With the growing demand for digital services during the COVID-19 pandemic, Singapore allowed access to citizen services via a digitalised identification certificate called Singpass. The national digital identity is critical to achieving the country’s vision of improving the lives of citizens, creating opportunities for businesses and transforming the capabilities of government agencies. To do this, the government must ensure secure, reliable, and complete online citizen identity and centralisation of databases across different government services.
Mohit Sagar, Group Managing Director and Editor-in-Chief, OpenGov Asia, believes Singaporeans trust their government as, over the last 50 years, it has been working to instil confidence and create an environment of transparency. However, Mohit acknowledges this is an exception, not the rule as other Southeast Asian countries do not enjoy the same level of trust from their citizens.
Despite a quite high level of trust from Singaporeans, the government still needs to improve in many aspects, including data management. Mohit emphasises that it only takes one or two critical breaches to radically diminish faith. Therefore, the public sector needs to take this issue seriously.
OpenGov Asia had the opportunity to speak exclusively with Sascha Giese, Head Geek™ at SolarWinds, to talk about how the public sector can optimise and secure sensitive data. Sascha has more than 10 years of technical IT experience, four of which have been as a senior pre-sales engineer at SolarWinds. As a senior pre-sales engineer, Sascha was responsible for product training for SolarWinds channel partners and customers.
In the previous article, Sascha talked about transforming digital services in the public sector and how SolarWinds can help governments in their digital transformation journey. He explained most organisations, both public and private, want to increase their presence with more services and better access. Hence, they’re always exploring ways to provide more digital offerings across any platform and device—anytime, anywhere.
For this to happen, he says, the public sector must leverage technology across the entire gamut of services, from birth, education, and living to taxes, business, registrations, and more. Technology is no longer an enabler but a disruptor of business models. It can improve lives in a way previously unimaginable.
Digitalisation and Citizens’ Trust
Digitalisation at a national level, including developing secure digital services, must be a participatory process, The question is how can governments involve the public in the digitalisation process and bring citizens into the ecosystem? Mohit believes this will be the next step for Singapore to increase the trust of its citizens.
Sascha first acknowledges that in many countries, there is still a trust issue. This apart, one or two generations are still not tech-savvy, which hampers involving them in the digitalisation processes. Sascha feels governments need to explain the necessity of digitalisation in a better way—to all audiences.
The public sector needs to make sure nobody is left behind and everyone understands how digital services work. Governments need to be open and communicate to the public about the reason why they implement certain projects or initiatives. They must clearly spell out the specific benefits of digitalisation, so citizens are aware of the positive impacts of governments’ projects.
As citizens demand more digital services, the government needs to be using Application Programming Interfaces (APIs) to ensure agencies offer the right services seamlessly. The Cloud First initiative in the Middle East is a good example. IT experts deployed a multi-cloud strategy: sensitive data is kept on a private cloud hosted in-country with no external access and then used the public cloud for other things as it offers more resources and high-end tech.
Managing Sensitive Data Securely and Reliably
Trust in government is fragile, Mohit says. While it takes a long time to build, it is easily broken. Against this backdrop, how does the public sector convince citizens that their sensitive data is used for their benefit safely and reliably?
The answer to this, Sascha opines, is understanding the massive difference between merely collecting data and managing data. The latter involves a specific plan to intelligently, securely, and consistently collect data and then use it efficiently, safely, and appropriately. The other aspect of managing data is how long the agencies can keep it and who has access to it.
Government agencies need to be extremely open about how they use the data and must do everything in their power to keep the data safe. Ideally, they should be able to explain the use of data to citizens. While almost every country has a Data Protection Act to regulate data management, the issue is what happens when there is a problem.
Sascha reiterates that there is no such thing as 100% security, but governments can mitigate risks. Many technologies are available to help minimise the chances of breaches, including SolarWinds cybersecurity risk management and assessment tool, Access Rights Manager (ARM). Simple IT risk assessment software helps enforce cybersecurity policy with automated secure account provisioning. By simplifying cybersecurity risk management, organisations can scale to meet many security and compliance mandates.
With so many constantly evolving compliance standards, scaling to meet IT risk and security assessment requirements can feel impossible. As a lightweight cybersecurity risk assessment tool, ARM is built to enable scalability by providing a central place for IT compliance management and to assess organisations’ greatest security risks: user authorisations and access permissions to sensitive data. ARM generates custom cybersecurity risk management reports on user access to sensitive data and alerts organisations if accounts are created with insecure configurations.
Sascha realises discussing specific technological tools is too complex for the average citizen to understand, so governments need to simplify the explanation by using layman terms. Open communication will enforce trust as citizens will appreciate governments take the time to ensure public participation. Sascha says risks are the price we have to pay for convenience.
Risk Assessment of Sensitive Information
With the privilege of having a massive amount of citizens’ data comes the responsibility on how to use it, Mohit stresses. While he concurs, Sascha explains the issue is complex and tricky. Irrespective, doing a risk assessment on the level of sensitive information to ensure its protection is essential and crucial.
