Malaysia & Singapore Security Magazine - Special Edition


Print Post Approved PP100003227

FOR SECURITY PROFESSIONALS IN SOUTHEAST ASIAN NATIONS | www.malaysiasecuritymagazine.com Aug/Sep 2017

Malaysia Security & Risk Environment

Malaysia's changing cyber security framework
India: Tackling the turmoil within
Demonisation spurs cybercrime

Security in Singapore

Cyber Security week in Singapore
Australian Delegation in Singapore
Digitalisation in China

$8.95 INC. GST

PLUS TechTime, Quick Q&A, Cyber Security and much more...




Contents

Editor's Desk
MALAYSIA FEATURE
SINGAPORE FEATURE
INDIA FEATURE
SRI LANKA FEATURE
CHINA FEATURE
TECHNOLOGY FEATURE
MARITIME FEATURE
TERRORISM FEATURE

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Prince Lazar, Jane Lo, Sarosh Bana

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@mysecuritymedia.com

SUBSCRIPTIONS

Page 46 - Malaysia's changing Cyber Security framework

Page 32 - Tackling the turmoil within

www.malaysiasecuritymagazine.com Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: promoteme@mysecuritymedia.com All Material appearing in Malaysia & Singapore Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher.

Page 50 - Now is the time for multi-modal biometrics


Page 56 - Artificial intelligence in the financial services

Correspondents* & Contributors


Prince Lazar*

Jane Lo*

Sarosh Bana*

Mark Deakes

Jaya Prakash

Adeline Teoh*

Anoosh Mushtaq

Ron Bartsch


John Kendall

Page 74 - Children of war: The rise of nation of young Jihadists


Editor's Desk

"Most prognostications for the world in 2017 contend that major disruptive political trends from 2016 will largely determine the course of events for the coming year, and that this is a source of concern, more than hope. The outlook for Southeast Asia for 2017 reflects more than challenges this broader view. 2016 saw changes to major power interests in the region as well as disruptive political dynamics in five of the six most populous Southeast Asian countries. These will play out in 2017 and beyond." - Southeast Asia Outlook 2017, ISEAS - Yusof Ishak Institute

The Southeast Asian region remains one of the few places in the world that can combine an abundant labour supply, many coastal cities and port facilities; however, growth will rely on geo-political stability, good public infrastructure and education. According to the UN World Urbanisation Prospects (2014), throughout ASEAN, the percentage of people living in cities is projected to rise from about 47 percent in the mid-2010s to 56 percent in 2030 and then to 67 percent in 2050.

Malaysia continues to be heavily dependent on oil and, along with corruption scandals and the Ringgit’s decline, has signed new naval defence agreements with China, joining the Philippines as another key country to accept, or succumb, to China’s obvious sphere of influence. In turn, the economic outlook has recently brightened for Singapore's prospects with an export rally lifting demand for Singapore's shipments earlier in the year and igniting hope that the economy is on the cusp of a strong rebound.

In the security context, Southeast Asian governments have for years highlighted the risk from returning fighters alongside those radicalised at home via the internet. Those warnings have increased as Islamic State continues to lose ground in the Middle East, raising concerns it will metastasise and grow more potent in other places. The situation in Marawi, Philippines, initially came as a surprise to police and military forces, when they were confronted by a hornet’s nest of militants and foreign fighters, including some from as far afield as Saudi Arabia, Morocco and Belitsa. Marawi is a tipping point and serves as inspiration to other groups in Indonesia, Malaysia and Thailand. This translates to increased threats to Singapore and other ASEAN countries and Western travellers throughout the region.

Digital disruption also continues to affect all countries with investment in government led digitalisation projects and centralised government IT departments. Overall, the technology industry remains relatively positive for Southeast Asia with hyper-converged infrastructure and data centres continuing to be deployed. Wi-Fi is also seeing big deployments across Asia, particularly with massive growth in China. Messaging apps have fast become the preferred way for people to make calls and communicate, whilst other technologies, such as speech and face recognition, though still not perfect, have become ‘good enough’ to begin making a big impact.

Regional and military tension and the risk of war, instigated by North Korea and the US, or tension in the South China Sea, continue, and the renewed focus on the Southeast Asian region makes sense when considering holistic security issues such as energy, social, physical and cyber security.

MySecurity Media continues to reach out to become a significant media and event coordinator with national and regional cross-industry interests across the cyber-physical security domain, including defence, aerospace and maritime sectors. The outcome of our branded digital publications and on-site event printed editions aims to generate a high-level awareness about market priorities and industry capabilities, with post-event, current event and pre-event content.

As we grow our footprint across the Asia Pacific region, we are involved with a number of significant industry events and speak to leading CIOs, CISOs and CSOs in order to facilitate thought and discussion on critical issues. With correspondents and partners in Singapore, Malaysia and Mumbai we have on the ground presence and will continue to showcase our capabilities with regional roadshows, seminar series and industry conferences.

With an audience of 10,000+ members covering every state in Australia, New Zealand, Singapore, Malaysia and ASEAN countries, backed with partnerships with the Australian Information Security Association, Risk Management Institution of Australasia and the Australasian Institute of Professional Intelligence Officers, we will be reaching a highly targeted and valuable audience. If your organisation needs to communicate and engage with senior, decision making security professionals operating within government and enterprise across the region, then MySecurity Media provides the best and most targeted media channels to be affiliated with.

I hope you enjoy this special introductory edition of the Malaysia & Singapore Security Magazine and we look forward to engaging with you.

Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor



Asia Pacific Region Malaysia

SECURITY AND RISK ENVIRONMENT

By Prince Lazar, Malaysia Country Editor

To understand the security spectrum of Malaysia, it is worthwhile to run through a bit of the Malaysian geo-political situation and location, and the typicality of the South East Asia region, in which Malaysia shares boundaries with a few other countries. Malaysia’s location makes it less susceptible to earthquakes and tsunamis than other countries in Southeast Asia.

Within the Southeast Asia region, Malaysia is a highly open economy due to its maritime location, historically porous borders, geographic proximity to major trade and traffic routes, smaller population combined with relative affluence, shared ethnic heritages with the neighbouring countries inside and outside of Southeast Asia, government policy to encourage ties with the Islamic world, and globally oriented economic outlook.

Malaysia offers lower costs in labour and land. Migrant workers are attracted to Malaysia because of the country’s relative affluence compared with its Southeast Asian neighbours (excluding Singapore and Brunei) and other countries in Asia. Foreign migrant workers are introduced both legally and illegally in sectors such as farming, food processing, mining, construction and house-keeping, and the promotion of the tourism industry also requires a large pool of low-skilled labour.

