The Committee of Inquiry (COI) on the SingHealth cyber attack has uncovered a perfect storm of inexperience, ineptitude, and poor decision making in the IT agency responsible for Singapore’s healthcare, IHiS. The COI’s findings are detailed in this 450-page report, and an overhaul of the IHiS’s cyber security and threat reporting system has been prescribed by the Cyber Security Agency (CSA).
The following punitive measures have been taken:
– Two employees have been fired
– One employee was demoted
– Five senior executives, including IHiS CEO Bruce Liang, have been subjected to unknown financial penalties
– The Personal Data Protection Commission (PDPC) has fined IHiS $750,000 and SingHealth $250,000
… and as usual, a shitstorm has erupted online.
Starting from the bottom, the fine is downright funny. SingHealth and IHiS are owned by MOH Holdings (MOHH), itself wholly owned by the Ministry of Finance. SingHealth and IHiS will pay these fines into the government’s Consolidated Fund, which is owned by the Ministry of Finance.
Out of left pocket, into …?
The penalties on the five senior executives are unknown, so they could simply be a token gesture. Two employees were fired, but one was simply demoted, despite a lack of aptitude in performing the role assigned to him. Many are questioning whether the measures go far enough to hold the negligent parties accountable, asking how the government can allow this case to go unpunished.
The simple fact, however, is that this is an unprecedented event in Singapore, and we have no local standard for the reckoning that companies or individuals should face to atone for their cyber defence failures.
By what standard should we judge the government’s response following this cyber attack?
Take the US health insurer Anthem. For its violation of the Health Insurance Portability and Accountability Act (HIPAA), Anthem was fined US$16 million, and it further settled a lawsuit from affected clients for US$115 million. Additionally, Anthem had to accept a slew of changes to its cyber monitoring system, and submit regular reports to a relevant US Government agency.
Of course, the US$121 million forked out by Anthem for this muck-up is enormous compared to the paltry S$1 million paid by MOHH.
However, one has to remember that US$121 million is actually but a slap on the fingernail for a company worth US$60 billion, and ranked #29 on the Fortune 500. Furthermore, the settlements meant that Anthem admitted absolutely no wrongdoing or misdemeanour on their part, hence there was never a full investigation into the incident. No managers were (however tokenistically) fined, no negligent employees were fired; in fact, the US still has no idea what lapses led to the hack.
In Singapore, by comparison, the COI’s report sets out in excruciating detail the actions and communications going on in IHiS during the cyber attack, down to the smiley face emojis used in individual WhatsApp messages (I kid you not). IHiS also admitted to the mistakes it made, and was in general taken to task much more strongly than Anthem.
Okay, but that’s the United States, and as people keep telling me, they do things differently there. Asian values, Asian values, Asian values …
So for an Asian example, one must look no further than the Philippines. COMELEC is a comedic portmanteau for a very serious organisation: the Philippines’ Election Commission, charged with overseeing the country’s polling process. In what has since been dubbed the COMELeak, hackers targeted the website and database of COMELEC, obtaining the personal particulars of 55 million people, and the passport details of 1.3 million overseas Filipino voters. The very next month, two local hackers were identified and arrested for the cyber attack, with a third unknown partner still at large. However, the damage had already been done, as the entire 340 gigabyte database had been published online.
After the attack, COMELEC promised to tighten its security and consulted security experts from Microsoft, the US, the UK, and Singapore on how to improve its defences. Additionally, after an internal government investigation, several unidentified staff members were transferred to non-sensitive positions; we can assume these ‘transfers’ were demotions. So far, very similar to the Singapore government’s response (except that the Philippine government did not see fit to fine itself).
While we can see that the government organisation responsible (COMELEC) was held to account, similar to the SingHealth case, we do not know the specifics or details of the internal investigation, just as in the Anthem case. Filipinos have no way to know exactly what transpired to cause this breach, unlike Singaporeans, whose COI placed the entire organisation responsible under an electron microscope.
When it comes to punitive measures, chairman Andres in the Philippines was charged with negligence. IHiS CEO Bruce Liang, meanwhile, has not been publicly held accountable for the SingHealth security lapse.
Andres’ words, in his defence, can however apply to both cases: “Officers each have their own areas of responsibility, and a head of agency has to rely on the experts.” If a CEO is to be imprisoned for the crimes that his subordinates engaged in without his knowledge, the masses might be satisfied, but it would also be a miscarriage of justice, insofar as a CEO is not expected to micromanage all his employees’ actions. And so it does not seem fair that he should spend time behind bars for this.
However, a fine seems fair, and IHiS has implemented one, except we don’t know what it is. How are the people supposed to know that justice has been carried out when the fine numbers are not released? Do you want people to speculate on how unfairly low they are? Is there some critical national security secret lurking behind those digits, preventing the numbers from being declassified?
There is no reason for IHiS to not release the financial penalty it placed upon its executives, and we should be allowed to discuss how appropriate they are. The current opacity of these penalties sets a dangerous precedent that managers can oversee the crimes of their firms with little to no retribution, which shouldn’t be the case. After all, the possibility of retribution personally incentivises managers to ensure their staff are guarding the gates instead of admitting Trojan horses.
This is especially significant in IHiS’s case, as the COI uncovered that the firm prioritised business efficiency over security, something that was embedded into the organisation’s structure. For this, the responsibility for such an oversight certainly falls on the managers.
Of course, the perpetrator is a state actor: that much is clear from the sophistication of the attack.
Of course, the country is one considerably more powerful than Singapore; countries with such advanced cyber warfare capabilities are few and far between (several members of G8 come to mind).
The Singapore government’s choice not to reveal the attacker suggests a considerably more long-term approach. In the US, such prosecutions may be essential to a larger ongoing investigation, but in Singapore, the powers that be (dressed in white) have chosen to let the attacker know that we are aware of their identity. To what end this information can be used to wring some geopolitical bargains or otherwise forward our strategic interest, or whether this chip has already been played, only time will tell. I suspect it will be a long time before we know the truth of this matter.
In summation, Singapore’s punishment for those involved in the SingHealth cyber attack may seem small compared to penalties for other negligent offences, but our investigation process was highly transparent and open to public scrutiny. This is in stark contrast to other countries’ opaque investigations.
However, the exact penalties imposed are hidden from us, which hinders an open debate on the issue. Cyber is the new dimension for business, crime, and law enforcement. All Singaporeans need to have a say in the regulations and deterrent measures in place that prevent negligence in our security apparatus, as it affects every individual’s personal data and privacy rights.