Don’t let complacency and bureaucracy jeopardise IT security
By Edwin Yapp November 15, 2013
- Those in charge of public Internet infrastructure, whether politicians or civil servants, must take national IT security more seriously
- Expert views need to be heeded; bureaucracy must not stymie security expertise -- if not, Malaysia suffers
THOUGH I’ve said it more than once and it certainly sounds like a cliché, I’m going to say it again: Security is only as strong as its weakest link.
Yesterday, my colleague A. Asohan painstakingly brought to the fore the issue of how security in today’s online-dominated world is of paramount importance, and how people – especially those in authority – should not claim that everything is under control and that Malaysia is able to fend off cyber-attacks and intrusions.
I won’t repeat the points he made in his commentary but what prompted me to follow up with my own thoughts stems from a comment a guest reader made on the story.
A person by the name of ‘Name’ said, “no system is perfect & fullproof [sic], period. that statement applies globally. what the writer did is not helping the situation at all. foolish rant!”
I don’t exactly know what this comment was trying to get at but IMHO, it misses the whole point of Asohan’s argument completely.
Sure, no system is fool-proof; that is to say, nothing is impregnable or unbreachable 100% of the time. Take two cases, for example.
On April 26, it was reported that Japanese electronics giant Sony had data on more than 70 million customers stolen from its PlayStation and PC games network, including customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, online user handles and usernames.
And in June last year, LinkedIn, the professional social networking site, also suffered a data breach in its systems that resulted in user passwords being stolen. The company did not reveal how many passwords were taken, but the number was believed to be over six million accounts.
As far as telecommunication companies are concerned, they too are not impervious to attacks from those who are committed to the cyber-criminal path. As Digital News Asia (DNA) has reported and commented on before, even the most secure of networks can be breached given enough motivation and time.
The aforementioned companies are by no means your mom-and-pop shops setting up their amateur services on the web for the first time. They are giants who own multibillion-dollar businesses and have no doubt spent heavily on safeguarding their online presence – yet, breaches and compromises do happen.
Closer to home, MyNIC, the Malaysian registrar for the ‘.my’ top-level domain, may have failed to prevent an attempt to breach its Domain Name System (DNS) infrastructure by a hacker group known as Madleets, which led Google Malaysia’s search pages to be redirected, for the second time this year, late on Oct 10.
The brutal truth is that in today’s online world, organisations, whether commercial or governmental, can scarcely afford to take a laissez-faire attitude towards security. This is especially true of public sector entities, which was one of the major points Asohan was trying to make in his commentary.
But I would venture to take it further: Ministers and those in charge of governmental agencies must realise that, in line with the country’s aspiration to become more digital, more serious efforts must be made to ensure that our infrastructure – both software and hardware – is constantly monitored and defended against potential attacks on a 24/7/365 basis.
Simply put, bureaucrats must not downplay security incidents and pass them off as trivial matters.
Case in point: The Star Online reported in June last year that a barely week-old price-watch portal, the ‘1Malaysia Pengguna Bijak (1MPB)’ website, had been breached by hackers who got away with the private details of about 2,000 registered users.
According to the Star, the Domestic Trade, Cooperatives and Consumerism Ministry Deputy Secretary-General Mahani Tan Abdullah, while admitting to the breach of security, downplayed the matter, saying that only “the first layer” of the website’s security was penetrated.
A subsequent news report also had her defending her position and again downplaying the severity of the breach by saying that what the hackers got was only ‘test data,’ which ominously still contained the email addresses of ministry staff.
“Hackers only went into the first layer where they could just read data which contained the names and the email addresses of staff, which, by the way, is in the public domain,” she was quoted as saying.
Whether or not the data was sensitive, comments that seemed innocuous and innocent are anything but.
As I’ve said before, a breach of a public sector website’s security and the theft of information — regardless of whether it was test information comprising internal staff email addresses — no matter how seemingly harmless, is still a breach and should not be downplayed.
And what makes it worse is that instead of acknowledging the weaknesses in how this web service was introduced — one that is fraught with errors and vulnerabilities — a senior spokesperson tried to pass it off by saying the ministry is “not unduly worried” about the whole episode.
This is exactly the kind of attitude that we can ill afford to have in those who are in the corridors of power.
Complementing this point is another one brought up by another reader and DNA columnist Dr Shawn Tan, who noted that there are “some good people working on info-sec in the gov [sic], but often times, their recommendations fall on deaf ears simply because it is troublesome.”
The question that must be asked now is whether security is being compromised because the powers-that-be aren’t listening to the people who are competent and know their stuff.
It’s well known that Malaysia unfortunately has a cultural norm that rewards ‘who you know’ rather than ‘what you know.’
While I have no evidence that the people in charge of security in the public sector are not the people who should be sitting in those positions, it is my hope that those who truly know their security stuff, and who are sounding the alarm bells, are not drowned out by people who may be there for reasons other than their security expertise.
Because to leave our public Internet infrastructure to those who cannot do the job means that the rest of us who depend on it for our livelihood, business and commerce in Malaysia will end up paying too high a price.