The Buzz over Going Digital: Too Smart to be Private

By Chandreyee Ray

ILLUSTRATION: CHANDREYEE RAY

- Dr Desmond Wai Chun Tao, a gastroenterologist and hepatologist in private practice speaking to TODAY, 18 November 2017.

- Nick Savvides, Symantec Asia Pacific’s chief technology officer, to TODAY, 23 February 2019.

Singapore is the smartest city in the world, according to the 2019 IMD Smart City Index, which assessed citizens’ perception of the technology applications available to them amongst 102 cities. And that result came just five years after Prime Minister Lee Hsien Loong launched the Smart Nation initiative to integrate technology into public services, business and daily living. You see it in hawker centers which accept card payments or a simple wave of your smart phone in lieu of cash. You see it when your doctor calls up your medical records online or when you top up your MRT card at the train station’s cashless kiosk. In fact, you can track most of your transactions with government agencies on the internet – including fines owed.

A whole slew of alphabet soup-type agencies was formed to power the Smart Nation thrust. You need only know two:

1. GovTech or Government Technology Office, which is the old Infocomm Development Authority of Singapore (IDA), is in charge of delivering government’s digital services to the public.

2. The Smart Nation and Digital Government Office (SNDGO), comprising cyber-savvy civil servants from various ministries, was formed in 2017 to lead the digital transformation of the public sector.

Put them together you have the mother of all alphabet soups: SNDGG or Smart Nation and Digital Government Group. SNDGG is headed by a ministerial committee chaired by Senior Minister Teo Chee Han. Collectively, this group pushed forward Singapore’s Smart Nation thrust, beginning with things like data-sharing.

Most Singaporeans would acknowledge that data-sharing is valuable. The National Electronic Health Records (NEHR), for example, has summary records for every patient who visits an authorised medical institution or practitioner. Any doctor can access this, with no permission required. The longitudinal medical data could help make diagnoses more efficient and accurate, and could even save lives in emergencies. But concerns arise over the security of such personal data and raises the question of whether patients would even like to have their data kept in a central database in the first place.

The speed and convenience that technology brings, therefore, comes with risks. Cashless transactions also make it easier for your bank account to be accessed by cyber-criminals. A weak point in an online integrated system could lead to a crippling of infrastructural networks such as powerlines, water and transportation networks. A 2019 report by US cyber-security firm Carbon Black showed that as many as 96% of organisations in Singapore, including government agencies, have had at least one breach in the past 12 months due to external cyber-attacks.

Moreover, phishing is a growing threat in Singapore, with over 2% of worldwide cases occurring here. Phishing involves fraudulent attempts to obtain sensitive information like passwords and credit card details by posing as a trusted website or institution. For example, students may receive emails from hackers pretending to be their university, and may be duped into clicking a malicious link containing malware.

Beyond these tangible potential outcomes, there is the more insidious impact on privacy. Street lamps that can see you, CCTV cameras trained at taxi passengers and other devices that capture your private self are all elements of a smart nation as well. To defend against these threats, cyber security laws are now more prevalent than ever, forming a new pillar of total defence. Here are two laws you need to know:

1. Personal Data Protection Act: Implemented in 2012, PDPA governs the collection, use, and care of personal data by all private organizations with a series of rules they have to abide by. Failure to comply with the PDPA’s rules results in warnings and fines from Singapore’s privacy watchdog PDPC.

2. Cybersecurity Act: This was introduced in March 2018, providing a legal framework for maintaining national cyber-safety in Singapore.

While the government is exempt from the PDPA, the Public Sector (Governance) Act passed in 2018 tightens up the sharing of info amongst Government agencies. The law stipulates that regular audits must be conducted, personal identifiers must be removed where

appropriate, access to sensitive personal data must be limited.

In spite of these safeguards, experts fear that due to the ever-evolving and fast-paced nature of the cyber-space, Singapore’s defences and laws may struggle to keep up with the growing sophistication of hackers and cyber criminals. Indeed, the recent onslaught of cyber-attacks continued even after the Cybersecurity and Public Sector Governance Bills were passed in 2018.

BUZZ POINTS

SingHealth data breach

The most high-profile and large scale cyber-attack on Singapore was the SingHealth data breach in June 2018, resulting in over 1.5 million patients’ medical data being stolen, including PM Lee Hsien Loong, whose medical records hackers repeatedly targeted.

Patient privacy became a salient issue over which not only patients but many medical practitioners raised concerns over, especially since the government announced that it planned to make it mandatory for all doctors to upload the medical records of their patients to the National Electronic Health Records (NEHR). If the worry of data leaks were hanging over patients’ heads, would they be willing to reveal all their medical concerns or history to the doctors? Doctors also raised the hypothetical scenario where hackers stealthily altered patients’ medical records without detection. This would lead to wrong diagnoses, which could kill you.

One key change that followed the SingHealth attack was that Internet Surfing Separation, a security policy in place from 2016 which cut internet access from all employee computers in government agencies, was now extended to public health agencies as well. This, according to then-Deputy Prime Minister and Coordinating Minister for National Security Teo Chee Hean, could have even impeded the SingHealth data breach had it already been in place prior to the hack. While it does increase security by making staff computers in public health agencies less vulnerable to hacks through the internet, it is not fool-proof against sophisticated attackers. Additionally, the lack of internet access has increased staff fatigue and waiting times at clinics and hospitals.

More troubling yet is the waging of cyberwarfare by state actors. IT security vendor Symantec released a report in March 2019 about the SingHealth attack, in which a hacking group dubbed “Whitefly” was dubbed the culprit. Because of the resources, time, and sophistication required, cyber experts have theorized that the cyberattack was likely to have been state-sponsored. Communications and Information Minister S. Iswaran said in Parliament that the hackers behind the breach were a sophisticated class of attackers who were ‘typically state-linked”. He added that the culprit's continued attempts to access SingHealth’s network even after detection was the “typical signature” of a nation-state actor. The involvement of state actors thus suggests that the cyber-space will increasingly become a domain on which international relations, or even warfare, will be played out.

