Singapore To Cut Off Internet Access For Government Workers From 2017

An anonymous reader writes: Government workers in Singapore will return to a 1990s-level of net connectivity from May of 2017, as the domestic government has decided to block internet access on all of its 100,000 office computers. The decision has been made in the interests of national security, although the Draconian policy will still permit workers to forward work mails to private email addresses as necessary. Workers' own devices will be allowed to connect to the internet normally by special terminals being provided in early trials, while intra-departmental connectivity will presumably be maintained via VPN tunneling. The move comes in the direct wake of a visit to Singapore from the U.S. Secretary of Defense Ashton Carter late last week, promoting stronger security ties with Singapore in the face of the rise of China in the region.BBC News has more details.

Productivity not Security

[EmagGeek]

Government workers will actually have to do their jobs now instead of sit around all day watching cat videos.

Re:Productivity not Security

[Bing+Tsher+E]

We could hope this would spur a global reassessment of the use cases for Internet Access at the workplace. Most workplaces would function well with a whitelist of the small handful of websites a worker needs to be able to navigate to remain a productive worker.

You're at WORK.

Re:Productivity not Security

[funwithBSD]

This concerns me.

I rather have government workers looking at cat videos all day rather than harassing citizens.

Re:Productivity not Security

[__aaclcg7560]

You mean they don't troll the trolls on Slashdot like I do at my government IT job while waiting for a script to finish?

Re:Productivity not Security

If government workers actually spent all day working, we would need about half the number of them. This would cause mass lay-offs from the public sector, flooding the jobs market with unemployed people. This would cause a spiral of wage deflation, reduced spending power, declining tax receipts, spending cuts, leading to civil unrest, and ultimately the collapse of government and social order.

Let them have their cat videos.

Re:Productivity not Security

[nospam007]

"Government workers will actually have to do their jobs now instead of sit around all day watching cat videos."

Hardly, they'll just use their phablets instead.

Re:Productivity not Security

[SumDog]

Not as a developer. I've been at places with filtering where to many sites with information I need end up in the blacklist. Rather than put in a support ticket, I often find it easier to proxy over SSH. I've only been caught doing this once at a company and that was cause some dickhead used my proxy to pump a huge file though. I stopped giving people access to my jumpbox after that. (I wasn't fired either; just given a warning. It didn't matter though -- turned in my notice for a new job a month later :-P)

The past four jobs I've worked at didn't/don't have any filtering what so ever and I haven't found my overall productivity levels have changed at all.

Re:Productivity not Security

[Mikkeles]

Don't forget solitaire!

Re:Productivity not Security

[smooth+wombat]

watching cat videos

Considering how long it takes to get a response from private industry or get them to do what they're being paid to do I can only assume they're the ones making the cat videos.

Re:Productivity not Security

[luis_a_espinal]

Couldn't you just ask them to unblock stackoverflow so you could keep copy pasting your work?

That's what we did at a previous company (defense contractor). We requested things like infoq, stackoverflow/stackexcange, acm and ieee.org for being unblocked, and voila. It kinda sucked not to have access to cnn, dilbert and slashdot, but that's the whole point (to limit dicking around.) Besides, if we really wanted to browse, we simply used our smartphones during coffee breaks.

I can totally see the reasoning behind it.

Re:Productivity not Security

[PrimaryConsult]

Sometimes productivity actually drops once filtering "fun" sites is implemented. Instead of 10 seconds to check facebook and 2 minutes to glance through a few news articles on a computer, it now takes 5 minutes on Facebook and 10 minutes on news sites to do the same thing on a phone.

Re:Productivity not Security

[msi]

If government workers actually spent all day working, we would need about half the number of them. This would cause mass lay-offs from the public sector, flooding the jobs market with unemployed people. This would cause a spiral of wage deflation, reduced spending power, declining tax receipts, spending cuts, leading to civil unrest, and ultimately the collapse of government and social order.

Let them have their cat videos.

To be fair I work in the private sector and I can't see much difference between your example and all of my work places.

Re:Productivity not Security

[luis_a_espinal]

Sometimes productivity actually drops once filtering "fun" sites is implemented. Instead of 10 seconds to check facebook and 2 minutes to glance through a few news articles on a computer, it now takes 5 minutes on Facebook and 10 minutes on news sites to do the same thing on a phone.

It is all a matter of balance and requirements. For a company doing "enterprisey" stuff, who cares about access to the internet. If you are working with a defense-related company (as in the example I alluded to), you cannot play with that shit.

And let's think about the context of this story. Singapore. Government agencies in Singapore are getting flooded by attacks from China, like you would not believe. They are being forced into implementing this policy. So I don't blame them, and that's what I would if I were in their shoes (and so would you.)