Opportunities for transnational crime have coincided with Malaysia’s growing migrant population and increased trade, which can be attributed to globalisation. Malaysia’s geographic location has exposed the country to long-distance commerce and migration, which has led to the many transnational issues Malaysia faces today, like drug smuggling and illegal workers. The porous nature of both borders and the corruption at official crossing points are both identified as causes of Malaysia’s ineffective immigration management. Human trafficking is subsumed under the illegal workers category, leading the government to focus on visa violations of the trafficked victims, terrorism and maritime piracy.

In sustaining the growth trajectory, Malaysia has become increasingly dependent on data & information systems across verticals, like healthcare, critical infrastructure, defence, finance and technology, which are all potential targets for financially motivated cyber criminals and politically motivated actors like nation-states.

The proliferation of wi-fi connected tablets for sales service personnel and in-store customer wi-fi access are adding to the complexity of the security challenges for major retailers in Malaysia today. The retail industry is fast becoming a major target for cyber criminals. Hence, for retailers with stores throughout Malaysia, secure network connectivity linking all sites to the head office is critical to business operating processes.

Malaysia is considered to have moderate crime levels, although the country has seen a spurt in crime rates in the last few years, including several reported assaults and robberies, sometimes involving weapons; overall, the security situation in Malaysia is still considered moderate. Other types of non-violent criminal activity include credit card fraud and automobile theft. In the list of security concerns, crime, kidnapping, piracy, terrorism, human trafficking, financial fraud and money laundering are among the country’s priorities. Financial and organised crime is present in Malaysia, but has a limited direct impact on foreign businesses. The threat of cybercrime is growing, however, and companies must ensure they have sufficient cyber protection.

The security challenges faced by Malaysia predominantly emanate from territorial complexity and intricacies. Undefined or unclear land and maritime boundaries have given rise to contestation and overlapping claims, which has manifested itself in some territorial disputes and intrusions. To counter this, the country has formed a defence pact under the Five Power Defence Arrangements (FPDA), established in 1971, committing Australia, Malaysia, New Zealand, Singapore and the United Kingdom to consult on a response to any armed attack or threat against Malaysia or Singapore. The FPDA has also recently expanded its focus to address non-conventional security threats facing the region, including terrorism and maritime security.

The territory and territorial seas of the Philippines, Indonesia and Malaysia constitute a single geopolitical space. Long-standing ties facilitate commerce and social relations among the populations of the region, but they are also conducive to transnational dissident, terrorist and criminal activity. Vast areas lie outside government control, and ethnonational, ideological and religious conflicts exacerbate the void in governance.

The threat from kidnapping has become a serious issue in maritime piracy, which is predominantly prevalent in East Malaysia, particularly in the islands off Eastern Sabah due to its proximity to the Sulu archipelago in the Southern Philippines. The tri-border area (TBA) between the Philippines, Malaysia and Indonesia is a key hub of terrorist and related criminal activity in Southeast Asia, a well-known transit zone for weapons and explosives, and a principal logistical corridor for local and transnational terrorist groups.

Terrorism has increasingly become a big threat in Malaysia of late and it remains a potent risk due to the Islamic influenced groups operating in the region and in the Middle-East. While previous terrorist organisations were disparate organisations fighting for separate causes, the regional terrorists may get together to fight for a common cause across national boundaries and will possess capabilities to target masses using easily-acquired advanced technology weapons or equipment. The insurgency in Southern Thailand by the Muslim Thai rebels, who are active along the Thai border, has also further increased the threat of terrorist attacks in this region.

International terrorists have been suspected of operating out of Malaysia for some time, and the growth of Muslim extremism has spurred the development of home-grown terrorist groups; dozens of disparate fundamentalist groups/cells are believed to be operating in the country. The terror threat to Malaysia, however, doesn’t stem from a particular IS terror outfit, but from the presence of regional terror groups like Abu Sayyaf, the Moro National Liberation Front and many insurgent (terrorist) organisations which have always posed a threat to Malaysia’s northern state of Sabah, and now with their given allegiance to IS, the threat has become more potent.

Malaysia has taken a strong stance on terrorism with the increased terrorism threat; however, the counterterrorism posture is still driven by domestic political considerations. Malaysian authorities have arrested several individuals for activities linked to IS. They have also been very proactive, especially in terms of monitoring flight manifests, preventing people from travelling to and from Syria and Iraq and monitoring social media.

While Malaysia’s counter-terrorism capabilities are relatively strong, the risk of political violence remains high due to tensions between ethnic groups. Over the last five years, Malaysia has experienced an increased number of demonstrations over political divisions, racial/religious tensions and international developments. The country has recently implemented security legislation introducing indefinite detention without trial, which has the potential to foster discontent and trigger violent protest.

Another growing aspect of security is the threat posed to the tourism industry in Malaysia. With the rise of tourism and Malaysia being known as one among the top tourist destinations in the region, it receives a high number of tourist arrivals, which has increased the issues of safety and security, with crime, terrorism, food safety, health issues and natural disasters as the main concerns.

The security industry in Malaysia, especially the guarding sector, with around 24,000 registered private security guards, is saddled with problems on issues of employing incompetent, unqualified and unfit guards. There is a need for a comprehensive review of the security industry in the form of a proper security framework & regulations. If Private Security Companies (PSC) can be regulated and they co-ordinate well with the government institutions, they can be a source of tremendous information and can help the police track down criminals and assist in larger law and order maintenance.

Public and private sector organisations are investing in several areas to ensure that their economic rise does not slow because of infrastructure disruptions brought upon by cyber sabotage or terrorism, or lost revenue because of intellectual property theft. There is an increasing emphasis on security awareness, training & certifications, and academic institutions are also focussing on specialised training and certification courses specific to security & safety. Security based job programs, such as internships, are in place between the academic institutions, government organisations and the private sector, which is a positive boost to security. This manifests in strong information sharing between public and private sector organisations and a general openness amongst organisations, even competitive organisations, when it comes to combating cyber-attacks.

Going with the economic growth in the last few years in Malaysia, from securing the physical borders & assets to endpoint and data security, there is a good trend in a holistic approach to security. Security in Malaysia has been seeking an approach from the perspective of: what can be done, what technology/solutions are available and how it can be employed for end-to-end controls, which is a healthy sign towards security. When vetting solutions, security consistently makes it into the top three on the list of must-have requirements.

