How the government chief information security officer keeps cyberspace secure — Part 2
This is the second part of an article discussing how the Singapore government is crafting policy, tapping technology and engaging with the community to strengthen the defence of government IT assets and citizen data.
“Not if, but when” is a common refrain in cybersecurity circles, used to highlight the inevitability of an organisation falling victim to a major hacking incident. Given the increasing frequency of cyberattacks, government chief information security officer Mr Chai Chin Loon highlighted that technological solutions are needed to better deter, detect, diagnose and deal with threats.
“For example, we have put in place automated security information event management systems with rules to process voluminous logs to automatically flag incidents to our cybersecurity analysts,” he said. To avoid overwhelming the analysts, some of these systems can even decide whether fishy online activity constitutes a valid threat.
“If the system detects suspicious traffic at one layer of our defences but that traffic gets dropped at the next defence layer, then the threat did not compromise anything, so we should be able to automatically close the case and not trigger more human action,” Mr Chai explained.
Having said that, such systems are currently configured to err on the side of caution and still involve cybersecurity analysts in reviewing cases. The government is always looking to reduce the number of false positives without sacrificing sensitivity to real threats, he added. Greater use of machine learning is one rapidly evolving area in this effort.
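The auto-close rule Mr Chai describes can be sketched as follows. This is an added example, not GovTech's code or any SIEM product's rule syntax; the two-layer event format, field names and 60-second window are assumptions, and the sample events are constructed. In keeping with the cautious default, any alert without positive evidence of a downstream drop is escalated to an analyst.

```python
from collections import defaultdict

def ev(ts, layer, action, src, dst, dport):
    # Assumed normalised event: layer 1 = outer sensor, layer 2 = next defence layer.
    return {"ts": ts, "layer": layer, "action": action, "flow": (src, dst, dport)}

# Constructed sample events (documentation address ranges), not real logs.
EVENTS = [
    ev(100, 1, "alert", "203.0.113.7", "10.0.0.5", 445),
    ev(101, 2, "drop", "203.0.113.7", "10.0.0.5", 445),    # blocked downstream
    ev(200, 1, "alert", "198.51.100.9", "10.0.0.8", 22),
    ev(201, 2, "allow", "198.51.100.9", "10.0.0.8", 22),   # got through
    ev(300, 1, "alert", "192.0.2.44", "10.0.0.9", 3389),   # no layer-2 record
    ev(400, 1, "alert", "203.0.113.50", "10.0.0.5", 80),
    ev(900, 2, "drop", "203.0.113.50", "10.0.0.5", 80),    # drop outside window
]

def triage(events, window=60):
    """Return {flow: (disposition, reason)} for every flow with a layer-1 alert."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[e["flow"]].append(e)
    cases = {}
    for flow, evs in by_flow.items():
        alerts = [e for e in evs if e["layer"] == 1 and e["action"] == "alert"]
        if not alerts:
            continue
        inner = [e for e in evs if e["layer"] == 2]
        drops = [e["ts"] for e in inner if e["action"] == "drop"]
        if any(e["action"] == "allow" for e in inner):
            # Traffic passed the next layer: a possible compromise, never auto-close.
            cases[flow] = ("escalate", "traffic allowed at next layer")
        elif all(any(0 <= d - a["ts"] <= window for d in drops) for a in alerts):
            cases[flow] = ("auto_close", "every alert dropped at next layer")
        else:
            # Missing or late drop evidence: err on the side of caution.
            cases[flow] = ("escalate", "no drop evidence within window")
    return cases

if __name__ == "__main__":
    for flow, (disposition, reason) in triage(EVENTS).items():
        print(flow, disposition, "-", reason)
```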
A walk in the enemy’s shoes
While it is important to focus on defence, being able to think like a hacker is just as critical for shoring up cybersecurity. This is the role of the Red Team in GovTech, which adopts an adversarial mindset in trying to bypass the government’s cybersecurity measures, said Mr Chai.
For example, the Red Team is emulating phishing attacks, posing as hackers who impersonate legitimate organisations to extract private information from unwitting individuals via emails, text messages or voice calls. This has, in turn, pushed GovTech to develop the Jaga platform—a play on the Malay word for ‘to guard’—for easy reporting of phishing emails.
GovTech has also recently released an official government URL shortener—go.gov.sg—to reduce the likelihood of phishing URLs being disseminated. “Other URL shorteners like Bit.ly allow anyone to mask links to dubious sites. Users can trust the gov.sg domain name as one needs a government email to configure a URL, preventing abuses,” Mr Chai said.
Collectively, these developments demonstrate how having an adversarial mindset within the government can lead to better countermeasures against emerging threats.
Reinforcements on the ground
As much as the government is doing to shore up its cybersecurity efforts, citizens can also play their part in helping to identify vulnerabilities in government IT systems. To better engage with the community of ‘white hats’—a term that refers to individuals who hack to expose cybersecurity risks—GovTech has rolled out two initiatives: the Government Bug Bounty Programme and the Vulnerability Disclosure Programme (VDP).
The former awards monetary prizes for reporting vulnerabilities in systems under test during the BBP period. The latter is open all year round, and individuals are recognised with reputation points and non-monetary tokens such as our own version of Arduino called C01N. VDP reporting can be done through the link at the bottom of government web pages.
“Software and IT systems are all set up by humans, and humans make mistakes. The key thing is whether we can catch those mistakes faster than the baddies. And if we can find them through responsible reporting means and not after they have been exploited, then we’re better off,” said Mr Chai.
As a token of appreciation to those who report vulnerabilities via the VDP, a programmable medal will be awarded to them. “These limited-edition medals have built-in Wi-Fi and Bluetooth, which not only allow us to recognise people for their efforts, but also complement the hacking instinct of such individuals,” Mr Chai quipped.
Hence, with sound policy, strong technical expertise, an adversarial mindset within government and active involvement of the white hat community, Mr Chai is optimistic that the delicate balance of cybersecurity, cost and functionality is achievable.