Following the SingHealth data breach, the community of inquiry that was convened found that the cause of the breach was not only vulnerabilities within the system, but also lapses from employees who did not understand cybersecurity. The PDPC then fined SingHealth and Integrated Health Information Systems (IHiS), SingHealth’s IT vendor, $250,000 and $750,000 respectively, leading to cumulative fine of $1 million. Penalties issued by the PDPC has been on the rise. Here is the list of penalties issued in November 2019.

HIV data breach

The fear that data-hungry hackers and criminals were targeting Singaporean’s private information was heightened with the 2019 HIV data breach, when the confidential information of 14,200 people with HIV, including their names, contact details and medical information, were stolen and leaked online by American Mikhy Farrera-Brochez. Ferrera-Brochez obtained the information a few years prior from his then-partner, Ler Teck Siang, a Singaporean doctor. Ler was head of MOH's National Public Health Unit from 2012 to 2013, and had access to the online HIV registry. Brochez then sent parts of this confidential data to various government agencies, threatening to release them online publicly if his demands were not met. Brochez was deported and subsequently convicted in the US for extorting the Singaporean government.

Blood donor registry, Email Log-in Info, Mindef

Most recently, MINDEF was affected by two separate data breaches. In December of 2019, it was reported that the personal data of 2,400 MINDEF and Singapore Armed Forces personnel could have been affected by an ST Logistics personal data breach. The possible breach resulted from recent email phishing activities, containing malware sent to its employees’ email accounts.

Separately, the HMI Institute of Health Sciences, a vendor of the SAF, said that it found that a file server was encrypted by ransomware on Dec 4. The affected system contained personal data of 120,000 individuals, of which about 98,000 are MINDEF and SAF personnel. Their full names and NRIC numbers were backed up in the affected server.

In March of 2019, a Russian cyber-security company, Group-IB, revealed that the E-mail log-in information of employees in several government agencies and educational institutions, as well as details of more than 19,000 compromised payment cards from banks here, had been put up for sale on the dark web by hackers. These agencies included MOE, MOH, and the Singapore Police Force. A spokesman from the SNDGG disclosed that credentials were leaked from the use of these government email addresses for the officers' personal and non-official purposes, and not not from government systems.

Yet another health-related data breach occurred in 2019, when it was discovered that the personal information of over 800,000 blood donors in Singapore was left exposed on the Internet for nine weeks starting on January 4. This information, which included names and NRIC numbers, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight, was leaked after the data was uploaded to an unsecured database by an IT vendor of the Health Sciences Authority (HSA).

What would hackers do with personal information anyway? Individual fears can extend from being bombarded by nuisance calls and emails, being blackmailed, or targeted for some kind of attack. Collectively, personal information can be sold for a price on dark web marketplaces, using untraceable currency like bitcoin. In the above case, Group-IB valued the compromised credit card information at more than $600,000. Other known examples of data sales include the MyHeritage data breach, where data from 65.7 million accounts was sold for around $3,500, and the MyFitnessPal data breach, where 50 million accounts were sold for around $4,200.

Digital issues do not consist only of hacks and data-breaches. In February 2019, software errors at MOH resulted in 7,700 individuals receiving inaccurate healthcare and intermediate- and long-term care subsidies. Among the affected individuals, about 1,300 individuals received lower subsidies than what they were eligible for. MOH announced that the discrepancies would be rectified via collections and reimbursements.

Despite the various incidents, the government has shown no signs of slowing Smart Nation initiative down. There are, however, new legislation and guidelines to bolster data safety in Singapore. From September 2019, new rules regarding NRICs stipulate that it will be illegal for organisations to physically hold on to an individual's NRIC and collect its full number.

This rule also extends to birth certificate numbers, foreign identification numbers and work permit numbers. This was put in place as a response to overwhelming use and storage of NRIC numbers by various companies and organizations, which according to the PDPC, posed danger to data safety. "As NRIC numbers can be used to retrieve data relating to individuals, there is a need to reduce indiscriminate or unjustified collection and negligent handling of NRIC numbers," the PDPC said in its statement.

Leaving the old behind

Even as the move seems inexorable, the pace seems to have left some older folk behind. While most of us enjoy the benefits of cashless hawker centers that allow us to pay for our kopi with just a few clicks on our smart phone, new technology can alienate the older generation. Studies have shown that many elderly, especially the less educated, face anxiety when it comes to trying and learning about new technology. NUS sociologist Tan Ern Ser noted that due to lack of digital literacy among older folk, they are likely to be intimidated by a steep learning curve. This digital divide could lead to a growing “sense of alienation and helplessness”. Given that essential government services will increasingly be involved, questions can be raised about the inclusiveness of these Smart Nation Initiatives.

And it’s not just the elderly who worry. Low wage workers worry too as robots become an increasingly common sight in Singapore, taking the roles of servers, cleaners, and even assistants in hospitals. According to Local robotics firm LionsBot International, 300 cleaning robots will be rolled out in Singapore by March 2020. These robots will take the roles of human cleaners, who will presumably be out of a job once they are replaced. With automation slated to replace so many human employees, how are they going to continue to make ends meet?

Nevertheless, the government has its eyes set on expanding the nation’s cyber-security by ramping up on the number of individuals trained in cyber-security, and data security experts. In fact, a study showed that in 2019, job postings for data security experts jumped 32%, with most of the demand driven by the government.

Read Chandreyee’s take on this here.