COMMENT: Restricted Internet access may see public servants adopting ‘Shadow IT’


By Benjamin Ang

The Singapore government’s recent announcement that it will restrict Internet access in the public sector amid rising cybersecurity risks has sparked debate about how employees can maintain a high level of work efficiency under such conditions. An unintended consequence of the plan could be the increasing adoption of “Shadow IT” by public servants.

What is Shadow IT? It is not a dark art practised by computer programmers. Rather, it is the use of unauthorised services like Dropbox, Google Drive and Skype by employees when they lack the technological resources to work productively.

In a large organisation with many complex departments and tasks to handle, the deployment of Shadow IT is highly probable if public servants have limited access to the Internet. But this can result in the creation of new cybersecurity risks even as IT managers in the public service battle existing ones. As such, it is critical that the public service – Singapore’s biggest employer – manages these risks effectively to protect its IT infrastructure.

Certain local industries, such as banking and the military, have established practices to limit Internet access for security reasons. Their employees use the Internet via computers that are connected to separate networks. These practices are similar to the public service’s plan, which will be fully implemented by May 2017.

The move is understandable when cybersecurity threats are rising at a rapid pace. In recent years, IT security experts have highlighted risks such as spear phishing, in which e-mails from fake addresses mislead recipients into clicking on links with the intent of stealing passwords, and ransomware, a type of malicious software that can paralyse an organisation’s entire network. Industry reports have shown that Singapore is a prime target for hackers who create such malicious tools.

Highly secured systems are, however, not immune to cyberattacks. Even though it was not connected to the Internet, an Iranian nuclear plant experienced extensive damage to thousands of its centrifuges after it was attacked by Stuxnet, a malicious computer virus, between late 2009 and early 2010.

To stay connected to the digital world and help the people they serve, public servants have to use the Internet to handle numerous tasks on a daily basis, ranging from research, procurement and training to inter-agency collaboration.

As such, many netizens have questioned if the public service can still achieve high productivity with the new curbs in place. Prime Minister Lee Hsien Loong has commented on the issue, saying that it is about finding the “right balance” between security and productivity. “If we make our system so secure, that it becomes a bother to use, the civil servants will either stop working or will find some way around it,” Lee said.

If their productivity is affected, some employees might adopt Shadow IT to circumvent the curbs. They might use cloud services such as Dropbox or WeTransfer to receive large documents on personal devices and transfer them to their workstations.

Studies have shown that more employees around the world are using unauthorised IT tools. However, this could result in the unintentional infiltration of new cybersecurity threats. Employees might use personal devices or unsecured services to create documents and, in the process, cause malicious viruses to infect the entire system.

Public sector organisations should communicate with their employees and identify the unauthorised tools that are being used for work. They could either approve such tools for use or develop alternative solutions without compromising security and productivity.

By keeping an open mind and tapping the creativity of its employees as it transitions to the new IT ecosystem next year, the public service can take a significant step toward propelling Singapore to become a world-class Smart Nation.

Benjamin Ang is a Senior Fellow at the Centre of Excellence for National Security (Cybersecurity Programme), S. Rajaratnam School of International Studies, Nanyang Technological University. He is also Education Chair of the Singapore chapter of the Internet Society.