Singapore Healthcare cyberattack: Not revealing hacker still a ‘puzzler’


RIGHT or wrong? Sensitive or sensible? Transparent or hiding cards closest to chest?
The decision by Minister-in-Charge of Cybersecurity S. Iswaran on Tuesday not to reveal the identity of the perpetrator behind Singapore’s worst-ever cyberattack has drawn contrasting views.

Delivering his Ministerial Statement on the aftermath of the 2018 SingHealth cyberattack, which saw the personal particulars of almost 1.5 million patients stolen from the agency’s database, including, significantly, those of Prime Minister Lee Hsien Loong, who is a two-time cancer survivor, Mr Iswaran acknowledged that the identity of the attacker was known. “Appropriate action has been taken…but, for national security reasons, I will not comment further,” he said, abruptly closing the matter.

Despite being egged on by Members of Parliament Vikram Nair and Cedric Foo (the latter noted that “there seems to be a vacuum as far as the sense of justice”), Mr Iswaran would not provide more details of the “skilled and sophisticated” attacker.

Sources close to the probe, believed to be the largest in Singapore’s history, say it is not in the national interest to nab or even name the perpetrator of a cyberattack that breached 1.5 million health records. The probe called for hearings and considered factors like the attacker’s persistence, resources and advanced tactics.

“The attacker had a clear goal in mind, namely the personal and outpatient medication data of the Prime Minister in the main,” said the source, who declined to be identified.

Minister Iswaran instead urged the House to look at the totality of the government’s response to the attack. For example, the incident was revealed “within days”, and extensive measures have been taken to plug the cybersecurity gaps.

“We have to exercise judgement: what is in our national interest, and whether a public attribution serves our best interests.”

Of graver concern, from 27 June to 4 July last year, the personal particulars of Prime Minister Lee were “specifically targeted and repeatedly accessed” during the cyberattack, according to the report of a Committee of Inquiry (COI) tasked with looking into the incident.

COMMITTEE OF INQUIRY REPORT

Issued last Thursday, the COI report listed 16 recommendations to improve Singapore’s cybersecurity landscape, following 22 days of public hearings last year on the incident.

Mr Iswaran told the House that the government has accepted all of the committee’s proposals.

The COI also highlighted system vulnerabilities and key lapses by staff at Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector. On Monday, IHiS announced that two of its senior managers have been sacked for being “negligent” and “in non-compliance of orders” during the cyberattack.

But readers of The Independent generally find it puzzling that the government has not been forthcoming in revealing the identity. On the other side of the cyber-coin, the government may, for reasons of national security, not see any justifiable need for the identity of the cyber attacker to be revealed.

Retiree Roland Pereira of Bedok North says: “Transparency has always been one of the corner-stones of this government. I think all public crimes should be disclosed to the general public.”

Sales executive Raymond Leong of Tanglin Halt adds: “Being transparent is a powerful thing, if you can trust yourself and be trusted by others. Why can’t the minister be more open-minded? It’s a puzzler, if not disappointing, that they keep the identity to themselves.”

But George Han, Founder of Far East Advisory, who is a branch activist at Nee Soon East Constituency, sees the merits in the Minister’s closely guarded reply. He says: “The Minister has to consider Singapore’s strategic interests when it comes to revealing the identity of the hacker/s. Withholding the identity, I feel, is telling, and an indication of the closeness present relationship with the hacker.”

Meanwhile, IHiS and SingHealth, which owns the compromised patient database system, have been fined a combined $1 million by Singapore’s privacy watchdog for the lapses which contributed to the success of the cyberattack.

CYBERSECURITY: ‘CONSTANT BATTLE’

Minister Iswaran reminded his parliamentary colleagues that Singapore’s networks are “continually probed for weaknesses, and regularly attacked”. He stressed that cybersecurity is a “constant battle against cunning adversaries with advanced capabilities”.

He concluded the session by stressing that the key issue was to ensure Singaporeans continue to have trust and confidence in public sector systems.

“I don’t think we should reduce whether we have confidence in the sense of justice to just one specific point: that there’s no public attribution of the perpetrator.”

PM Lee was quoted as saying that he did not know what the attackers were hoping to find. He has been treated for intermediate-grade malignant lymphoma and prostate cancer. In 2015, he underwent surgery to remove his prostate gland and was subsequently given the all-clear sign by doctors.

“My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” Lee said on Facebook last year after news of the breach broke.

In the same parliamentary sitting, Health Minister Gan Kim Yong also delivered a Ministerial Statement and apologised again to the affected patients. He noted that the various health agencies such as IHiS have implemented measures to improve cybersecurity.

At the end of the day, the talking point on the streets will remain the non-revelation of the identity of the perpetrator behind Singapore’s worst-ever cyberattack.