The fact is, governments and authorities might not know what and how much data they have. This then becomes the first step—learn what data is on hand and where it is. Governments then must categorise data by specifying the data they have, the purpose of the data, and what they want to do with the data. Based on this, risk levels for the data can be assigned. The more sensitive the information is, the security needs to be higher.
There are various methods and tools to assess risks, including SolarWinds Security Event Manager (SEM). The tool can improve security posture and quickly demonstrate compliance with a lightweight, ready-to-use, and affordable security information and event management solution. SEM is, in essence, another pair of eyes watching 24/7 for suspicious activity and responding in real-time to help reduce impact.
SEM comes with hundreds of pre-built connectors to gather logs from various sources, parse their data, and put it into a Common Readable Format, creating a central location to easily investigate potential threats, prepare for audits, and store logs. It includes features to quickly and easily narrow in on the needed logs, such as visualisations, out-of-the-box filters, and simple, responsive text-based searching for both live and historical events. With scheduled search, users can save, load, and schedule their most commonly used searches.
Regrettably, governments are under attack 24/7 from bad actors across the world and cannot be expected to manage everything entirely in-house. Out-of-the-box thinking could mean governments hire white hat hackers to see if there are loopholes in the system. Fortunately, most cyberattacks are unsuccessful. The caveat to this is that agencies may not know right away if an attack was successful or, in the event of a breach, the extent of the damage.
Cooperation and sharing of information on attacks and risks is one way to stay ahead of the issues. Laws and policies go a long way in international and regional cooperation. There are laws about cyber safety; Singapore’s Personal Data Protection Act (PDPA) provides a baseline standard for the protection and storing of personal data both online and offline. In January 2021, the PDPA Act was updated with further stipulations where organisations are obliged to notify the Personal Data Protection Commission in the event of a significant data breach. Similarly, Europe’s General Data Protection Regulation (GDPR) regulates the protection and processing of personal data; one of the many parts of GDPR is that if there is a successful breach, organisations have to report it to the local authority.
The Trade-Off Between Safety and Sharing
Since there’s no such thing as total protection from cyberattacks, especially as they are increasingly more sophisticated, the question becomes what is the government doing or need to do if sensitive data gets compromised? Should governments be vocal or be circumspect?
Sascha recognises the trust will decrease if citizens are informed of a breach. But if governments do not go public, sooner or later, the truth will come out. When people get to know at a later stage, it could prove to be disastrous reputationally and trust-wise. The sooner governments take citizens into confidence, the sooner they can put in place countermeasures.
The pandemic has been instrumental, indeed catalytic, Mohit firmly believes, in driving digital transformation and, to a large extent, sharing of information. To contain outbreaks, manage cases, and render services, COVID-19 has literally forced agencies, that may not have otherwise, to share data. While this has been useful, the challenge is how does the government ensure consistency, interoperability, and ease of sharing of databases across departments while retaining security? Is there a trade-off between safety and sharing?
When it comes to sharing data between different agencies, there is a collective responsibility, albeit tiered, Sascha feels. Even if the data gets compromised in a different department, the department that is the original holder of the data will be held accountable. The final responsibility rests with whoever owns the data in the first place even though the security incident happens in another department. When requiring data, it is incumbent on the requesting (other) agency to prove data will be secure and report its risk management strategy/measures to the sharing (first) agency.
In Singapore, citizens use their National Digital Identity (NDI) for almost all transactions. To improve NDI, Sascha recommends end-to-end encryption (E2EE)—a system of communication where only the communicating users can read the messages. While it’s not always easy to prove the authenticity of the information, E2EE would be the preferred option. Moreover, the government must continually remind citizens to secure themselves while using digital technologies.
One SolarWinds product that could be helpful for the public sector is NetFlow Traffic Analyzer, which provides an overview of data traffic flow inside the organisation. The tool collects traffic data, correlates it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic. Organisations can also set alerts to be notified if a device stops sending flow data, so you can efficiently remediate the problem.
Another tool is the permission management tool. New Technology File System (NTFS) controls the specific shared resources end-user accounts have access to. By configuring the user account, group member, and domain access permissions applied to network drives, files, and folders, administrators enable individual end-users to share and exchange resources and can improve security by restricting access to sensitive or confidential materials.
Currently, machine learning can spot and analyse anomalies in the systems faster. The adoption of machine learning does not mean organisations don’t need analysts, but analysts are still required to improve the situations and provide more creative solutions that machine learning cannot offer.
While in most cases, technical reasons are the cause of issues or glitches, governments must not become lax to potential security lapses. Even if the instances look harmless, governments need to still watch out for those scenarios. At the end of the day, the buck stops with the government, and the public sector must be vigilant all the time, round the clock.
While this is the bottom line, looking into everything meticulously and comprehensively is resource-intensive and practically impossible, if it is entirely dependent on people and done in-government only. Partnering with experts that have the technology, the tools, and the infrastructure will save time, money and free up human resources for more critical tasks, allowing governments to better serve citizens and deliver on their mandates.