Good start

[T.E.D.]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Re:Good start

[LichtSpektren]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Very clever, but I point out that local copies -- while still vulnerable to inside leaks and what not -- are NOT vulnerable to hackers across the world. It might be less efficient, but then again, how many billions of dollars are companies/governments pouring into infosec only to get breached anyway?

Re:Good start

I had a boss who wished he could ban most of our users from using the printers but it was more about the sheer waste of paper. We have so many ways to electronically edit and mark-up documents and drawings but so many of the old engineers still want to print everything out and scribble all over it by hand. Some of them are just too stubborn to learn new tools and then complained when they were told by management "no, it's not a good use of time to hand write everything and try to get a younger engineer to then enter it all into the software for you."

Re:Good start

[Solandri]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

It sounds like they're going to do what the bank which holds my mortgage has done - eliminated all direct Internet access. Essential communications is maintained via email conducted through a relay, which strips out all suspicious attachments like zip files, Word docs, etc. PDFs are allowed, but based on what my loan officer told me, it sounds like any PDF sent to them is viewable only through a special app which lets them view it, but only sends the image to their computer not the actual PDF.

Re:Good start

[jon3k]

Great example of a logical fallacy.

Re:Good start

The "old engineers" use pen and paper like that because they work faster than any computer-based document or diagramming tool can handle.

It's not a problem with learning the new tools. The problem is that once they've learned the new tools, the new tools are still way fucking slower than a pen and paper.

Maybe you don't understand this, but when a true master is in the zone and cranking out top-notch work, this master can't be burdened with shitty software that doesn't work fast enough just to save a few sheets of paper.

When an experienced engineer like that costs $300/hr, it's better for him or her to be producing $10,000/hr of value using a pen and paper than it is producing just $3,000/hr of value using some shitty software. And it makes perfect sense to have the $25/hr inexperienced engineer, who'd be producing way less value than $7,000/hr, input the hand-written notes instead.

It's simple economics, and experienced engineers actually tend to understand economics and optimization far better than most managers do.

If these experienced engineers want to use pen and paper, it's because that's the optimal way of dealing with the problem. The software you're proposing is suboptimal.

Re:Good start

[tlhIngan]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

  It sounds like they're going to do what the bank which holds my mortgage has done - eliminated all direct Internet access. Essential communications is maintained via email conducted through a relay, which strips out all suspicious attachments like zip files, Word docs, etc. PDFs are allowed, but based on what my loan officer told me, it sounds like any PDF sent to them is viewable only through a special app which lets them view it, but only sends the image to their computer not the actual PDF.

Well, this is Singapore, who like a lot of countries, has a nice Great Firewall as well. (I still remember when internet was free and unfettered but there was talk of setting up the firewall... I think it was set up a year or two after I left).

Considering they want to keep contraband out of the country, I'd be surprised if they didn't already have some sort of gateway and all that - can't have illicit access to porn, for example. (Tor, they probably allow - given the penalty for drug use is death (firing squad, IIRC), well...)

Anyhow, it probably doesn't affect people as much as you think - Singapore is a very modern city-island-state and thus cellular data access is common everywhere.

Re: Good start

[LichtSpektren]

I don't understand why no one just uses pgp to sign documents or hash them.

I would venture to say that it's primarily because it's too difficult a process for non-tech people to grasp right now.

Re:Good start

[T.E.D.]

Don't worry. No one person can hold the knowledge for how to make any of that advanced stuff. Even, ironically, a pencil is beyond the capabilities of any single person to understand how to make. So without writing nobody will be able to look up how to make any of that stuff, and nobody will be able to order it from abroad either.

A small kingdom (on the order of 20,000 subjects) is about the most advanced society proven to be possible without any writing.

Re:Good start

[farble1670]

You're very funny, but it doesn't say no network access or no computer access. It's says no INTERNET access. Presumably they still have access to the intranet and all the resources therein which is probably the only thing they need to actually do their jobs.

Re:Good start

[lgw]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

Actually, most photocopiers support all of that functionality these days. I could only hope they'll be turning off internet access for the copiers as well, but you never know.

Re:Good start

[luis_a_espinal]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Why would you need to have access to, say, CNN or youtube when you are on the clock? You are on the clock. You work. You want to do some leisure media consumption, do it with your smartphone on a coffee break or when you get home.

Re:Good start

[Kjella]

The "old engineers" use pen and paper like that because they work faster than any computer-based document or diagramming tool can handle. It's not a problem with learning the new tools. The problem is that once they've learned the new tools, the new tools are still way fucking slower than a pen and paper.

