Public sector cyber security a shame
Published: 11 May 2014 at 00:20
newspaper section: News
Thailand’s internet security is woeful, and nowhere are the flaws more obvious and dangerous than the websites of government agencies and state institutions. Not only has personal data on Thai government websites been exposed, but criminals are using the sites as springboards for attacks on others.
According to one analysis, more than 500 malware attacks were launched from nearly 100 hacked Thai government websites last month alone. This represented the vast bulk of government-hosted malware attacks around the world, internet services company Netcraft reported, with Thai domains in general the fourth most likely to host phishing attacks that target usernames, passwords, credit card details and other sensitive information.
They are hardly the first to sound the alarm about the porous state of the country’s cyber security — Thailand regularly features in top 10 lists of most infected nations.
After assessing the attacks it detected around the world in 2013, anti-virus software giant Symantec ranked Thailand as the 28th most risk-prone out of 157 countries, with healthcare facilities, educational institutions and public companies representing more than half the data breaches.
Symantec called for a data privacy law, which is long overdue, and stressed that delays to cyber security investment would only enhance the risks and further erode confidence in the public sector. Symantec does stand poised to profit from any investment, and tends to be more active with its public relations than its competitors, but it is still worth paying attention to its advice.
Despite the warnings, it is easy to wonder whether the Thai institutions in question — government agencies, the police and military among them — are even aware that their websites are playing host to phishing spambots and malware used by criminals.
Criminals who are responsible for the attacks are the ones who should be held most accountable. However, those operating websites should not be unwittingly complicit in these crimes through negligence.
The fact that government agencies are involved makes the situation all the more disappointing, as their security should be the most trusted.
This is not simply a matter for the IT help desk to deal with — real people get real money stolen through identity theft and credit card fraud. More than half a billion people had some form of information exposed last year through online criminal activity, and the trend points to an increase in large-scale data breaches.
Calculating the economic impact of cyber crime is fraught, but last year McAfee assessed it would most likely be measured in the hundreds of billions of US dollars. The loss of sensitive information, intellectual property and credit card numbers does not automatically translate to an equal gain for those who steal them, but McAfee estimates identity theft alone is a US$1 billion (32.6 billion baht) global business annually.
While many countries are keenly aware of the risks and have enacted laws to strengthen privacy protection, in Thailand it has long been neglected. In fact, by accident, Thailand’s public sector has been contributing to the problem.
This has broader implications than the appearance of the words “Hacked by MR.Moein” on the then Yingluck government’s anti-corruption website in October, confusing and vaguely amusing as that was. The impact on investor confidence and the country’s reputation as a forward-thinking part of the 21st century is no laughing matter.
That nearly 100 websites were hacked in a month speaks poorly of the institutions involved, and of the absence of a holistic government approach that might have prevented it. After October’s attack on the anti-corruption site, it was asked whether they could be trusted to keep the country safe from corruption if they couldn’t secure their own servers. The financial sector and big business are doing their part and investing in internet security because they realise the importance of protecting customers’ information and their own reputations. Sadly, they are being let down by their counterparts in the public sector who are left looking backwards.
There are many possible responses to the ever-evolving threat of cyber crime. The US takes the matter seriously, with a holistic government strategy spearheaded in part by the Department of Homeland Security. China has its Great Firewall, which is far from foolproof and designed to stop political dissent and the spread of information rather than criminal activity. Thailand’s internet security, meanwhile, resembles the ruins of Ayutthaya, and criminals can pick their way through the rubble and take whatever they want.