The total Malaysian safety and security sector is estimated at US$2 billion and is expected to grow. Private consumption of safety and security equipment has also risen over the last decade, mainly due to the increased rate of urbanisation, a growing middle class owning assets which they wish to protect and a lack of faith in the local law enforcement (Source: Global Safety & Security guide US COMMERCIAL SERVICE). The Revenue in the “security” segment in Malaysia amounts to USD 1.1 million in 2016 and the revenue is expected to show an annual growth rate (CAGR 2016-2020) of 46.94% resulting in a market volume of USD 5.3 million in 2020 (Source: Statista market research portal).

Public consumption is mostly government initiated purchases for the maintenance of law and public order, which is a long and tedious process. Private consumption is usually driven by purchases of new homes, cars and other assets that the common consumer wishes to protect. Until recently, most consumers based their selection process purely on price. In the last five years, there has been a significant change in the attitude and mind-set of consumers, whereby quality and reliability also play a major role in selecting the type and brand of security products to invest in. There is also demand for technologies that keep users updated on the status of their security system. These usually include remote access via smart phones through internet, instant notifications via SMS and/or monitoring companies. New solutions like intelligent video surveillance and cloud security devices are also gaining popularity, especially among the more affluent segments of the market.

US companies presently dominate the Malaysian market for both the public and private market segments. However, Chinese and German companies are fast gaining footholds in the market, especially for point of entry equipment, and for the private consumer market, Taiwanese and Chinese companies are eroding US market share with newer and price competitive surveillance and prevention systems. Some of the leading global security companies operating in Malaysia, which help to provide the latest security technology, are Pelco, MOBOTIX, Sony, Avigilon, Bosch, HID Global, Panasonic, Samsung, Arecont Vision, AxxonSoft, CLIQ - ASSA ABLOY, Hikvision, Seagate, Suprema, Surveon Technology, Videotec, VIVOTEK, Chubbs and ADT.

Malaysia, with diverse ethnicity, race & language, faces dynamic security issues and challenges. This calls for maintaining a secure environment in the country, providing opportunities for economic development and better stability.


Malaysia’s changing Cyber Security framework

Insight interview with Dato' Dr. Haji Amirudin Bin Abdul Wahab, CEO, CyberSecurity Malaysia.

By Chris Cubbage, Executive Editor

At the inaugural Cybersecurity in Asia Conference, Kuala Lumpur, held in early August 2017, Sean Lim, Chief Operating Officer for the EC-Council, highlighted that Malaysia and the ASEAN region need to increase their recognition of cyber risk as one of the top risks facing organisations. In acknowledging the risk, there is a requirement to establish a coordinated national approach to responding to cyber incidents, including coordination amongst multiple government departments, to forge collaborations with other nations and to generate national capacity building measures.

The Malaysia & Singapore Security Magazine sat down with Dato' Dr. Haji Amirudin Bin Abdul Wahab, Chief Executive Officer for CyberSecurity Malaysia, part of the Ministry of Science, Technology and Innovation (MOSTI), to discuss how Malaysia’s cyber security specialist agency is planning to implement these requirements.

Dato Dr Wahab said, “Malaysia doesn't have the tiered strategy model that Australia does but we do partner via our own CERTs and Asia Pacific CERT (APCERT). We’re still organising ourselves but would like to have a model like Australia. We are part of a cybersecurity ecosystem, including with law enforcement. There are many other players within the Malaysian government framework with respective roles and the highest level is the National Security Council (NSC). There is a new entity now in the process of being formed for cyber security within the NSC, which will be the National Cyber Security Agency (NaCSA). This will be positioned within the NSC and was announced by the Deputy Prime Minister in June, 2017.”

Alongside this announcement, Datuk Seri Dr Ahmad Zahid Hamidi announced the Malaysian Government will introduce a new law aimed at protecting Malaysians from cybersecurity threats. Dr Ahmad Zahid said, “the time has come for NaCSA to be the single agency that coordinates all efforts to manage such threats to be dealt with effectively.”

Malaysia’s Communications and Multimedia Minister Datuk Seri Salleh Said Keruak was quoted in Malaysian media to say, “the menace poses a threat to national security and the NSC will head a group of agencies in tackling the matter.” He said, “although the NSC has not received any reports on ransomware attacks here, the Ministry views the matter seriously.”

Dr. Wahab confirmed, “Malaysia received only three reports for Wannacry but there will be more and it was about the same for Petya. Ransomware still had not reached a mass awareness level and these attacks actually assisted in getting the word out, in particular about the speed that these attacks can spread across the world. As we have been trying to raise awareness for years, it has been a blessing in disguise.”

Malaysia plays a major role as Deputy-Chair of the Asia Pacific CERT (APCERT), a coalition of Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) within the Asia Pacific region. The organisation was established in February 2003 with the objective of encouraging and supporting the activities of CERTs/CSIRTs in the region and also has a key partnership with the Organisation of Islamic Cooperation CERT (OIC-CERT), including participation in an Annual Cyber Attack Drill. APCERT is represented at the OIC-CERT Annual Conference, last held in Jeddah, Kingdom of Saudi Arabia, to present on the Asia Pacific cyber security threat environment and APCERT activities.

The partnership between APCERT and Asia Pacific Network Information Centre (APNIC) has also continued to develop, with face-to-face meetings between APNIC and the Steering Committee in the margins of the Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) held in Auckland, New Zealand, in early 2016. The 2016 APCERT AGM & Conference. APNIC and APCERT also collaborated with the Forum for Incident Response Security Teams (FIRST) to support a FIRST Technical Colloquium, within the margins of APRICOT.

CERT Australia was re-elected as Chair of the APCERT Steering Committee, headed by Dr Ewan Ward, and continues to work with all APCERT members and partners, now comprising of 56 economies and three supporting members, Bkav Corporation, Microsoft Corporation and SecureWorks.

APCERT coordinates activities with other regional and global organisations, such as: APNIC (www.apnic.net); Forum of Incident Response and Security Teams (FIRST: www.first.org); Trans-European Research and Education Networking Association (TERENA: www.terena.org) task force (TF-CSIRT: www.terena.nl/tech/task-forces/tf-csirt/); Organisation of the Islamic Cooperation – Computer Emergency Response Team (OIC-CERT: www.oic-cert.net); and STOP.THINK.CONNECT program (www.stopthinkconnect.org/).