Oh please, a lot of old farts refused to learn how to use a keyboard so the secretary had to type things up for them. I even known some accountants didn't really trust anything but their mechanical calculators. For the longest time, my mom wouldn't use the microwave because OMG radiation. I agree, there's certain kinds of sketches that are done better on paper. But I also know a guy who'll print 50 pages to add a few comments on paper and when the next revision is out, obviously the old is thrown away. He claims it's better, but I think it's like reading dead tree newspapers in the morning, it's just feels good. After a while you get used to anything.

Thumb drives

[justthinkit]

A spokesman added that "Thumb drives should continue to work as before."

Re:Thumb drives

[ITRambo]

Possibly the best attack vector remains in place then. Great idea.

Re:Thumb drives

Never underestimate the bandwidth of a station wagon full of hard drives.

Re:Thumb drives

[SumDog]

Nah, the best attack vector are active virus scanners that run as the system user. If you find a bug, you can just send the person a broken PDF and they don't even have to open it. You just need the AV to scan it and you're in.

"the Draconian policy"

[LichtSpektren]

the Draconian policy

The capitalized 'D' indicates that this is some kind of proper name. I take it this policy was enacted by a man named Draco?

Re:"the Draconian policy"

[Dunbal]

Yes.

Re:"the Draconian policy"

[LichtSpektren]

Lowercase "draconian" means any (generic) kind of harsh law or treatment. Uppercase indicates that Draco himself issued this protocol.

Re:"the Draconian policy"

[Dunbal]

I beg to differ. You can have a Vesuvian eruption of a volcano, and Vesuvian (or Plinian for that matter) is capitalized even if it's a different volcano.

The 90s is calling.

[Rande]

I used to have to work like this back in 1998. Internet access was severely restricted and only 1 person per division had access and you'd have to tell them what you were looking for and they'd do the search for you.

In practice, it was faster for me to walk home, search for the information I needed and walk back than to do this or reinvent the wheel when 100 people had found the same problem and had already posted a solution.

Honestly I'm more productive with internet access, even if I'm currently at work posting this while waiting for my script to finish running.

Re:The 90s is calling.

[xxxJonBoyxxx]

>> I'm more productive with internet access,

Name a national government concerned about "productivity."

Re:The 90s is calling.

[shippo]

I had similar experiences, also in 1998. I started working in the support department of a smallish PC manufacturer and supplier. We had no access at all to the web from our desktops, not even access to any of the support sites of our main suppliers. My support resources were just an old copy of a Microsoft Technet CD, and I had to look other things up at home after work, which was 30 miles away. Even E-mail access was restricted, and I could only send an external E-mail by using a PC on a desk situated next to the managing director. This naturally made the whole process of downloading patches and drivers to pass on to customers completely impossible, and I walked out after two days.

Re:The 90s is calling.

[antdude]

What role did you have and which company? During my days, I had full Internet access as a web designer at a dotcom company (RIP in 2001). :P

Productivity issues?

[Dunbal]

It's not going to help much if they still leave a copy of Solitaire on government workers' computers.

I predict

[rossdee]

that the Singapore Govt may have difficulty retaining skilled staff.

Re:I predict

[Bing+Tsher+E]

True. They will lose all their staffers who are no longer able to update their Facebook.

Re:I predict

[Zontar_Thing_From_Ve]

that the Singapore Govt may have difficulty retaining skilled staff.

Unlikely. People who take government jobs aren't doing so for the paychecks. Very few of the people who would leave over this are working for the government anyway. It will be annoying, but the workers will adapt. Those who work for the government often do so because government jobs rarely get cut so it will take a lot more than this to get people to leave. Heck, I've known of people in private industry who were told bluntly "Your job WILL end. We're moving your job to another state and you won't be kept once that happens. The only problem is that we don't know when exactly that will happen. It could be 6 months from now. It could be 12 months. It could be longer. But when that day comes, you'll be lucky if you get even a few days notice that your employment is over. Most likely you'll just show up to work and be told to pack your things and leave." And even after all of that, some people still wouldn't leave the job until they actually got sent home and the doors were permanently locked.

So no os updates?

[Joe_Dragon]

So no os updates? so if some can get into the network then it will be very easy to hack the systems then?

Re:So no os updates?

Why would you think this means no OS updates? That makes no sense. They have 100,000 seats. Obviously they don't rely on the user to update their system or deal with the vagaries of Windows Update. They will be using some enterprise solution. Probably WSUS or SCCM, but other options are certainly available. With something like SCCM, only one server has to have internet access, and only to a couple of IP addresses.

