Infocomm Dysfunctional Authority

Yaacob the Info minister wrote on Facebook a few days ago that many agencies have worked hard in the past weeks to strengthen the security of Singapore’s computer systems and websites*, and those responsible for the recent hacking incidents have been arrested or are being investigated**.

Taz gd, but what about making sure that IDA works hard and competently to give the public info on cyber security accurately, and in a timely manner? Rather than inaccurately, and only after cyber leaks and DRUMS.

Going by its recent ingloriously track record, Infocomm Development Authority of Singapore (IDA) should be renamed   Inforomm Dysfunctional Authority  because it’s so dysfunctional  in communicating info on cyber security and ICT matters.

It can’t even explain to our constructive, nation-building local journalists that the PMO’s website was not hacked. Granted that our well-paid hacks are not the most intelligent people in S’pore, but surely Yaacob’s finest could have told them in simple English, “PMO’s website was not hacked into”?

Singapore ICT regulator Infocomm Development Authority (IDA) was cited by local media reports to blame a vulnerability in Google’s search bar, embedded in the two websites, as the cause of the breach. In a media briefing to which only local media were invited …

… a Google spokesperson told ZDNet in an e-mail Wednesday: “It has come to our attention that the PMO’s website recently experienced an attack in the search functionality of the site run by Google’s Custom Search Engine site-search widget.

“After investigation, it appears that the code in the Google custom search engine is safe and the vulnerability lies with the coding on the webpage.”

While IDA declined to comment further on this issue as it is currently under police investigation, ZDNet understands the regulator was misquoted in local news reports. Rather than Google’s search bar, it had instead pointed to a vulnerability in the search function which the hackers were able to exploit and redirect visitors to the external webpages.

(http://www.zdnet.com/sg/google-denies-its-search-bar-caused-singapore-websites-breach-7000023129/)

At the very least, IDA gave the impression that our cybersecurity machinery was the equivalent of the flood prevention team  when Yaacob was “flooder-in-chief”.

Now onto an earlier, and more major, failure to communicate. Remember the Saturday a few weeks ago when govt websites suddenly closed for “routine maintenance’? Although they were soon up, netizens suspicions were aroused and they started playing DRUMS in the absence of authoritative info.

And they were correct to think that there problems, only not hacking but cock-ups.

Only on Monday evening (after a memo surfaced on the internet), IDA admitted the problems in accessing several Singapore government websites over the weekend were due to technical problems that arose during maintenance on Saturday afternoon. While the glitches have been rectified, people accessing these websites may continue to face intermittent access as maintenance was still ongoing.

In this day and age, IDA should communicate openly with the public. After all, this is not North Korea, even if our media ratings are close to that of the North Koreans than that to the US or UK.

I leave it to this blogger who wrote before IDA admitted that there were cock-ups, not juz “routine maintenance” to explain what I mean:

“It’s strange that the IDA did not deem it fit to update people more regularly when so many sites were out of service. Not only were they unable to transact, say, on SingPass, they were also wondering if indeed a cyber attack had been carried out against government agencies, as part of a bigger wave of attacks.

…

Ironically, the IDA can look at the way SingTel updated its customers in the hours after a fire at a telephone exchange just weeks ago. Though the damage was way bigger, angering a lot more customers, at least they knew what was going on.

…

And fall short, it definitely did this time. While there is speculation on why and how the sites could have been down, one thing is clear – this maintenance caused the sites to go down longer than expected.

That itself reflects badly on the nation’s cyber security efforts. “Self pwn” is the phrase that comes to mind when you bring down your own networks inadvertently.”

(http://www.techgoondu.com/2013/11/03/commentary-should-maintenance-bring-down-government-websites-for-hours/#.Ungbl1Nfp-d)

Recently, CNA reported, Singapore’s Acting Minister for Culture, Community and Youth, Lawrence Wong, has said that countries in Asia need to adapt to emerging trends in social media, in order to get the new generation more engaged in literature and the arts.

Maybe he sould have a talk with  Yaacob and s/o Devan Nair who seem clueless about the effect of social media and the internet on public communications and PR in general. Strange this cluelessness, given their roles in govt as public communicators and PR. or they juz there for wayang.

One final tot. I’m surprised that neither GG nor TRE nor TOC tot it fit to ask if the people responsible for website security in general or the maintenance cock-ups, in particular,  were FTs or true-blue S’poreans.

This blogger has argued we need a S’porean core in cyber security.

One “career path” often joked about, but taken somewhat seriously, is to get into an IT management role in a bank then outsource the dirty work to vendors, sit back and enjoy a Dilbert moment every day.

Now, when that dirty work is cyber security, there is a problem. It’s an area where you can’t be an expert without getting your hands dirty. Yes, there are security solutions out there to tap on, but it is important to know your own servers well. How can you secure your home if you don’t know where the holes are in your fences?

Similarly, when it comes to defending national infrastructure, it pays to have a ready pool of experts, with actual hands-on experience.

This work cannot be easily outsourced, since it may involve getting access to sensitive information, say, military secrets. A Singaporean core, to borrow the government’s term, may be needed in such as an operation.

http://www.techgoondu.com/2013/11/12/commentary-singapore-hacking-cases-show-importance-of-deep-infocomm-expertise/comment-page-1/#.Uofv9idfp-c

But will our FT-loving govt listen? Worse it seems the govt’s model of “Talent is two-timing new citizen Raj or Tammy’s killer or the FTs that beat up S’poreans and then fled S’pore (one was even given PR after the beating), or a violent, cheating PRC shop assistant, or PRC hawkers or a looney, violent bank director.

—

*“A quote from a decade and a half ago: ‘Secure web servers are the equivalent of heavy armoured cars. The problem is, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights and there are no police.’”
—Richard Guy Briggs on “Besieged”, Nov 9th 2013

**Taz before the latest reported hack of schools’ sites and a local museum’s mailing list was made public in NZ. Don’t know if you notice, but the local media is downplaying the security implications of the hacks by making them sound trivial.The schools’ hack is “defacement” and the mailing list was described as being on the website. The Hard Truth is that in these cases, servers were broken into.

This is in contrast to the “hack”of PMO’s site which was over-sensationalised. (There was no hack there as reported above. In the PMO’s case, at no time was there any server intrusion. The server was secure.) One wonders if IDA has finally educated the hacks on the basics of cyber security or did it order them to downplay the hacks as the hacks would imply that contrary to Yaacob’s comments about working hard to fix security issues, the cyber security teams are not working hard, or worse, working hard incompetently.