You are here

Guy Fawkes and the nightmare before Christmas

Singapore Inc's month of terror happened, well, not too long after Halloween

Singapore

IF you had listened very carefully on the weekend leading up to Nov 5, you would have heard the sound of fear. Fear - the corporate kind - sounds an awful lot like waiting for the phone to ring.

That weekend, as Singapore braced itself for the hacking threat of Guy Fawkes Day, employees were put on standby and whole IT divisions kept their smartphones on, ready to go back to the office at the slightest whiff of online trouble.

"They were waiting for a call that they hoped wouldn't come," a spokesman for a large publicly listed firm told The Business Times.

Then, his firm had beefed up its IT department with 20-30 per cent more staff than it usually has in more peaceful times.

Weeks before that, masked individuals threatened the Singapore government with "financial loss" and "aggressive cyber intrusion" - terms that became shorthand for every business's worst fears. Guy Fawkes Day on Nov 5 - the festival that hacktivist group Anonymous has co-opted - became synonymous with a day of online reckoning.

At first, it seemed as though the public sector had borne the brunt of hacktivist season, with government websites defaced with taunting messages and images so embarrassing that officials would struggle to describe them to the media later.

A month later, we now know several things that we did not during the panic of Guy Fawkes Day. On Thursday, Standard Chartered Bank revealed that the statements of 647 of its private bank customers were found on the laptop of James Raj Arokiasamy, the alleged "Messiah" hacker who has been charged with defacing the Ang Mo Kio town council website.

We now have to consider how James - thus far suspected of blowing digital raspberries at the government - might have had serious money on his mind. He has not been charged with anything related to this incident, so far. We also now know that these statements were stolen months before the vaunted Nov 5, taken off the server of the bank's printer, Fuji Xerox Singapore.

Up and down the CBD, financial institutions did urgent checks with their own third-party vendors - a figurative frantic patting of their own pockets - desperate not to be the next StanChart.

To the private sector's credit, many heavyweights had sprung into action as Nov 5 loomed. Prominent businesses overhauled their Web storefronts. Whole systems were re-engineered so that if disaster struck and had to be contained, they could be shut down in 30 minutes instead of 60.

Other firms activated more servers, prepared for abnormal volumes of traffic from distributed denial-of-service (DDoS) attacks - a hacker's way of overwhelming a server through repeated electronic requests.

Firms which relied on the telephony network started having regular conversations with the telcos. "If (the telcos) deem themselves to be under threat, they would alert us . . . by extension, we are under threat as well," one firm told BT.

Wary eye

On their end, the telcos have kept a wary eye on developments. "To secure our network and protect our customers, we rely on a defence-in-depth approach with multiple security layers to identify and mitigate any malicious activity on our network," StarHub's chief technology officer, Mock Pak Lum, told BT.

"This includes the use of our StarHub Internet Clean Pipe service to minimise the impact of potential DDoS attacks."

SingTel, too, has a "multi-layered approach" and has been adopting different means of addressing "emerging threats", it said.

This has been a sobering time for corporations. "The hacking attacks can break down the company's IT system . . . interrupting internal business activities and its connection with the outside world," said CV Jagadish, CEO of semiconductor firm Systems on Silicon Manufacturing Co. His firm regularly reviews its risk assessment against cyber attacks, he told BT.

While some firms unfurled continuity plans last month, others made frantic calls to technology security firms.

"The last two weeks, the number of calls I've been receiving? It's been pretty amazing . . . all that from not doing any marketing," Stree Naidu, vice-president for data centre security firm Imperva in Asia Pacific and Japan, told BT last month. Then, the number of enquiries his company received had trebled.

Elsewhere in the industry, security firm Trend Micro had to start selling a Web application scanning service not yet launched in Singapore to some of its customers, so pressing was the need for one in the wake of the hacking threats.

This might seem like hysteria, but to Imperva's Mr Naidu, there is not enough of the right kind. Firms, he believes, have focused on problems with trendy buzzwords such as malware protection and anti-spam software, but neglected the need for data-loss prevention.

"CIOs in Singapore need to push away the marketing jargon . . . and ask themselves: is anti-spam software going to protect their data?"

"The difference between what the organisations have and what they need . . . (is) extremely frightening."

While some large firms are long on funds but short on knowledge, the majority of firms - small and medium-sized enterprises (SMEs) - are short on everything. For SMEs, this has been a terrible year for beefing up on the cyber-esoteric as rising business costs, the manpower crunch and a deterioration in sentiment close in.

"Day to day, (SMEs) are bogged down by very simple operational issues. Infocomm and hacking - you can imagine that (these issues) will fall numerous rungs in terms of being a concern," said Victor Tay, chief operating officer of the Singapore Business Federation (SBF).

Bleak outlook

So bleak is the outlook this year that the proportion of SMEs expecting double-digit growth hit an 11-year low - just 7 per cent of those surveyed - according to the SME Development Survey last month.

Asked about the reluctance of SMEs to invest in cyber security, Trend Micro Singapore's country manager, David Siah, said: "Oh, you have no idea. I see that every day. The business users feel that this doesn't add value."

Much can happen, even to a firm whose business does not revolve around data. "Organisations who sell physical products could get their invoices hacked into and the payment instructions changed. That's a real possibility," Mr Siah warned.

With some firms, there is some resignation over an ostensibly indefatigable threat.

"Most companies would have a basic level of IT security, however I'm frankly not sure how effective it would be in deterring skilled hackers if they are intent on causing such mischief," a spokesman for a recruitment agency told BT.

Already, firms in Japan and China are ahead of Singapore on the data protection curve. There, the connection between data and security is seamless, claimed Imperva's Mr Naidu. As local companies struggle to catch up, they already fight the cyber battle on multiple fronts, combating a resource shortage, information asymmetry and, sometimes, blind panic.

The StanChart debacle has opened up yet another distressing front of this battle - that of the third-party chink in the armour. It is not enough that your own house is in order; everyone else in the supply chain has to lock their doors as well.

For many firms, Nov 5 might be over, but the nightmare has just begun.