Dr. Wahab concluded, “APAC is a major region globally and we work closely with our partners in Australia, Japan, South Korea, and ASEAN countries. Every country wants to work towards strengthening its capabilities. Despite some competition between countries, which is healthy, we appreciate nor can we do it alone. You can no longer be in isolation.”



Singapore

Security in Singapore

Security forms a key element of Australia’s partnership with Singapore and the private security sector should take advantage

By Chris Cubbage, Executive Editor

Having had three back-to-back visits to Singapore in May, it was an opportune time to implicate myself further into this active city, with a proud people and with clear, long term prospects for continued city development and, of most interest, a fast growing digital business economy. With dark clouds on the global economic horizon, if any country is set to lead the way through an approaching economic storm, it is Singapore. We have been wise to tie alongside this country’s anchor.

On 29 June 2015, Australia and Singapore signed a Joint Declaration on the Comprehensive Strategic Partnership (CSP), a ten year plan to enhance strategic, trade, economic, defence and people to people links, and deepen bilateral relations for a Closer Economic Relationship (CER). The two countries announced in May they want to accelerate collaboration in innovation, science, research and technology. Regional security, defence and cyber-security are key aspects of the CER and there is naturally also an opportunity for Australia’s private security sector to sign-up and partner with Singapore’s security sector. This special report provides insight into how this may occur and why.

Introduction to a global landscape

The health and well-being of the global economy has direct and indirect context implications on the related security risk and threat environment. To help set the global landscape and business environment, we refer to the most recent PIMCO Secular Outlook 2016 titled ‘The Global Outlook: Stable but not Secure’.


The PIMCO report provided a consensus that “the post-crisis global economy is just fast enough to avoid stall speed, but there is no evident or prospective source of productivity or organic demand that would support a baseline for more robust expansion. The baseline scenario is that a version of the status quo will evolve gradually” ... however, it was acknowledged “there is a material risk globally that the unconventional monetary policies in place today will be insufficient to maintain global growth, close output gaps and bring inflation to target. Furthermore, compared with the pre-crises experience, with trend growth slow and with debt levels high, there is no obvious ‘spare tyres’ available globally, if and when monetary policy exhaustion threatens global stability. In other words, the global economy finds itself today in a state of disequilibrium that has remained stable thus far only…” ( June 2016). Alongside this report, the OECD’s latest Global Economic Outlook concluded “slower productivity growth and rising inequality pose further challenges. Comprehensive policy action is urgently needed to ensure that we get off this disappointing growth path and propel our economies to levels that will safeguard living standards for all,” said OECD Secretary-General Mr Angel Gurría. Singapore is Shining Despite global downturn, Singapore has cleverly manoeuvred itself to be an important international finance and commerce hub and ranked by the World Economic Forum as the most technology-ready country in the world. A most recent example is KuangChi Science’s announcement to locate its


Singapore

headquarters in Singapore. KuangChi Science was founded in 2010 by five distinguished Chinese scientists and provides a series of disruption space services and is working towards building a global disruptive space technology alliance. In addition, KuangChi Science announced a smart city objective, the Future City Strategy. Dr. Zhang Yangyang, Co-CEO of KuangChi Science, “Singapore provides an ideal innovation base and by creating an innovation headquarters in Singapore, KuangChi Science plans to further collaborate with Singaporean companies and institutes for research and development.” The strategy has been influenced by Singapore’s ‘Smart Nation’ initiative, which was launched in 2014 to make living better for all through tech-enabled solutions, harnessing ICT, communications networks, and big data. Information and communications technology allows local governments to interact directly with the community and the city infrastructure to monitor what is happening in the city and how it is evolving, and to ultimately create a better quality of life for citizens. KuangChi Science has been making investments in security, data transfer, and wireless coverage technology to help make cities smarter and better, effectively optimizing key services to improve city living around the world. HyalRoute has been one of the company’s key investments to support this goal. HyalRoute, now a part of Kuang-Chi GCI’s portfolio of technology innovation companies, is one of the most advanced network infrastructure developers and transnational telecommunication operators in the Asian-Pacific market. The company is engineering and implementing an international fiber-optic network spanning more than 1 million kilometres in length and linking 50 countries. Kuang-Chi GCI launched an international innovation fund based in Israel to invest in companies worldwide. 
The newly established fund had an initial investment of $50 million, which is planned to grow to $300 million over the next three years.

Signing onto Singapore’s Security

To facilitate the CER, Singapore will provide dedicated funding of S$25 million over five years. Australia will provide matching funding from a variety of government and non-government sources. Australia will also locate one of its five “landing pads” for market-ready start-ups in Singapore. This will assist start-ups to “think global” by linking them into entrepreneur and capital networks and industry value chains, accelerating their business development and growth.

A pilot 1.5 Track Dialogue will bring together Government officials and academia in Australia in late 2016 to discuss regional security issues. The two countries will work together on defence science and technology, in areas including combat systems command, control, communications, intelligence integration and cognitive/human systems integration. In the shadow of China’s militarisation of the South China Sea, these major areas of cooperation and collaboration demonstrate the extent of a fast expanding strategic defence partnership.

For civil security, a Memorandum of Understanding has been signed to improve operational collaboration and information exchange, share best practices and strengthen law enforcement cooperation in deterring, preventing and disrupting transnational drug crime.

Alongside the defence and public security sectors, there is naturally a strong security profession in Singapore with the Singapore Security Alliance (SSA), an Alliance amongst the different security industry associations and organisations in the country. Much like the initiative in Australia with the Australasian Council of Security Professionals (ACSP), the SSA includes the Asian Professional Security Association Singapore Chapter (APSA), ASIS International Singapore (ASIS), International Society of Crime Prevention Practitioners, Singapore (ISCPP), Security Systems Association of Singapore (SSAS) and Conference & Exhibition Management Services Pte Ltd (CEMS), organiser of the largest security exhibition in Singapore – Safety & Security Asia (SSA) series. The principle of the Alliance is to bring together different industry authorities under a uniform community to help address security issues in Singapore.

For infosec professionals, the Association of Information Security Professionals (AISP) is registered with association to the Singapore Computer Society (SCS) and Infocomm Development Authority of Singapore (iDA). ASIS International Singapore Chapter has over 200 members and the Chapter actively promotes the certification of security professionals through the Certified Protection Professional (CPP) and Physical Security Professional (PSP) programmes.
(Reference: http://dfat.gov.au/geo/singapore/Documents/australia-singapore-csp-fact-sheet.pdf)

There is a great opportunity for Australian and Singapore security and technology professionals to better collaborate and partner. As Australia’s state based legislation models continue to be sought after for reform and seek out a national model, Singapore provides an ideal partner to work with, in particular on solving the cyber security skills shortage and upskilling the existing physical security profession.

