By Alex Cruickshank
Sept. 16, 2016
Any risk analysis has to take into account consequences as well as probability. In Singapore's case the risk is non-zero and the consequences are potentially calamitous. So by disconnecting 100,000 public sector workers' computers from the internet, Singapore is removing - or at least reducing - 100,000 potential threat vectors that could result in a catastrophic breach of citizens' private information, or worse.
Inevitably, this move will make some aspects of life more difficult. Although there will be separate internet-connected machines for employees to access the outside world, this will increase staff workload. But there will be benefits too, above and beyond the security aspect:
- Email can be a productivity sink, the internet in general even more so. Expect higher productivity and probably better customer service. Sure, there's a tier of society used to interacting with government workers online, but those people may just have to pick up the phone instead, or write a letter.
- IT support costs should drop. One of the most time-consuming aspects of maintaining a network of computers is the constant updating required to maintain security, or at least the fig-leaf of security. Remove internet access and that massive headache goes away.
- Then there's the huge saving on IT consultants with four-figure day rates. They'll be forced to find more gullible governments to which they sell their "Connect and centralise everything!" snake oil.
Some pundits have commented that this decision won't make the Singapore systems completely secure. Of course it won't. No computer can ever be completely secure, unless you encase it in concrete and sink it in the ocean. But references to the Stuxnet worm propagating via USB stick are not hugely helpful here. Even USB ports can be disabled - with epoxy resin if necessary.
It won't be the end of the world for Singaporeans and their government. Fifteen years ago few government computers were connected to the internet anyway, and people got by. It will be inconvenient and there will be an awkward transition period, and then it'll be business as usual.
This move won't make Singapore's government computers completely secure. But it will make themmore secure. Singapore may be the first government to take this apparently drastic step, but it's unlikely to be the last.