security weaknesses. Their design is rooted in the late 1980s, when web security was not a concern.
Even the best-reputed websites can be infected with malicious software, like password-stealing “keylogger” programs or exploits that open the door for state-sponsored and criminal hackers. As long as the browser fetches code and executes it locally, the threats will persist. Or, as one of our Federal customers puts it: “We spend tens of millions of dollars per year on network security, and we still have these problems.”
Right idea, wrong strategy
Judging by Singaporean’s public outcry on social media, the city-state’s government approval ratings may have suffered a severe blow from the announcement. Government employees who need the internet for work now will be assigned specialized machines, or may use their mobile devices.
It’s not that Singapore’s Prime Minister Lee Hsien Loong doesn’t feel their pain. “[A] nuisance”, “inconvenient“, "it will slow us down in terms of day to day productivity”, he told Channel News Asia. “But in terms of security, safety of our system, safety of our citizens and information concerning them, it’s absolutely necessary."
We’ve seen this strategy before - in commercial markets where IT needs to restrict user access, and in government areas where employees access the web from secure facilities. It’s never a popular policy, and can add to the recruitment and retention challenge in the battle for talent. Top performers who grew up with the internet don't want to be relegated to an IT environment that feels like a step backward in time.
That’s why those organizations subsequently solved the internet access-from-work conundrum with more grace - by deploying our product, Silo. Silo is a one-time use browser built in the cloud. It executes all web code in a secure container, delivering only a rich display of the web to the user.
No web code ever reaches the device, IT can easily manage policies to restrict or enable features like file upload/download, copy/paste, and more. Once the user is done and terminates the web session, the browser is destroyed.
Silo creates perfect insulation between sensitive government or business IT environments - device, network, data - and the user’s access to websites. IT can define all sorts of rules of what employees can do online, but isn't forced to "go all Singapore" on them and block access.
We think that’s a much better strategy.
About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.