Cybersecurity: A Concentric Approach
Contributed by Vincent Kor
“You can’t do that!”, she exclaims.
His fingers race across the keyboard, he grins and says, “Already done.”.
So goes the memorable opening scene from the 1983 movie “WarGames”, where a high school student (played by a young Matthew Broderick) hacks into the school’s computer network and changes his Biology grade. This box office hit propelled the hacker stereotype to classic status in pop culture — bored geeky teenagers engaging in acts of cyber mischief.
Those early days of pre-Internet innocence are long gone.
In today’s hyper-connected world with over 3 billion people and almost 50 billion devices linked to the Internet, modern day hackers are far less interested in hijinks and more likely to harbour malicious criminal intent. Instead of headline-grabbing hacks, they aim for stealthy cyberattacks which go undetected for months or even years.
Their goal is to penetrate, blend in and move at will inside networks over long periods of time — so as to modify, falsify or steal valuable and sensitive data. The exploding population of Internet-connected individuals, organisations and their devices offer an ever-expanding attack surface for cybercriminals.
Coupled with an arsenal of malware openly shared and traded over the dark web, it is no surprise that worldwide losses attributed to cybercrime have been escalating by billions of dollars year-on-year. New strains of malware are also becoming harder to detect and eliminate with legacy cyber defence methods. For example, the Mirai malware is able to evade detection by deleting itself from infected file systems, while the Drye malware’s ability to morph and add functionalities enabled it to mount MITM (man-in-the-middle) as well as DDoS (distributed denial-of-service) attacks across the globe.
In this Internet age, the threat of costly and potentially devastating cyberattacks is a serious risk shared by nations, organisations and individuals around the world. All parties share the responsibility of working together in a multi-tier response to this shared risk.
At its heart, an effective cybersecurity strategy can be visualised as made up of 3 reinforcing concentric layers. Starting with an outermost ring of tough cybersecurity laws, a middle circle of up-to-date cyber defence mechanisms, and an inner core comprising a healthy culture of cyber risk awareness.
In Singapore, we have a perimeter of cybersecurity laws which was first erected nearly 3 decades ago. Before the 1990s, like many other countries, Singapore did not have specific laws targeting computer crimes.
This was understandable given the nascent state of ICT adoption and the low incidence of these crimes at that time. Between 1988 and 1992, there were only 4 computer crime cases which were prosecuted for general offences under the Penal Code.
The legal landscape changed in 1993 when the landmark Computer Misuse Act (CMA) was enacted by Parliament.
In a parliamentary speech, the then Home Affairs Minister explained that the CMA was needed to “deal with crimes committed with or involving the use of computers, for which existing legislation [was] inadequate”. The CMA introduced specific offences and penalties targeted at computer crimes such as the unauthorised access to and the unauthorised modification of computer programs or data — i.e. hacking into a computer network and infecting it with malware.
The range and scope of CMA provisions were progressively enhanced in 1998, 2003 and in 2013, when it was also renamed the Computer Misuse and Cybersecurity Act (CMCA). Keeping pace with the changing tides of cyber-crime and technology, another amendment Bill was passed in April 2017 to further strengthen the CMCA (e.g. criminalising the acts of dealing in misappropriated personal information such as selling stolen credit card numbers or passwords).
These criminal sanctions in the CMCA reinforce and work in conjunction with another key pillar in Singapore’s cybersecurity legal framework — the Personal Data Protection Act (PDPA) which imposes a number of data protection obligations on organisations holding personal information about individuals.
In particular, the PDPA obliges organisations to put in place reasonable security arrangements to protect personal data from unauthorised access, disclosure or modification. Any breach of this PDPA obligation exposes the organisation to financial penalties up to S$1 million as well as the possibility of being sued for civil damages by affected individuals.
The legal, financial and reputational fallouts stemming from data breaches highlight the importance of having the next layer of effective cyber defence mechanisms.
Conventional cyber defences which depend solely on pre-defined network rules or signatures of pre-identified malware are not effective against determined and well-resourced attackers. Standard endpoint protection and sandbox systems are unlikely to intercept unconventional attacks by polymorphic malware which are designed to conceal their characteristics when examined — and to unleash their malicious payloads only upon entry into the target networks.
Confronting this breed of “smart” malware calls for cyber defenders to deploy methodologies involving the use of artificial intelligence (AI) and machine learning.
By simultaneously scanning multiple data and network traffic, such AI-driven tools augment SEM (security event management) systems by learning the normal activities of network users and devices, so that any departure from the baseline will trigger an anomaly response. They help to identify unusual traffic patterns such as when local user-accounts log in from hitherto unknown locations, or when particular group users retrieve sensitive data from another group server which they do not ordinarily access.
However the efficacy of such technological defence measures can still be seriously hampered if individual users remain careless or oblivious to the dangers posed by cyberattacks. These human-linked limitations bring up the third and arguably most essential part of an effective cybersecurity strategy: To prevent individuals from becoming easy victims, it is vital to develop and inculcate a healthy culture of cyber risk awareness.
This often starts with a campaign to educate individuals about the nature of cyber threats and promoting the adoption of good cyber hygiene habits.
Basic elements of these habits include having strong passwords with a long mixture of letters, numbers and symbols, changing the default factory passwords on IoT devices, and where available, using second-factor authentication (2FA) login methods.
Organisations can also reap significant benefits from their active participation in these cybersecurity awareness campaigns. Not only would their employees become more aware and resistant to potential attacks (e.g. spear phishing attempts), they can also act as sentinels by raising the alarm during the early stages of a cyberattack.
An example of a cybersecurity awareness campaign is one recently launched by the Government Technology Agency (GovTech). As the lead agency for public sector ICT systems and services, GovTech’s campaign involves the use of a friendly mascot, Jaga the cybersecurity hedgehog (Jaga being the Malay word for ‘to guard’).
Through a creative series of outreach programmes, Jaga provides useful reminders and practical tips to over 100,000 public service personnel on how to be cyber safe. The campaign’s positive message “Cybersecurity — Shared Risk, Shared Responsibilities” strongly resonates with the underlying ethos of an effective multi-tier, concentric cybersecurity strategy.
Individuals, organisations and nations share a common responsibility to help each other stay cyber-secure.
And that, we can do, together.
Vincent Kor is the General Counsel of the Government Technology Agency where he heads its Legal Division.