Singapore’s Economic Development Board has been nurturing key industries that are driving Singapore’s economy and will take it into the future with attractive employment prospects. One of these industries includes computer security and development of professionals in the information and communications technology sector.

The future of the Australia and Singapore partnership is clear and mapped out. However, it will remain on the professional security sector to collaborate and partner to take advantage of this relationship and the opportunities it provides. It could be as simple as memorandums of understanding between our primary associations but could go as far as mutual recognition of agent and consultant licenses, certifications, training and qualifications.



Australian Delegation in Singapore for INTERPOL World 2017

Facilitated by MySecurity Media, the Australian delegation in Singapore on the 4th July, was suitably hosted at the Dallas Restaurant, atop the Suntec Sky Garden at the Suntec Convention Centre, courtesy of INTERPOL World 2017.

Opened and addressed by the Australian Ambassador for Cyber Affairs, Dr. Tobias Feakin and accompanied by Zoe Hawkins, Cyber Policy Officer with the Department of Foreign Affairs, the delegation luncheon was attended by representatives of INTERPOL, Australian High Commission, Australian Federal Police, Australian Strategic Policy Institute and the Aerospace Maritime and Defence Foundation of Australia Ltd, attending to promote the CIVSEC 2018 Congress in Melbourne in May 2018. Guests were delegation supporter Kaspersky Lab’s Vice President for Public Affairs and Asia Pacific Managing Director and Oracle’s Australian representatives and Global Director, Public Safety & Justice Solutions. Local support was received from the Singapore Chapter Chair of ISACA and MySecurity Media’s Singapore Correspondent.

With the INTERPOL Congress theme on Day 1 focused on Cybersecurity, the luncheon conversation centred around the need for continued collaboration, reporting cybercrimes to police and the threats and opportunities cybercrime has for business and industry. Importantly, there is also the need for continuing business opportunities with developing a cybersecurity industry, trading between Singapore and Australia.

On the second day of the INTERPOL World Congress, the Australian delegation, accompanied by the Australian Federal Police, toured the INTERPOL Global Innovation Complex, visiting the Digital Forensics Lab, Command and Control Centre and the Cyber Fusion Centre. Sponsored by Kaspersky Lab, MySecurity Media also attended the Opening of the company’s new Singapore Office and seminar series.

The event served as an important template for which to base future Australian delegations in the Asia Pacific region and MySecurity Media would like to thank the Ambassador for Cyber Affairs Dr. Feakin and Kaspersky Lab for supporting the initiative.



KASPERSKY Lab chooses Singapore for new central Asia Pacific office: Releases Spring Dragon research – China & North Korea seen as initiating active APTs

Kaspersky Lab aligned alongside the INTERPOL World Congress and Exhibition to formally open their new office in Singapore, now with 35 staff and as the central management office for the Asia Pacific, where they have 200 personnel operating across the region. CEO and Chairman, Eugene Kaspersky proudly declared Singapore as one of his favourite world cities and was also strongly encouraged and assisted by the Singaporean Economic Development Board (SEDB). “Singapore is a key regional city and one of the most developed cities in the world. The cybersecurity start-up sector is being assisted and we feel this will facilitate new vectors for industrial security, smart cities and the ‘cyberised’ Internet of Things.” Mr. Kaspersky said.

Mr. Teo Chin Hock, Deputy Chief Executive of the Cyber Security Agency of Singapore (CSA) also presented on the need for a resilient and trusted cybersecurity environment. Singapore has four pillars to their cyber security strategy, Mr. Hock said, “First is on strengthening critical infrastructure, the second is on mobilising business, third is to create a cyber security industry and fourth is to develop strong international partners, in an effort to make Singapore a smart and safe nation.”

As part of the efforts between the SEDB and Kaspersky Lab, a talent pipeline of skills development is being established with five Singaporeans sent to Kaspersky Lab’s head-office in Moscow for cybersecurity training and now two of these are working with the Singapore Cybersecurity Agency. Further collaboration is occurring between Singapore’s leading universities, including collaborating with National University of Singapore and Nanyang Technological University in the research areas of critical infrastructure protection.

Australian Delegation INTERPOL World Luncheon

Address by the Australian Ambassador for Cyber Affairs

Australian delegation to INTERPOL Global Innovation Complex

Palaeontology of Cyberattacks

Alongside INTERPOL World, Kaspersky Lab held a half day seminar series on the ‘Palaeontology of Cyber Attacks’, with some of the company’s leading researchers in the Asia Pacific region, presenting on cyber-attack methodology and attributions. Vitaly Kamluk, APAC Director of the Global Research & Analysis Team (GReAT) presented on how the Democratic People’s Republic of Korea (North Korea) is


CommunicAsia 2017

28th international communications and information technology exhibition & conference

A host of smart future technologies such as big data analytics, cloud, the Internet of Things (IoT), cyber-security, artificial intelligence (AI), robotics, virtual reality (VR) and next generation broadcasting technologies were the key highlights of the three exhibitions - CommunicAsia2017, EnterpriseIT2017 and BroadcastAsia2017 (23rd – 25th May) – that were held across two venues at the Marina Bay Sands and Suntec Singapore. With thirty-six International Group Pavilions – including Russia, China, Canada, USA, Korea and EU Business Avenues in South-East Asia - the event drew best-of-breed innovations from across the globe, hosting 1,800 exhibitors from 62 countries.

Left – Dr. Hamed Salim Al Rawahi, CEO, Telecommunications Regulatory Authority, Oman; Dr. Yaacob Ibrahim, Minister for Communications & Information, the Minister in charge of Muslim Affairs and the Minister in charge of Cyber Security; H.E. U Kyaw MYO, Deputy Minister for Ministry of Transportation and Communications, Myanmar; H.E. Mustappa Sirat, Minister, Ministry of Communications, Brunei Darussalam. Photo Credit: CommunicAsia 2017

In addition to a show-case of how businesses, governments, and consumers embrace digital transformation and leverage technology to create a landscape of global connectedness, Cyber Security was also a key platform feature. In his opening address, Dr Yaacob Ibrahim, Minister for Communications & Information, noted Singapore’s IMDA (Infocomm Media Development Authority) focus area of Cyber Security (the others are: Artificial Intelligence and Data Science, Immersive Media, IoT and Future Communications Infrastructure), and added: “I don’t think I need to belabour how important this is for your companies from operational, financial, reputational, intellectual property, and other angles. It is important as well for all of us here as individuals, and it is essential for our national security.”