Re:So no os updates?

[ADRA]

Yeah, I mean they'd never have a DMZ and a replication server anyways. I'm sure that every single update gets downloaded from Microsoft's servers today... And if windows breaks, lets go down to the local bazaar and pick up a new copy from the back to a cart!

How backward do you see this country?

Re:So no os updates?

[Joe_Dragon]

But then the AD servers will need to be online but who knows what will happen when some non IT guy makes this call and things brake down / some small office can't be cut off from the internet with out running an private line to keep it working. The internet blocked systems have ports 80, 8080, 443 cutoff and WSUS fails.

Other Perspective

I work in I.T. for a small subsidiary of a massive Singaporean defense company and I really had no idea what I was getting into, the attacks from China/APTs are completely ridiculous in terms of scale and quantity. We've had everything from traditional external attacks, stolen certificates used against us to physical attacks on-site in just the last 4 years and we're comparatively tiny with only a few hundred staff serving mostly the private sector. From what I heard, it's even worse for MINDEF. This doesn't surprise me at all and frankly, it's probably a good thing for the Singaporeans.

Re:Other Perspective

[T.E.D.]

It sounds to me like the main part of Singapore's defense budget should probably be going to cyber-defense, since that's where the attacks are coming from.

Standard where I work

[houghi]

Where I work this is standard. Whitelisting for the PCs. And you can ask for sites to be added. This will depend on your department, function and what not.

However there are plenty of PCs available throughout the company that DO have internet access. They are on a separate network and separate Internet connection. So we do have two networks and two internet connections.

So if you do need to do search for your work, you are still able to do so. However not at your desk. If you need it all the time, you will have access all the time.

The majority of the people does NOT need Internet access all the time. Want to check your email? Do that before you start, during your lunch break, you 10 minute break in the morning or the afternoon or after work.

This is not even about wasting time, because you can do that reading a newspaper. This is about people clicking on a file and unwilling let a trojan in and we become another company on /. who was hacked, We know we are being targeted. Nothing serious till now.

Re:Standard where I work

[luis_a_espinal]

"However not at your desk"

Why not? Why not get everyone laptops and let them use WiFi? Your company sucks.

Dude, if you have laptops connected with wi-fi, you are opening the same attack surface (if not a greater surface) than when you were connected directly to a LAN. There are legitimate reasons to only allow whitelisted sites (stackoverflow for example.) Why would you need access to CNN or youtube when ON THE CLOCK, clicking random websites loading trojans?

developers ?

[sxpert]

do they employ any developers there ?

how in hell are they going to be able to do the work they're paid for ? printing thousands of pages of paper documentation ?

Re:developers ?

[godrik]

You could have local install of documentations. We used to have dumps of main part of MSDN coming with visual studio. I don't see why you could not have a similar thing. Once you decide to adopt a framework/library, install a local copy of its documentation.

Re:developers ?

[pete6677]

Backwards 1990s way of working. Modern development happens way faster than this, plus many things now are cloud-based. How exactly do you do web development without internet access?

Re:developers ?

[luis_a_espinal]

do they employ any developers there ?

how in hell are they going to be able to do the work they're paid for ? printing thousands of pages of paper documentation ?

Whitelist selected sites like stackoverflow. That's what I've seen done. It doesn't impair development productivity. After all, you do not need wholesome access to the internet, do you?

Re:developers ?

[Cro+Magnon]

Awhile back, I had to do something on the IBM mainframe, after several years away from it. Some of the JCL wasn't working right, all the old JCL books were gone, and most of the people who knew more than I did were retired, dead, or both. I found the solution via a Google search.

to the extreme

[CimmerianX]

This is the extent to which some people want to keep win 10 off their systems..... cut off the entire internet.

GET BACK TO WORK!

[Thud457]

"The agriculture ministry is not in charge of Gundam."

So ..

[jon3k]

Basically the same policy we have with secure government networks in the US?

Why not VDI in some capability?

[mlts]

I have seen VDI used to keep criticial infrastructure walled off, so a compromised workstation is less of an issue.

I have also worked on having individual machines, which had zero net connectivity to the outside world, patches were done by WSUS, SCCM, software was pushed out via those means or VMWare ThinApp, and the only machines that the workstations could communicate with, were a RODC, software server, and a terminal server.

The terminal server allowed people to run their Web browsers via seamless RDP to pretty much any sites they felt like (within reason -- pr0n sites were blocked due to the legalities of sexual harassment, for example). This way, all the web browsing to external sites was done on a well controlled VM, and if it got compromised, malware couldn't propagate to the internal machines. This seemed like a good compromise between allowing users to browse the web when need be, while keeping security tight.

