Singapore, fearing cyberattacks -- especially ones related to the ongoing South China Sea cold war -- will, as of next May, disconnect its entire civil service from the internet, airgapping the whole government.
Staff will be issued separate, internet-connected devices for personal business and work duties that require the net.
This will not work.
Here's what will happen, in no particular order:
* Some employees will risk termination by recklessly bridging the airgap network to the public internet, through some combination of connecting a mobile hotspot to a laptop on the airgap, plugging a mobile or broadband modem into an airgap machine, etc -- this will allow attackers access to a network whose primary line of defense is the presumption that it is disconnected, and is thus easier to compromise;
* Many more employees will simply shift an ever-greater proportion of their work to their internet-connected devices, including personal devices. The security model for these devices will be that they do not have sensitive information on them, and thus they will be unable to adequately defend themselves against attacks.
How do I know this? Because it's what happens to every airgap system. It's not that people don't want to protect their employers' data, but disconnecting computers from the internet just makes doing your job harder, and sometimes impossible. The best employees, the people most invested in doing their jobs well, are the ones who will trade the short-term benefit of getting the job done for the long-term, speculative cost of compromising network security.
Abstinence-based policies are wishful thinking, as millions of teen parents can attest.
Some security experts say the policy, due to be in place by May, risks damaging productivity among civil servants and those working at more than four dozen statutory boards, and cutting them off from the people they serve. It may only raise slightly the defensive walls against cyber attack, they say.
Ben Desjardins, director of security solutions at network security firm Radware, called it “one of the more extreme measures I can recall by a large public organisation to combat cyber security risks”. Stephen Dane, a Hong Kong-based managing director at networking company Cisco Systems, said it was “a most unusual situation” and Ramki Thurimella, chair of the computer science department at the University of Denver, called it both “unprecedented” and “a little excessive”.
(Image: ParliamentHouse-Singapore-2007, Yoshimasa Niwa, CC-BY)