For governments around the world, the threat of continuing (and evolving) cyber attacks is a grave concern. At the “Security of Things – Threat-proofing the Future” seminar track (curated and orchestrated by IEEE ComSoc), Mr. Ho Ka Wei, Director – National Cyber Threat Analysis Centre, Cyber Security Agency of Singapore – pointed out that the recent WannaCry attack, which disrupted government agencies and businesses in 150 countries across the globe and affected health facilities and hospitals, was a clear example of how malware attacks (in this case, ransomware) had evolved from an inconvenience to a public threat which could put lives at risk.

Closer to home, the recent unauthorized access gained by APT (Advanced Persistent Threat) actors to two Singapore universities (the National University of Singapore (NUS) and Nanyang Technological University (NTU)), according to the authorities to "maybe steal information related to Government or research", was the first sophisticated cyber attack on Singapore universities. It was targeted, carefully planned and "not the work of casual hackers", said authorities.



Mr. Ho Ka Wei, Director – National Cyber Threat Analysis Centre, Cyber Security Agency of Singapore, at the “Security of Things – Threat-proofing the Future” seminar track, speaking on “Singapore’s Cyber Threat Landscape”. Photo Credit: CommunicAsia 2017

"As we become more digitally connected, such threats will continue to increase in sophistication, and both public and private sector organisations are equally vulnerable," Dr Yaacob had said earlier last month, following the incident.

Over the years, the Singapore government had embarked on several initiatives to develop skills and awareness in this area. Recent examples include the Cybersecurity Associates and Technologists, or CSAT programme to train more cybersecurity professionals for the industry, and the “SMEs Go Digital” programme which will enable SMEs to receive specialist advice on the topic of CyberSecurity, amongst others.

A study conducted under one of the government’s programmes, for Singapore’s Cybersecurity defense project, by researchers at iTrust (a cybersecurity research center at the Singapore University of Technology and Design) was pointed out by Mr Junaid UR Rehnan, Security Advisor, HP Inc, in his keynote speech “Defending Your Weakest Link – Reinforcing Printer Security”. The research demonstrated how attackers using a drone with an attached mobile phone could intercept documents sent to a seemingly inaccessible Wi-Fi printer. Using a drone to transport a mobile phone with two apps – one that detects open Wi-Fi printers and the other to establish a rogue access point that mimics the printer and intercepts documents intended for the real device – the researchers showed how adversaries do not have to be close to a Wi-Fi device to steal data, if they could instead deploy their drones to be near the target.

This result exposed the myth of low risk of outside attack in a physically “inaccessible” environment and is especially critical to bear in mind for Singapore’s business district where high-rises dominate the skyline.

In fact, printer cyber vulnerabilities are not dissimilar to those of other “conventional” devices on the network – such as unsecured ports and network connections, compromised firmware and device settings. Simply put, printers are just another device on the network and cyber security guidelines for network devices and endpoints are applicable to printers as well.

Mr Junaid Rehnan pointed out specifically the principles published by the “US Department of Defence - NIST 800-53 – Multifunction device and network printers security technical implementation guide (STIG)” – such as to:

• Update the firmware
• Disable unneeded services, protocols and features
• Restrict access to the device based on IP address
• Allow setting and changing of the authentication information (passwords and community strings) for all management services
• Prevent unauthorized physical access to the hard drive using either a locking mechanism or other physical access control measure
• Implement authenticated access to management controls, allowing access to authorized administration based on privilege assignments
• Enable and configure audit logging

Whilst the increased number of attacks is a key national risk to overcome for Singapore, it is not a challenge that is unique to Singapore. The talk “The Contribution of the UNGGE to Global Cyber Security” provided an opportunity for attendees to hear about the Cyber Security policies of the United Nations Group of Government Experts (UNGGE) from His Excellency Mohamed Abulkheir, Ambassador, Egyptian Embassy of Singapore.

Since 1998 when the first resolution was drafted to initiate the discussion of Information Security with the United Nations, there have been Four Groups of Governmental Experts (UNGGEs) that have “examined the existing and potential threats from the cyber-sphere and possible cooperative measures to address them”.
From the First UNGGE where policy questions centred around coverage and scope of the discussions (such as if the “impact of developments in information and communications technologies (ICTs) on national security and military affairs” should be considered or if “transborder information content should be controlled as a matter of national security”), UNGGE had evolved to include dialogue “on norms”, “confidence building and risk reduction measures”, “capacity building”.

As Cyber attacks become increasingly transnational in nature, the UNGGE’s mandate has grown to address this challenge. For example, the scope of the current Group of 25 experts* includes “how international law applies to the use of information and communication technologies by States, as well as norms, rules and principles of responsible behavior of States, confidence-building measures and capacity-building.”

*Australia, Brazil, Botswana, Canada, China, Cuba, Egypt, Estonia, Finland, France, Germany, India, Indonesia, Japan, Kazakhstan, Kenya, Mexico, Netherlands, South Korea, Russia, Senegal, Serbia, Switzerland, United Kingdom, United States

The seminar ended on Day 3 with the “Security Governance Full Day Workshop”, which included the “Ethical Hacking” session by Dr Paul Haskell-Dowland (Associate Dean for Computing and Security, Edith-Cowan University). Based on a real-life example (non-public), he took participants through how a hacker may deface a website with a step-by-step demonstration: (1) Identification of vulnerable website (2) Exploitation of the vulnerabilities (3) Gaining remote access (4) Escalating privileges (5) Probing internal network.

As a penetration tester mimics the steps taken by a typical attacker to identify infrastructure weaknesses, these check points also form part of a standard vulnerability assessment exercise. Hence it is critical that the appropriate permissions have been sought and granted to perform a legitimate breach of the system. Specifically, Dr Haskell-Dowland highlighted these key considerations:

• A controlled evaluation of vulnerabilities – Compromised on your terms
• Rules of engagement – Permissions; Scope (in/out); When to stop; Privacy/ethics
• What do you want from the process? – Reporting

Mr. Peter Hannay (Lecturer of Edith-Cowan University), in his “Forensic Computing” session, pointed out that as “many forms of data exist only for a brief period or are prohibitively expensive to recover unless adequate preparation takes place”, “preparing for evidence is an important factor in the success of any forensic response”. This involved obtaining and analyzing digital data, investigating data from a hard disk or other storage media (including recovering data that was hidden or deleted), and telling a story (which formed evidence in civil, criminal or administrative cases).

