In the digital economy, business continuity is inextricably bound to technology. Across retail, travel, finance and the public sector, services being moved online and employees working remotely mean businesses are more reliant on their digital infrastructure than ever before. While organizations can take steps to protect their digital services from incidents caused by user error, system failure, or cyber-attack, some events are beyond the control of any business. Extreme weather events, natural disasters, or regional power cuts can lead to downtime and loss of services.
Every minute of downtime could cause critical damage to the business, such as the loss of sensitive data and customer confidence. According to the Veeam Data Protection Report 2021, the vast majority (96%) of organizations in the Asia Pacific and Japan (APJ) suffer unexpected outages and over one-third (36%) have experienced outages on more than a quarter of their servers in the past 12 months.
When such incidents occur, getting services and employees back online fast is of paramount importance. So, businesses must have a robust, well documented and tested plan with clear owners, roles and responsibilities, emergency contacts, and priority actions. As well as having a plan, businesses also need the technical capability to recover to their pre-incident state. This means recovering data, applications, and services fully, and doing so within a defined timeframe that minimizes impact on the bottom line. All of this amounts to a robust process businesses must go through to ensure they are fully prepared when disaster strikes from both a business continuity and technical recovery perspective.
Preparing your teams
The ability to anticipate and act is what separates those who succeed from those who fail. When it comes to preparing a business to recover from an unforeseen technology disaster, the ability to anticipate exactly what zero hour looks like and the next steps that need to be taken in that moment is vital. IT leaders must put themselves into that situation to understand how they should react, rather than wait for disaster to strike and find out how they do react. These realities can be incredibly different, so it’s important to simulate those events from A to Z before they happen.
Ultimately, the business is reliant on its data systems and infrastructure to fully recover its mission-critical applications within an adequate timescale. But before you get to this stage of recovery, you must prepare teams within the business who will take the key actions to initiate recovery. This can be broken down into stages depending on your organization’s needs. As a general rule, start by ensuring you have a full and up-to-date inventory of the applications and services currently deployed across the business. Once these are fully accounted for, think about prioritizing them in order of importance – aligned to the organization’s most critical functions. This is where you think about what applications you need to get back online first. For example, an online retailer may prioritize the recovery of its stocking and supply chain functions before getting its ecommerce platform back online. Whereas service-based businesses like solicitors and marketers may prioritize email and collaboration applications to enable communications across the company.
Once you understand what applications you need to bring back online first, you can think about putting together an action plan, which is written down, centrally stored, and backed up across at least two other forms of media, one off-site and one offline. These action plans need to be detailed and specific. They must also assume the worst. Assume that your lead sys-admin is on holiday or sick leave and his/her team need to restore data systems without their leadership. As well as key actions and instructions, the plan should detail contact numbers to reignite communication across the business. Who needs to be informed right away? Who will the IT team need to call to gain vital information? This must all be in the plan. Think about practicalities. Will a team of admins need to work through the night restoring servers in a data centre? What are they going to eat and will they need a place to sleep? The most detailed Disaster Recovery (DR) plans leave no stone unturned, including information from pizza delivery companies to taxi firms and hotels.
As well as preparing a plan for recovery based on the critical business functions which must be restored first, organizations must ensure that their data systems are fully protected with Backup and DR across all forms of storage. Off-site and offline backups of data help to mitigate the effects of disastrous events. Veeam advocates the 3-2-1-1-0 backup rule: there should always be at least three copies of important data, on at least two different types of media, with at least one copy off-site, at least one copy offline, and zero errors, meaning no unverified backups and no backup jobs that complete with errors. Of course, backup and DR solutions are inextricably linked, but we shouldn’t conflate the two. DR refers to a set of initiatives and processes designed to ensure the survivability of data, regardless of the scope of a calamity or crisis, with a focus on resuming IT services as quickly as possible.
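One way to check a backup inventory against the 3-2-1-1-0 rule described above, written as an added example rather than Veeam's own tooling; the two inventories are constructed, and the example assumes (as the rule is commonly applied) that the production copy counts as one of the three copies:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data set, including the production copy itself
    (assumption: the primary copy counts towards the 'three copies')."""
    name: str
    media: str        # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored at a different physical site
    offline: bool     # not reachable from production (tape on a shelf, air-gapped)
    verified: bool    # a restore test or integrity check has passed
    errors: int       # errors reported by the last backup job


def check_3_2_1_1_0(copies):
    """Evaluate an inventory against 3-2-1-1-0.

    Returns (compliant, findings); each finding names the digit of the rule
    that is not met, so an operator can see exactly which leg is missing.
    """
    findings = []
    # 3: at least three copies of the data
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3")
    # 2: on at least two different media types
    media = {c.media for c in copies}
    if len(media) < 2:
        listed = ", ".join(sorted(media)) or "none"
        findings.append(f"2: all copies on a single media type ({listed})")
    # 1: at least one copy off-site
    if not any(c.offsite for c in copies):
        findings.append("1: no off-site copy")
    # 1: at least one copy offline
    if not any(c.offline for c in copies):
        findings.append("1: no offline copy")
    # 0: no unverified copies and no jobs completing with errors
    bad = [c.name for c in copies if not c.verified or c.errors > 0]
    if bad:
        findings.append(f"0: unverified or errored copies: {', '.join(bad)}")
    return (not findings, findings)


# Constructed inventory that only keeps on-site disk copies: fails every leg.
WEAK_INVENTORY = [
    BackupCopy("primary-san", "disk", offsite=False, offline=False, verified=True, errors=0),
    BackupCopy("nightly-nas", "disk", offsite=False, offline=False, verified=False, errors=2),
]

# Constructed inventory that adds an offline tape set and an off-site cloud copy.
GOOD_INVENTORY = [
    BackupCopy("primary-san", "disk", offsite=False, offline=False, verified=True, errors=0),
    BackupCopy("nightly-nas", "disk", offsite=False, offline=False, verified=True, errors=0),
    BackupCopy("weekly-tape", "tape", offsite=True, offline=True, verified=True, errors=0),
    BackupCopy("cloud-copy", "object-storage", offsite=True, offline=False, verified=True, errors=0),
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY)):
        compliant, findings = check_3_2_1_1_0(inventory)
        print(f"{label}: {'compliant' if compliant else 'NOT compliant'}")
        for finding in findings:
            print("  -", finding)
```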
Using Disaster-Recovery-as-a-Service (DRaaS) from a third-party DR provider, organizations can automatically test, document and execute DR plans with as little as a single click, recovering everything from a single application to entire sites. Going back to the planning process, businesses can choose the best protection method based on the Service-Level Agreement (SLA) they need. The fundamental question and objective behind the DR plan needs to be: how quickly does the business need to recover? That applies both to getting mission-critical apps back online and to fully recovering data in its pre-incident form. With DRaaS, customers can take advantage of a fully managed, monitored and secure method for protecting critical data, all without needing to maintain an off-site repository. All in all, DR best practice combines a business-led and an IT-centric strategy for ensuring business continuity. One cannot work without the other, and given the reliance of organizations on their digital infrastructure, they need a robust plan as well as Modern Data Protection solutions that fully protect the business.
By Beni Sia, Vice President of SEA and Korea at Veeam Software
Singapore has developed the latest innovations in defence tech and will focus on the future of this sector. The advancement of technology will inevitably have implications for defence tech. Autonomous vehicles, drones, and sensors will play a big role in future warfare and the Defence Science and Technology Agency (DSTA) is keeping a close eye on emerging areas such as Artificial Intelligence (AI), Internet-of-Things (IoT), cybersecurity, and Cloud.
Assisting decision-making is one way that AI can be useful to the military. Algorithms can make sense of increasingly complex and large data, helping to recommend and predict possible next steps. They can also detect threats and unusual activity at a rapid pace. Working with commercial companies to develop tech for military applications is key.
– Loke Mun Kwong, Director, Advanced Systems, DSTA
The younger generation is the future and therefore very important. Mervyn Tan, Chief Executive of DSTA, conducted regular lectures for up-and-coming engineers at the Temasek Defence Systems Institute at the National University of Singapore. Imparting knowledge to a new generation of defence tech staff is how the agency can develop a stronger pipeline of talent.
While DSTA can source defence systems from external organisations, its engineers do more than buy off-the-shelf systems and deliver them to the military. It is key that the technology it buys can be integrated into a common network. This network of interconnected technologies provides greater capabilities than the individual systems can deliver alone, meeting requirements that couldn’t be achieved otherwise.
This common network can be compared to a smart home, he explains. While a homeowner can have a virtual assistant device like Alexa, the device can be enhanced when it can control the TV, air conditioner, lights, and front gate. This turns multiple individual devices into a smart home system. But this process is easier said than done. Integrating large-scale systems can be challenging.
The pandemic revealed that DSTA has applications beyond defence. For example, DSTA engineers were able to develop a tech tool to help measure citizens’ temperatures across public spaces when the virus first hit Singapore. These teams were able to rapidly develop temperature self-check systems that are contact-free. This enabled citizens to measure their temperature quickly and conveniently.
The organisation has been investing in building skills across multiple areas for years, enabling it to develop valuable services when crises like COVID-19 strike. The organisation’s recent work has not all been related to COVID-19. DSTA has been helping to boost security at Changi Airport by upgrading its ability to detect and disrupt unauthorised drones in nearby airspace.
As reported by OpenGov Asia, the Defence Science and Technology Agency (DSTA) harnesses science and technology to enhance the Singapore Armed Forces (SAF) capabilities. DSTA also contributes its multidisciplinary expertise in areas ranging from cybersecurity and systems engineering to procurement and protective technology, in support of national-level developments.
In the Simulation and Training Systems Hub (STSH), DSTA taps the latest technologies such as modelling and simulation, extended reality, data analytics and Artificial Intelligence (AI) to experiment and develop new training concepts and capabilities for the SAF.
One of DSTA’s recent projects is the development of a command and control (C2) system to support the nation’s fight against COVID-19. Back in May 2020, at the peak of the pandemic, testing needs had to be ramped up quickly. Therefore, the Ministry of Health set up the Testing Operations Centre (TOC) to aggregate national testing demands and centrally manage the allocation of testing capacity.
DSTA is committed to its mission of providing technological and engineering support to meet Singapore’s defence and national security needs. Therefore, DSTA has a low operational risk appetite related to business continuity, safety and delivery of capabilities to partners, as well as incidents that affect its credibility with the public and the international community.
Cyberspace is transnational and borderless. This means that cyberattacks can be conducted by anyone, from anywhere in the world. Regardless of who the malicious actor is, putting in place cyber resilience measures to protect ourselves is key.
Singapore needs to take precautions in cyberspace to protect the digital security of Singaporeans against cyberattacks by private firms allegedly at the behest of state actors and state-backed entities. Singapore also should take additional and updated steps to address the risk of such attacks in the wake of developments over the last six months.
2021 put cybersecurity under the spotlight with a spate of cyberattacks and serious vulnerabilities discovered around the world, the most recent event of concern being the vulnerability found in an open-source Java package that is widely used by software developers. When there are known incidents and vulnerabilities, the Cyber Security Agency of Singapore (CSA) takes immediate steps to ensure that our Critical Information Infrastructure (CII) and enterprises are secure.
CSA called for two emergency meetings with CII sectors to issue technical details and mitigation solutions and heightened monitoring for unusual activity. Public advisories and alerts were issued; trade associations and chambers were also briefed on the urgency for enterprises to implement the mitigation measures.
To strengthen Singapore’s cybersecurity, CSA encourages adopting a “zero-trust” posture. This comprises two key principles: first, do not trust any activity on your networks without first verifying it and second, ensure constant monitoring and vigilance for suspicious activities. To raise standards, CSA is developing the CII Supply Chain Programme to ensure that CII owners and their vendors adhere to international best practices for supply chain risk management.
At the same time, CSA also developed actionable cybersecurity toolkits and resources for businesses under the SG Cyber Safe Programme to improve their cyber defences. These toolkits and resources can be found on CSA’s website.
CSA has consistently advocated that the best defence against cyberattacks is a population that is vigilant and adopts good cyber practices. Businesses and organisations are responsible for their own cybersecurity and must take action to strengthen their posture.
This includes regularly updating their software and systems, and practising incident response and business continuity plans to ensure that employees are well-prepared when incidents happen. Individuals should practise good cyber hygiene and stay vigilant against phishing links. We must all strengthen our defences to participate in the digital domain safely and securely.
As reported by OpenGov Asia, CSA has launched a series of toolkits for enterprises, which provide guidance on cybersecurity issues tailored for senior business leaders, SME owners, and employees. The new toolkits help to simplify cybersecurity and enable businesses to make more informed trade-offs between security, system usability and cost.
The toolkit for enterprise leaders and SME owners will focus on the business reasons for business leaders and SME owners to invest in cybersecurity, such as rationalising investment in cybersecurity, and how fostering a culture of cybersecurity would enable enterprises to reap the benefits of digital transformation.
Although 80 per cent of Singapore SMEs embrace digital transformation and have it in place, cybersecurity has been the key reason why small enterprises do not digitalise. Topics include the cultivation of cybersecurity leadership and guidance for employee cybersecurity education.
The programme is one of the major initiatives under the Safer Cyberspace Masterplan, which was launched last year. The master plan was developed in consultation with the cybersecurity industry and academia, to raise the general level of cybersecurity in Singapore for individuals, communities, enterprises, and organisations. Key areas of focus include securing Singapore’s core digital infrastructure, safeguarding cyberspace activities and empowering a cyber-savvy population.
Following the recent spate of SMS-phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are introducing a set of additional measures to bolster the security of digital banking.
MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam. The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.
MAS is deeply concerned about the recent spate of scams and the financial losses suffered by victims. The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted.
– Ravi Menon, Managing Director, MAS
Banks in Singapore, in consultation with MAS, will work to put in place more stringent measures within the next two weeks, including:
- Removal of clickable links in emails or SMSes sent to retail customers
- The threshold for funds transfer transaction notifications to customers to be set by default at $100 or lower
- Delay of at least 12 hours before activation of a new soft token on a mobile device
- Notification to an existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
- Additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details
- Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
- More frequent scam education alerts.
Customer vigilance remains of paramount importance. Scammers are quick to adapt in targeting unsuspecting consumers. To avoid falling for online banking scams, customers must:
- Never click on links provided in SMSes or emails;
- Never divulge internet banking credentials or passwords to anyone;
- Verify SMSes or emails received by calling the bank directly on the hotline listed on its official website;
- Verify that you are at the bank’s official website before making any transactions or transact through the bank’s official mobile application; and
- Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.
Banks will continue to work closely with MAS, the Singapore Police Force, and the Infocomm Media Development Authority (IMDA) to deal with this scourge of scams. This includes working on more permanent solutions to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders. MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.
As reported by OpenGov Asia, Singapore’s Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS) and the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM), in collaboration with commercial partners have successfully concluded the world’s first cross-border digital trade financing pilot of its kind.
The pilot used IMDA’s TradeTrust framework to facilitate the transfer of electronic records between jurisdictions that have adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Transferable Records (MLETR). This harmonises the legal recognition of digital documents such as electronic bills of lading (eBLs) across both jurisdictions and complements the larger global trade movement by the G7 economies on adopting electronic transferable records in international trade.
Fraudsters have been running schemes on government programs essentially since those programs were first created. However, COVID-19 created an environment especially ripe for fraudulent activity. When the pandemic hit in early 2020, government unemployment offices were flooded with both legitimate requests as well as hits from scammers looking to take advantage of the system and the chaos caused by the flood of claims.
Access to new technology like bots and Artificial Intelligence has given criminals, both those acting individually and larger organized crime syndicates, the power to submit fraudulent benefit applications on a tremendous scale.
First, fraudsters either buy stolen IDs, many of them purchased from the dark web, or create synthetic IDs by combining bits of identity data from different sources. Then, they employ bots to completely inundate government systems and slip in fraudulent applications, which often go unnoticed among the flood of legitimate ones.
As the government attempts to limit criminal activity, many agencies are working to deploy technology solutions that allow them to capture anomalies and detect fraud in programs like unemployment insurance (UI), Medicare/Medicaid and even the Supplemental Nutrition Assistance Program.
With nearly 30% of the fraudulent UI claims in larger states based on stolen Social Security numbers, it’s much more difficult for government agencies to catch anomalies. For several reasons, implementing an automated identity verification (AIV) system can be a lifesaver for agency IT teams that are understaffed and overworked:
- Improved processing time – By automating ID verification, government agencies can quickly process more applications. Using real-time credit data can help eliminate fraudulent claims before they get into the system. Faster processing also contributes to a higher user satisfaction rate among legitimate applicants who experience a more efficient turnaround.
- Reduced human error – AIV eliminates the potential for human error common when staff are feeling the stress of doing more with less. Even with well-trained and experienced employees in place, errors, omissions and misunderstandings can let fraudulent claims pass.
- Less expensive than deploying new workers – The growing demand for qualified IT professionals makes these positions very competitive and often cost-prohibitive for agencies on a set annual budget.
- Scalability – Even government IT shops that can find, hire and train qualified new employees must still deal with seasonal (end of quarter, end of year) or event-based (disaster, pandemic) scaling challenges that test their normal day-to-day workload. AIV can provide flexibility during times of peak demand.
A 2020 report commissioned by researchers at the Administrative Conference of the United States found that federal agencies were closing the gap and that 45% of the 142 agencies surveyed were also using AI and/or machine learning to assist in fraud analysis in two key areas:
- Using data analytics to detect and diagnose fraud after the fact.
Data analytics can help supplement IT and financial auditing teams and improve the overall efficiency and effectiveness of their post-mortem audits. Analytics make it possible to quickly and efficiently compare the data from disparate systems, more confidently identifying anomalies between them.
- Implementing behavioural analytics to prevent fraud.
As important as fraud detection, prosecution and recovery are, using behavioural analytics to help prevent fraudulent activity by verifying identity before a claim is ever paid out is the real opportunity.
As reported by OpenGov Asia, bipartisan members of the House recently introduced legislation that would require the government to drastically modernise the United States’ digital identity infrastructure. The bill establishes the Improving Digital Identity Task Force to lead a government-wide effort to develop secure methods for governmental agencies to validate identity attributes, protecting the privacy and security of individuals and supporting reliable, interoperable digital identity verification in the public and private sectors.
Singapore has embraced technology as a crucial engine of the nation, where digitalisation is a key pillar of its public service transformation efforts. It leverages data and harnesses new technologies to continuously better citizen services as part of broader efforts to build a digital economy and digital society. Against this backdrop, digital technologies and solutions need to be made secure to ensure there’s no disruption to citizen services and to make sure citizen data entrusted to the government is protected.
Mohit Sagar, Group Managing Director and Editor-in-Chief, OpenGov Asia, acknowledges the work culture is shifting significantly due to the COVID-19 pandemic, especially in the Asia-Pacific region. Remote working or hybrid working has become the new default and will likely stay this way for the foreseeable future.
In the early stages of the pandemic, government agencies and corporations understandably used Band-Aid measures—ad hoc technology and make-shift solutions—to stay afloat and ensure continuity. Considering the suddenness, sheer scale, and severity of the situation, many of these provisions can’t be seen as genuine digital transformation.
This raises two fundamental questions: what will modernising the delivery of citizen services look like in 2022 and beyond? And how can governments improve security and infrastructure to deliver seamless citizen-centric digital services?
OpenGov Asia had the opportunity to speak exclusively with Sascha Giese, Head Geek™ at SolarWinds, to talk about transforming digital services in the public sector and how SolarWinds can help governments in their digital transformation journey.
Sascha has more than 10 years of technical IT experience, four of which have been as a senior pre-sales engineer at SolarWinds. As a senior pre-sales engineer, Sascha was responsible for product training for SolarWinds channel partners and customers.
Culture Shift to Remote Work
Sascha started by exploring the big question about the direction of the workforce and its evolution. In his role, he works with IT professionals in different countries and contexts and has gained a wider and richer understanding of the remote working shift. Most people, he feels, don’t want to go back to the days of fully working from the office after experiencing the benefits of remote work during the pandemic.
Another phenomenon is the “Great Resignation,” which is the ongoing trend of employees voluntarily leaving their jobs. According to The Great Resignation Update, three main reasons why employees quit are burnout, inflexible jobs, and leaving for a more caring culture providing organisational support for employee well-being.
To solve this problem, many companies have adopted hybrid work, which allows employees to alternately work from the office and their home. As the whole workforce shifts, however, it’s particularly difficult for IT teams, as organisations generally weren’t prepared for this massive transition. In the best of times, IT usually takes a long time to deploy or accommodate any change, upgrade, or platform. The pandemic demanded instant change, so mistakes were bound to happen.
The fact is, even now, this is an evolving situation. With new strains and seasons come new measures and needs. This lack of certainty and clarity means no one fully knows what the work model is going to be. Regardless, Sascha firmly believes the future of work is hybrid—a fluid mix of remote and in-office working. Whatever the case, he’s confident IT teams can manage the situation.
Helping the Public Sector Undergo Real Digital Transformation
Mohit believes 2022 is the year where genuine, long-term digital transformation will happen in the public sector. In this constantly evolving digital landscape and VUCA environment, how can governments simultaneously deliver digital services quickly and keep them safe? And how does SolarWinds help the public sector in attaining a secure digital transformation?
Sascha explained most organisations, both public and private, want to increase their presence with more services and better access. Hence, they’re always exploring ways to provide more digital offerings across any platform and device—anytime, anywhere. For this to happen, he says, the public sector must leverage technology across the entire gamut of services, from birth, education, and living to taxes, business, registrations, and more. Technology is no longer an enabler but a disruptor of business models. It can improve lives in a way previously unimaginable.
Singapore is an excellent example of an advanced country when it comes to delivering digital services, in Sascha’s opinion. Through Government Technology (GovTech), it harnesses the best info-communications technologies to make a difference in the everyday lives of Singaporeans. The nation also regularly involves citizens in participating and co-creating technologies with the government, determining the services they wish to have.
An important and inseparable aspect of digital services is security, especially for citizen data in the public sector. Citizen data is extremely valuable and needs to be simultaneously secure and available. Maintaining the balance between the two is especially challenging.
To store and secure citizen data, many organisations adopt a cloud strategy. Due to different regulations and compliance requirements in every country, however, organisations can’t put everything in the cloud.
One of the customers SolarWinds supports is a national health organisation linked to a European Ministry of Health, and SolarWinds has helped them improve the delivery of public health services. The customer initially started with basic server monitoring nearly eight years ago and has subsequently moved on to the management of applications and databases. As the organisation continued to grow, the support SolarWinds offered expanded to supporting the network team, where it monitored connectivity between regional branch offices and its headquarters.
In line with the wider government’s direction to create a “cloud-first” initiative, this organisation is shifting resources to a private cloud and uses SolarWinds tools to forecast the impact of data transfer from various locations. This includes placing parts of the monitoring system in the cloud.
In terms of data management, the organisation moved all sensitive data to a private cloud with limited access. It uses the public cloud for the rest of its data, as the public cloud has limitless resources and numerous technologies a private cloud doesn’t offer.
Maintaining Cyber Resilience Amid Perpetual Ransomware Attacks
As cyberattacks continue to happen, maintaining cyber resilience is a critical part of the modernisation of digital services in the public sector. Without a doubt, the most common of these is ransomware. Bad cyber actors are getting more ruthless as they target critical infrastructures, including public health systems and water cleaning facilities. Such attacks suggest human lives don’t matter anymore—they’ll do whatever it takes, even if the attacks cause real danger to people.
Sascha believes mitigating ransomware attacks is a big step towards better security and elaborated on two ways to diminish the damage. As soon as there’s an indication of suspicious activities, the first step is to shut down the machines before any further degradation or infection can occur, preventing the worst. The second line of defence is backups. These backups must also be regularly tested and updated to ensure their efficacy.
Due to the huge amount of data governments have, the backup process is much more complicated. Moreover, data is likely to be highly distributed because branches of local authorities have different sets of data. Additionally, the level of expertise of the IT teams in each agency might vary significantly. Therefore, governments need to find a baseline for security measures.
Mohit points out there’s no such thing as 100% safe from ransomware attacks, so the pertinent question is “how do agencies measure their level of security, and how can they be reasonably safe from such attacks?”
Nearly every industry was confronted with the rise of high-level cybersecurity breaches, highlighting the potential risk of incomplete security policies and procedures. SolarWinds makes a yearly IT Trends Report and polls thousands of IT executives about certain topics—this year’s topic is about security, reveals Sascha.
The findings of the IT Trends 2021 Building a Secure Future uncover a reality in which exposure to enterprise IT risk is common across organisations, but perceptions of apathy and complacency surrounding risk preparedness are high as businesses exit a year of pandemic-driven “crisis mode.”
The findings are based on a survey fielded in March/April 2021, yielding responses from 967 technology practitioners, managers, and directors from public and private sector small, mid-size and enterprise organisations worldwide. Most IT leaders feel their organisations are prepared to manage and mitigate cyberattacks. For Sascha, when people feel secure, they lower their shields and become complacent.
To measure the effectiveness of security protocols, certain tools can be used to check for network security threats, including penetration testing tools and vulnerability checkers. Sascha offers an interesting and progressive idea for security measurement: organisations should hire a group of hackers on the dark web to hack them so they know the vulnerabilities in their systems.
Another thing organisations can do is rely on proper tools for basic mitigation. Sascha believes organisations need to adopt a zero-trust model, which is a security framework requiring all users—whether they’re inside or outside the organisation’s network—to be authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
Rooted in the principle of “never trust, always verify,” organisations must assume they’ve already been breached. Instead of providing permanent access, organisations should provide temporary access for project-based work, external employees, or contractors to minimise the risk of a breach.
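The zero-trust checks described above, as an added illustration (not SolarWinds code or anything from the interview): every request is re-checked for identity, device posture and a time-bounded, project-scoped grant, so a contractor's access lapses on its own and being on the internal network confers nothing. All names, resources and timestamps are constructed for the example.

```python
"""Zero-trust per-request policy check (added illustration; constructed names and data).
Identity, device posture and a time-bounded, project-scoped grant are re-evaluated on
every request; network location is logged for audit but never confers trust."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

@dataclass
class Grant:
    """Temporary, project-scoped access instead of a standing permission."""
    subject: str
    resource: str
    project: str
    expires_at: datetime

@dataclass
class Request:
    subject: str
    resource: str
    project: str
    authenticated: bool      # credential (e.g. MFA) verified on this very request
    device_compliant: bool   # posture: patched, EDR running, disk encrypted
    source_network: str      # recorded for audit only; "inside" grants nothing
    at: datetime

def evaluate(req: Request, grants: List[Grant]) -> Tuple[bool, str]:
    """Policy decision for one request: (allowed, reason). Default is deny."""
    if not req.authenticated:
        return False, "identity not verified on this request"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    for g in grants:
        if (g.subject, g.resource, g.project) == (req.subject, req.resource, req.project):
            if req.at >= g.expires_at:
                return False, f"grant for {g.project} expired at {g.expires_at:%Y-%m-%dT%H:%MZ}"
            return True, f"temporary grant for {g.project} valid"
    return False, "no matching grant (default deny)"

# Constructed sample: a contractor holds a four-hour grant for one project.
NOW = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("contractor-a", "payroll-db", "audit-2021", NOW + timedelta(hours=4))]

def decisions() -> dict:
    cases = {
        "contractor_within_grant": Request("contractor-a", "payroll-db", "audit-2021", True, True, "corp-lan", NOW),
        "contractor_after_expiry": Request("contractor-a", "payroll-db", "audit-2021", True, True, "corp-lan", NOW + timedelta(hours=5)),
        "non_compliant_device": Request("contractor-a", "payroll-db", "audit-2021", True, False, "corp-lan", NOW),
        "employee_on_lan_no_grant": Request("employee-b", "payroll-db", "audit-2021", True, True, "corp-lan", NOW),
    }
    return {name: evaluate(r, GRANTS) for name, r in cases.items()}
```

Note that the employee on the corporate LAN is denied exactly like an outsider: only a valid, unexpired grant plus a verified identity and compliant device produces an allow.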
Mohit agrees zero trust is the future. The problem is there’s a lot of pushback from team members, as it complicates their tasks. The question then becomes “how do you implement this unpopular yet crucial methodology?”
In response to this question, Sascha reflected on the December 2020 SUNBURST cyberattack on the SolarWinds software build environment, which illustrates a concerning new reality for the software industry and illuminates the increasingly sophisticated threats made by outside nation-states to the supply chains and infrastructure on which we all rely. The breach was a wake-up call for the software development community, and one of the biggest learnings is that security requires constant vigilance and learning and must be part of the mindset of every security team member.
Early on, SolarWinds recognised it was likely a target because of its position as a market leader in monitoring and because it serves a plethora of companies – private, public, small, and large – worldwide. It’s a gateway of sorts, making it a highly valuable target. And while the company believed its prior security practices were representative of the practices within the larger software industry, armed with what they learned from this attack, they further sought to secure their environment and systems against vulnerabilities through its Secure by Design initiative. This includes, among other things, adopting zero-trust and least privilege access mechanisms, addressing risks associated with third-party applications, and, most recently, implementing a triple-build process that aims to set the new standard in secure software development.
From the beginning, SolarWinds has been open in its communication with its customers. The company published its findings from the cyberattack weekly, has worked with various agencies to offer information and remains committed to sharing its learnings broadly given the common development practices in the industry and their belief that transparency and cooperation are the best tools to help prevent and protect against future attacks.
Sascha’s main advice to the public sector is to manage their supply chain, as many organisations don’t even know who has access to their resources. Although organisations might have perfect control of their own environment, they usually don’t know what happens with external parties.
Building Citizens’ Trust in Government Services
When talking about trust in government services, Sascha recognises there’s still a generation not used to the digital world—mobile phones, the internet, online transactions, etc. Governments can’t instantly become fully digital, as there are still those who won’t or can’t cope with these changes. The more they’re pressured, the more they’ll resist giving their personal data to governments, creating a further lack of trust from this community.
Governments need to explain to the public why they’re going digital and how it benefits citizens—all citizens. The public needs to be involved from the beginning, and they need to understand why these changes are necessary to make each citizen’s life better and easier.
Sascha spoke about a SolarWinds product designed to solve a problem for which solutions are still lacking in the market. Many technologies are available to monitor data in the data centre and the cloud separately. However, many organisations don’t monitor the connectivity between on-premises environments and the cloud. When something isn’t working, organisations have to start troubleshooting and figure out what went wrong.
SolarWinds NetPath™, a network path analysis feature included in SolarWinds Network Performance Monitor, SolarWinds Network Configuration Manager, and SolarWinds NetFlow Traffic Analyzer, warns IT professionals where a problem is located. NetPath measures the performance characteristics of each network node and link, making it easy to spot slowdowns. It monitors connectivity from the users to the services and determines what infrastructure is in the path and where traffic slowdowns are occurring. It provides additional infrastructure data only when it appears to be related to a real problem.
With NetPath, organisations can isolate network slowdowns and determine the actual person they need to contact to solve them. This tool fills the gap in the market, as Sascha points out. At the end of the day, troubleshooting is a game of responsibility.
In closing, Sascha emphasises SolarWinds has done a lot to offer excellent digital products and put various security measures in place at the same time. SolarWinds establishes trust by putting significant investment into providing excellent and secure services.
The Indian Institute of Technology in Guwahati (IIT-Guwahati), in partnership with a private player, has announced the launch of a postgraduate (PG) certificate programme in cybersecurity and a PG certificate programme in artificial intelligence (AI). The demand for cybersecurity domain experts has increased two-fold in the past year as tech-enabled solutions and digitalisation became a staple addition to institutions, governments, and organisations. This has globally increased the risk of security breaches as well.
The 8-month-long course focusing on cybersecurity will equip students with subjects that will help them become adept for careers as network security specialists, cybersecurity analysts, cybersecurity architects, cybersecurity managers, etc. The 9-month-long course on AI and deep learning will cover fundamental modules such as Python programming, data analytics, neural networks, computer vision, image recognition, etc. The course will prepare students for careers as AI and ML engineers, computer vision experts, software R&D engineers, cloud support engineers, etc.
A news report stated that the PG programmes have designed their pedagogy to cater to the latest industry requirements. Leading faculties from IIT-Guwahati and the industry player will conduct live instructor-led sessions over the weekends, along with prominent experts from relevant industries. The students will showcase their learnings and skills by participating in a Capstone project and solving real-world business problems.
The courses are currently accepting applications from candidates who have scored at least 50% marks in a relevant bachelor’s degree and have a minimum of two years of work experience in IT or software development. After the course, the students will receive certificates issued by the partner organisations. Speaking at the launch event, an official noted that IIT-Guwahati has been working to offer professional courses in futuristic areas of technology, science, and management. Since data science and AI-based technology have made rapid inroads through their seamless mechanisms and improved productivity through reduced human intervention, IIT-Guwahati has initiated undergraduate and doctoral programmes in these fields through its new Mehta Family School of Data Science and Artificial Intelligence.
With the greater adoption of technology, there is a growing need for people with best-in-class technical skill sets to meet this demand. This public-private collaboration will fulfil the requirements for AI, deep learning, and cybersecurity across all sectors. The official said that the curriculum is meticulously developed with foundational and advanced subjects to provide learners with comprehensive knowledge across these specialised domains, conforming to industry requirements. These programmes will enable professionals to upgrade their skills and their knowledge of evolving technologies, and to advance their careers.
Earlier this month, OpenGov Asia reported that IIT-Madras and an Indian Institute of Management, Ahmedabad (IIM-Ahmedabad)-incubated start-up, GUVI, are offering Python and AI upskilling courses for free. They are available to more than one million socially and economically disadvantaged youngsters in India. The Python and AI skills included in this initiative focus on face recognition technology that any beginner can master. The courses will be taught in various vernacular languages including English, Tamil, Hindi, and Telugu, among others. Free access to the courses will be available through a registration process enabled on GUVI’s official website.
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, as well as private sector organisations, the United States’ need for trustworthy secure systems has never been more important to its long-term economic and national security interests. Engineering-based solutions are essential to managing the complexity, dynamicity, and interconnectedness of today’s systems.
A draft National Institute of Standards and Technology (NIST) publication titled “Engineering Trustworthy Secure Systems” addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose those systems and the capabilities and services delivered by those systems.
The need for trustworthy secure systems stems from the adverse effects associated with a diverse set of stakeholder needs that are driven by mission, business, and other objectives and concerns. The characteristics of these systems reflect a growth in the geographic size, number, and types of components and technologies that compose the systems; the complexity and dynamicity in the behaviours and outcomes of the systems; and the increased dependence that results in a range of consequences from major inconvenience to catastrophic loss due to adversity within the global operating environment.
Building trustworthy, secure systems cannot occur in a vacuum with isolated stovepipes for cyberspace, software, and information technology. Rather, it requires a holistic approach to protection, broad-based thinking across all assets where loss could occur, and an understanding of adversity, including how adversaries attack and compromise systems.
– Ron Ross, NIST Author
The update provided an excellent opportunity to reflect on the past five years of the publication’s use by systems engineers and systems security engineers and to apply targeted lessons learned during that timeframe. The publication takes a holistic approach to systems engineering. NIST researchers give an overview of the objectives and concepts of modern security systems, primarily regarding the protection of a system’s digital assets.
One of the key updates NIST authors made in the latest version of the publication was a fresh emphasis on security assurances. In software systems engineering, assurance is represented by the evidence that a given system’s security procedures are robust enough to mitigate asset loss and prevent cyberattacks.
Evidence generated during the system life cycle is essential to building assurance cases for systems being deployed in the critical infrastructure. Assurance cases can turn security into something concrete, measurable, and shareable. Building and delivering assurance is the way to drive the culture of security.
The newest draft also looks into the fundamental elements of how to build a trustworthy secure design, which hinges on the proactive elimination or mitigation of vulnerabilities. It also compiles the various loss control design principles in one section and outlines how they each function.
NIST has published similar guidelines in recent years. One guidebook focused on how federal agencies can secure legacy information technology systems against cyberattacks. Officials published a broader document on cyber-resilient systems for public and private-sector organisations.
As reported by OpenGov Asia, NIST has drafted a set of cybersecurity criteria for consumer software in an effort to improve consumers’ ability to make informed decisions about the software they purchase. The criteria in this document are based on extensive input offered to the NIST workshop and position papers submitted to NIST, along with the agency’s research and discussions with organisations and experts from the public and private sectors.
The document, “Draft Baseline Criteria for Consumer Software Cybersecurity Labeling”, forms part of NIST’s response to the Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO specifies that NIST “shall identify secure software development practices or criteria for a consumer software labelling program” — criteria that reflect a baseline level of cybersecurity and that focus on ease of use for consumers.