Re:Why not VDI in some capability?

[tnk1]

Deploying VDI is not without its challenges, and I suspect that rather than work it out, the simple governmental response was to ban things. It also makes them look tough.

It may well be that they end up with VDI when they tire of being back in the 1990s, but it is just as likely that they'll open themselves in a hodgepodge, case-by-case way that makes them even less secure than they were previously.

Re:Why not VDI in some capability?

VDI sounds great but it's rarely economical in all but some very narrow cases.

It's one of those products deemed "Enterprisey" and thus earns the "Because fuck you, that's why" pricing tears.

You need a fairly robust server farm with lots of resources. Servers need lots of memory, fast cpu, fast storage, and in some cases graphics acceleration. - All the things that make a server as expensive as possible. You can't skimp on any one aspect like most applications.

Then there's the server software. None of it is cheap. Windows server licenses and CALs like normal..

Then you need the VDI software and lisences. No matter who's solution you go with, it costs a fucking arm and a leg.

Then you need the licenses for your desktop windows and office and crap. Just like normal. (You can skip desktop windows pro/ent/whatever if you're doing old school RDS/TS but what's the point in 2016. VDI is so much better)

Point is it's no cheaper than rolling desktops, except in a few narrow cases where you have a lot of roaming users with lots of robust connectivity. The initial investment is HUGE and you need more specialized staff to manage your farm.. But you still need the regular staff too because thin clients exist in meat space and they need to be managed/inventoried/replaced/etc. Easier, but you really don't save a whole lot of staff hours over desktops.

You gain some ability to telecommute and have mobile staff, and some degree of centralized management.. But not much. It's really not much better than a modern managed fleet of desktops and you lose a bit of flexibility.

And it does nothing for laptops. At all.

Re:The U.S are only interested

[gtall]

Yes, pay no attention to those spanking new Chinese islands in the S. China Sea, nor to their claims to own the entire S. China Sea because their ancestors used to piss in it 2000 years ago. Also please ignore the threatening moves across the Taiwan strait, those have nothing to do China acting like a bully to get Taiwan and thus provide alleged Chinese leaders (sic) a reason for being allowed to continue to run the Chinese fascist state. And those nice Norks should not be persuaded by the Chinese to stop building nukes since the Norks are so well adjusted, the Chinese are in no way accountable for their lapdog's actions.

No public cloud or web-based sites and services?

[calgarynerd]

So - they don't plan on using public cloud and combining with perhaps more than one vendor and/or using publically hosted websites? (i.e. Github, etc.) If they stick with one or two vendors, then private connections are possible, but this seems to be quite a step backwards in todays network-neutral, cloud, SaaS & managed web services connected world...

Pretty harsh way of controlling access

[ErichTheRed]

The only positives I can see from an approach like this are the elimination of a vector for ransomware and viruses, and maybe some illusion of control. There was a story about JCPenney corporate headquarters users watching endless hours of YouTube in the 2013 timeframe. This was the same time the company was on the verge of going bankrupt after the Apple Store guy took over as CEO and tried to turn an old-school department store into a hipster haven. I'm very busy at work and have kids to get home to, so my breaks are usually pretty short; I can't imagine sitting for hours on YouTube all day. But, if I was a government worker in a pretty sleepy department, and really only had a couple hours of work to do a day, I would probably goof off a little more. Users with lots of goof-off Internet time are probably a little more susceptible to phishing-style attacks than tech workers, so that's a pretty good vector for spying right there.

The problem with things like ransomware is that they're easy to get, and easy to spread around the network, destroying data. Completely banning the Internet is probably not the best solution, but if China really is serious about asserting its dominance in the region, Singapore is a pretty juicy target. It's smack in the middle of a strategic trade route -- that's why the British were there in the first place.

I think it can be done right

[Hevel-Varik]

not every department need access to the internet nor do the departments that do need access need it to the extent that one might imagine.

I am increasingly finding that I can with forethought identify the domains hosting the information I need, e.g, stackexchange or wikepedia or javadocs or safari, there is no reason the prime aggregations of useful domain specific information can't be aggregated and downloaded with diffs maintained, the noise to signal ration on the internet is growing in the wrong direction and you could in theory have dedicated personal to keep on top of this.

That said I doubt this will end up as draconian as the statement suggests.

Good move!

[Schaffner]

That'll make it so that their systems won't keep trying to "upgrade" to Windows 10! Smart move Singapore!

The real story

[dosun88888]

Is that Singapore apparently has workers from the future.

Want to block the internet?

[wkwilley2]

Ports 80 and 8080.

Done deal.