As the nature of evidence had evolved over time, for example, from printed photos to digital photos, from handwritten notes to email, from money as a physical entity to being represented as a digital number, “organization assets must be considered as to their potential to produce, transit or contain potential evidence”. Whilst it is easy to immediately identify physical assets such as workstations or servers as having evidential potential, logical assets (cloud and virtual infrastructure) or transitive assets (network, telecommunications and transmission media) could also hold information or data critical for forensic response planning.

As with penetration testing, a Computer Forensics Analysis plan that proposes intentions (pertaining to an upcoming investigation) is important to allow parties involved to have a thorough understanding of the case and grant the necessary approvals for investigation. He concluded with “Cyber Security is there to SUPPORT the business needs of the organization. Cyber Forensics is there to SUPPORT the security of the organization”.

Indeed, as Cyber Security becomes an increasingly important consideration in the fast-paced evolution of hardware and software, robust procedures to respond to incidents that affect the confidentiality, integrity, and availability of these are essential. These include guidelines to tackle the technical challenges of digital evidence capture in order to prevent contamination or loss. Any investigation of and response to Cyber Attacks will necessarily involve the preservation and examination of electronic evidence; and therefore a digital evidence strategy must form an integral part of the Cyber Security framework.

Mr Junaid UR Rehnan, Security Advisor, HP Inc, speaking at Day 2 of “Security of Things” Opening Keynote “Defending Your Weakest Link – Reinforcing Printer Security”

His Excellency Mohamed Abulkheir, Ambassador, Egyptian Embassy of Singapore, at the “Security of Things” seminar track, speaking on “The Contribution of the UNGGE to Global Cyber Security” (United Nations Group of Government Experts). Photo Credit: CommunicAsia 2017

The “Security of Things” Seminar Track, co-sponsored by HP PC and Printer; Nomura research institute; Level 3 Communications. Photo Credit: CommunicAsia 2017

[Right] Dr Paul Haskell-Dowland, Associate Dean for Computing and Security, Edith-Cowan University, before his “Ethical Hacking” session on Day 3 Security Governance Full Day Workshop of the “Security of Things” track. Photo Credit: CommunicAsia 2017

Peter Hannay, Lecturer of Edith-Cowan University, presented on “Forensic Computing” on Day 3 - Security Governance Full Day Workshop of the Security of Things track.



Cyber Security Singapore

A cyber week in Singapore

By Jane Lo, Singapore Correspondent

The last week of March in Singapore’s Cyber conference and events calendar got underway with the Asia ICS Cyber Security Conference (27th-28th March, SunTec Convention Hall). Supported by the Cyber Security Agency of Singapore, it gathered the international community of experts in Industrial Control Systems (ICS) Cyber Security for 2 days of conferences, dialogues, exhibitions and social events to exchange leading ideas and thoughts on cyber security issues related to ICS and SCADA Systems.

This was followed by IoT Asia 2017 (29th – 30th March, Singapore Expo), which was officially opened by Dr Vivian Balakrishnan, Singapore’s Minister for Foreign Affairs and Minister-in-Charge of the country’s Smart Nation initiative, and welcomed thought leaders, industry experts, decision-makers, leading technology companies and small and medium enterprises (SMEs) from around the world over the two-day event.

The week concluded with the well-regarded BlackHat Asia 2017 (28th – 31st March, Marina Bay Sands Convention), which returned to Singapore for its fifth year. Security professionals and researchers in the industry gathered for a total of four days: two days of deeply technical hands-on Trainings, and two days of the latest research and vulnerability disclosures.

Beyond the presentations, panel discussions and exhibitions on the latest technologies, vulnerability research and risk assessment approaches, a theme that is clearly emerging and receiving much attention of policy makers and practitioners is the need to clarify our understanding of Cyber-Physical Security Risks in Industrial Control Systems and to strengthen defences against them.


A recent incident in the Industrial Control Systems (ICSs) was the Cyber-Physical attack on the Kiev’s power grid during a December weekend last year which cut off power in the residential areas for slightly more than one hour. This event fit a familiar pattern of some 6,500 cyber incidents in Ukraine that month. Early in December, the Ukrainian Ministry of Finance as well as the State Treasury and Pension Fund said their websites was temporarily downed by disruptive attacks. Transport and energy infrastructure, including railway and mining firms, were also targeted that same month. Though these news seized sensational headlines and became centerpieces in this era of cyber disruptions, they were thought to be driven either by destabilization motivations or intelligence gathering exercises, and had not resulted in maximum damage. Outage in the affected areas in Kiev lasted a little more than an hour. Nevertheless, the Kiev attack came a year immediately after the attack on Prykarpattya Oblenergo in Western Ukraine which left many without electricity for hours. The outage in Dec 2015 was the first cyber-physical attack since Stuxnet, a Microsoft Windows malware, degraded Iran’s uranium processing capability in 2010. According to Ukraine’s representative at a conference earlier this year, the investigations of the Kiev’s disruption revealed, for example, malicious software code which included modules to specifically harm equipment inside the electric grid. Mr Olekssi Tkachenko, Deputy Head of Analytical Division, Cyber Security Department, Security Service of Ukraine, pointed out at the Asia ICS Cyber Security conference, in his “Ukraine


Cyber Singapore Security

Experience” talk, that these are “disguised using special software (specialized shell-codes, RootKits, 0-day, vulnerabilities etc.), exploiting vulnerabilities that are unknown to general public and are not detected by antivirus software.” Intelligence Gathering and “Phising Investigators reported that the process to manipulate ICSs was very possibly facilitated with an initial-stage malware delivered through a technique known as “phishing”. The implanted malware obtained legitimate credentials to open back-doors. In this case, the credentials allowed the attackers remote-access via Virtual Private Network (VPN) to control the ICSs client software, and - with second-stage and additional malware – to eventually cause capacity damage to the ICSs. Phishing, is the extraction of critical information using deceptively crafted yet convincing messages. According to a Q2 2016 statistics from RSA FraudAction researchers, a new phishing attack is launched every 30 seconds. In that quarter alone, RSA identified more than 515,000 phishing attacks globally — a 115% rise over the previous quarter. This technique appears to be highly popular business model for malicious actors, costing global organizations $9.1 billion. Keith Turpin (CISO, Universal Weather and Aviation), at the BlackHat Asia 2017 conference, described phishing attacks to be “often highly targeted”. Significant reconnaissance (or information-gathering) using corporate websites, social media (Facebook, LinkedIN, Twitter) and public media is usually

