Today newspaper reported on July 14 that only authorised USB storage devices will be allowed for use at all public sector agencies from July 25 onwards, as a cybersecurity measure. This was learnt from the the Government Technology Agency of Singapore’s (GovTech) response to TODAY’s queries.
The public sector agencies will use a bulk tender, which has a list of portable storage devices that meet the specified security requirements. The devices will be distributed to public officers on a working need basis.
In June 2016, the Singapore government started separating Internet access from the workstations of public servants, progressively over a one-year period. Officers would still be able to access the Internet on separate devices, government-issued tablets or common computers.
Concerns over productivity were raised. In this article, Today reported GovTech saying that several IT solutions, such as file transfer tools, have been deployed to Government agencies to maintain public sector productivity.
The convenient and ubiquitous plug-and-play USB devices or flash drives pose huge security risks through possibility of data leakage from the inside or malware infections from the outside. An USB device being used for storing personal as well as official files, as they often are, could open up the way for malware to enter government networks and cause significant damage. Then there is malware like BadUSB which resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions. So, the attack code continues to stay hidden and as potent as ever, even after the device’s memory would appear to to be deleted to the average user. Another big risk is losing a drive with sensitive information.
In 2008, the Pentagon's classified military networks were reportedly infiltrated by an attack, which was caused by a computer virus that was loaded on a flash drive. Subsequently, restrictions were imposed on the use of flash drives.
Private sector organisations, with sensitive data and subject to strong regulations and requirements on management of information, such as banks, have long restricted the use of USB storage devices, commonly disabling the USB ports on workstations of employees.
This latest step appears to be a logical extension of the Internet separation strategy, as the latter would leave an obvious loophole in the attempt to protect government networks from cyberthreats.
Read the report on Today here.