Advertisement

Revealing identity of SingHealth cyberattacker not in Singapore's national interest: Iswaran

Minister-in-Charge of cybersecurity S. Iswaran. PHOTO: Screengrab from Gov.sg YouTube channel
Minister-in-Charge of cybersecurity S. Iswaran. PHOTO: Screengrab from Gov.sg YouTube channel

Revealing the identity of the perpetrator behind Singapore’s worst-ever cyberattack would not be in the Republic’s national interest, said Minister-in-Charge of Cybersecurity S. Iswaran on Tuesday (15 January).

Delivering his Ministerial Statement on the aftermath of the 2018 SingHealth cyberattack, which saw the personal particulars of almost 1.5 million patients stolen from the agency’s database, Iswaran acknowledged that the identity of the attacker was known.

The minister said, “Appropriate action has been taken…But, for national security reasons, I will not comment further.”

Despite being pressed by Members of Parliament Vikram Nair and Cedric Foo – the latter noted that “there seems to be a vacuum as far as the sense of justice” – Iswaran would not provide more details of the “skilled and sophisticated” attacker.

The 56-year-old instead urged the House to look at the totality of the government’s response to the attack. For example, the incident was revealed “within days”, and extensive measures have been taken to plug the cybersecurity gaps.

“We have to exercise judgement: what is in our national interest, and whether a public attribution serves our best interests.”

Singapore faces “cunning adversaries”

Health Minister Gan Kim Yong. PHOTO: Screengrab from Gov.sg YouTube channel
Health Minister Gan Kim Yong. PHOTO: Screengrab from Gov.sg YouTube channel

From 27 June to 4 July, the personal particulars of Prime Minister Lee Hsien Loong were “specifically targeted and repeatedly accessed” during the cyberattack, according to the report of a Committee of Inquiry (COI) tasked with looking into the incident.

Issued last Thursday, the COI report listed 16 recommendations to improve Singapore’s cybersecurity landscape, following 22 days of public hearings last year on the incident. Iswaran told the House that the government has accepted all of the committee’s proposals.

The COI also highlighted system vulnerabilities and key lapses by staff at Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector. On Monday, IHiS announced that two of its senior managers have been sacked for being “negligent” and “in non-compliance of orders” during the cyberattack.

Five members of the IHiS senior management, including CEO Bruce Liang, have also been given a “significant financial penalty” for their collective leadership responsibility. A “moderate financial penalty” will be imposed on two middle management supervisors, said IHiS.

Meanwhile, IHiS and SingHealth, which owns the compromised patient database system, have been fined a combined $1 million by Singapore’s privacy watchdog for the lapses which contributed to the success of the cyberattack.

Iswaran reminded his parliamentary colleagues that Singapore’s networks are “continually probed for weaknesses, and regularly attacked”. He stressed that cybersecurity is a “constant battle against cunning adversaries with advanced capabilities”.

Plugging cybersecurity gaps

In the same parliamentary sitting, Health Minister Gan Kim Yong also delivered a Ministerial Statement and apologised again to the affected patients. Gan noted that the various health agencies such as IHiS have implemented measures to improve cybersecurity.

For example, Database Activity Monitoring, which blocks database queries from unauthorised sources, has been put in place for the SingHealth electronic medical record database. The Health Ministry has also initiated independent security reviews on key public healthcare IT systems.

Health agencies are also experimenting with a tiered model of Internet access, including what is called a Virtual Browser, which allows access to the Internet through strictly controlled and monitored client servers.

In response to the Ministerial Statements, Aljunied GRC MP Png Eng Huat noted that while the COI’s report comprehensively addressed the technical side of the cyberattack, it has fallen short on “damage control” for the victims. He asked what the government would do to reassure the affected patients that they would not fall prey to scammers making use of their personal information.

While acknowledging that Png had a “reasonable concern”, Iswaran said that various agencies have been been monitoring the Dark Web to see whether the compromised data has emerged. “To date, there has been no evidence of that.”

He concluded the session by stressing that the key issue was to ensure Singaporeans continue to have trust and confidence in public sector systems.

“I don’t think we should reduce whether we have confidence in the sense of justice to just one specific point: that there’s no public attribution of the perpetrator.”

Related stories

Workplace cultural issues need addressing: IHiS chief executive

SingHealth cyberattack: Suspected malware incident in January not reported

Initial responses to SingHealth cyberattack ‘piecemeal and inadequate’: Solicitor-General