conducted first to understand the organization structure, C-Suite executives, corporate logos, banners, headers. A friendly phone call to manipulate unsuspecting employees into divulging information is also not unusual. The next step in the attack cycle: the injection of the malware, is effectively executed using spoofed emails with Microsoft attachments (such as Excel, Word, Powerpoint). These are painstakingly constructed to be authenticlooking using available information gathered during the reconnaissance phase. Typically, the urgency for action and legitimacy of these deceptive requests derive from emails impersonating executives in key positions, prompting users to click on a malicious link or attachment. The community of internal and external users connected to the organization network are potential target “candidates” – from vendors of industrial equipment, integrators, support controllers, analysts, to executives. The Cyber-Physical attack This preparatory phase of implanting the first-stage malware, to obtain the necessary credentials to masquerade as legitimate users, was likely planned and conducted for several months to chart a plan of attack. With access to the targeted systems in the ICSs infrastructure gained, the actual attack on the physical plant was launched. According to the alert posted by U.S. Department of Homeland Security ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), “most breakers were tripped when remote human operators accessed the

Malaysia & Singapore Security Magazine | 21


Singapore

Opening Keynote speaker Halvar Flake at BlackHat Asia 2017 Photo Credit: BlackHat Asia 2017

Control Systems” at BlackHat Asia 2017, pointed out that this means reliably controlling the marginal attack parameter and capturing the process feedback throughout the attack, as the physical reactions propagate through the system. To mitigate against this, Ms Krotofil highlighted takeaways such as locking away configuration files, to prevent illegitimate manipulation (in addition to hardening the distributed control systems, /supervisory control and data access servers). Oleksii Tkachenko – Deputy Head of Analytical Division, Cyber Security Department, Security Service of Ukraine. “The Ukraine Experience Part 2”. Speaking at the Asia ICS Cyber Security Conference 2017. Photo Credit: Asia ICS Cyber Security Conference 2017

dispatcher workstations and remotely took control of the terminals using legitimately installed remote access tools” and additional malware “erased selected files on target systems and corrupted the master boot record, rendering systems” to delay restoration efforts. Additionally, the manipulation of the industrial process to schedule unauthorized outages was carefully synchronized and coordinated with attacks on internal telephone networks, cutting off internal communications to prevent detection and early warnings. The prevention of early alarm triggers and timely response is crucial in a “successful” Cyber-Physical attack. Marina Krotofil (Lead Cyber Security Researcher, Honeywell Industrial Cyber Security Lab), in her talk “Man-in-theSCADA: Anatomy of Data Integrity Attacks in Industrial

22 | Malaysia & Singapore Security Magazine

Interconnection between the “Cyber” and “Physical” worlds ICS are found in critical infrastructure sectors such as electric, water, oil and gas, manufacturing, food and beverage, and other industrial processes such as a chemical plant. Its evolution from physically secured isolated systems running proprietary control protocols, to resembling “traditional” information technology systems - with Internet protocol IP devices replacing these older generation proprietary devices, and running on standard operating systems and network protocols – had opened up whole new surfaces vulnerable to attacks. ICS components (e.g. mechanical, hydraulic) are highly interconnected and mutually dependent, acting together to achieve an industrial objective (e.g. manufacturing, energy), through a “process” that produces the industrial output controlled by the “controller” to ensure conformance with pre-configured specifications. This tight interconnection and dependency means that the digital logic executing in the ICS has a direct effect on the performance and reliability in the physical world, with implications for health and safety. Cyber Security hence is essential to the safe and reliable


Singapore

Singapore has launched the Singapore’s Cyber Security Strategy, in which “Building a Resilient Infrastructure in Singapore” forms a key pillar. As an international financial, shipping and aviation hub, Singapore also houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. operation of these industrial processes. For example, the “controller” is operated via a HumanMachine Interface (HMI) and Remote Diagnostic and Maintenance tools built using myriad of network protocols on layered information system architectures. These are multivendor, non-homogenous and like any corporate network, legacy equipment adds to the complexities of integration. Inherent shortcomings that are forgotten, unnoticed or simply disregarded become back-doors for malicious actors to gain unauthorized access, become real vulnerabilities in these architecture perimeters. Industry good practices of Cyber Security are well documented - including standards such as procurement of

trusted systems; knowing who and what is on your network and contingency plans for safe operation or shutdown in an event of a breach. And basic implementation measures such as locking down unused ports and turning off unused services, isolating ICS networks from untrusted networks, hardening Remote Access functionality. At the same time, the tight interconnection and dependency between the Cyber and Physical worlds also requires assessing functional safety to consider the full product lifecycle in an industrial process. Standards are now starting to emerge and develop that offer a structured approach to functional safety and cyber security. Mr Heinz Gall, TÜV Rheinland, speaking at the Asia ICS Cyber Security Conference, elaborated on the IEC61508 Functional Safety and IEC62443 Cyber Security standards: ”If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, a security threats analysis should be carried out. Should security threat surface, a vulnerability analysis should be undertaken in order to specify security requirements.” Consider a power system composed of power plants, power transmission, transformer line, power supply and distribution plants. In the lifecycle of installation – validation – operation - maintenance, cyber security is the defense against malicious actions to protect devices and facilities. Complementing this, is functional security, which “is the defense against random and systematic technical failure to protect the application,” said Mr Heinz Gall. Each of these “requires risk and threat analysis, need to specify safety and security levels, requires organizational and technical measures, and need to consider fault avoidance and fault control”. He further stressed that Cyber Security and Functional Safety assessments need to be taken proactively in the configuration of ICSs. Regulations typically lag the pace

Manuel Diez, TÜV Rheinland, “Always Be Safe”, speaking at the Asia ICS Cyber Security Conference 2017. Photo Credit: Asia ICS Cyber Security Conference 2017


Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, speaking at KeyNote at IoT Asia 2017. Photo Credit: IoT Asia 2017

of innovation, competitive pressures and technological complexities, and require lengthy consultation before they are passed. Managing to the timeline of regulations or legislation may not adequately prepare an organization to prevent major industrial incidents.

People, Policy, Technology – Weakest Link?

While a single point of compromise in the network may open up extended access due to legacy access controls linking the interconnected assets, it is also important to consider the “People” aspect. This was among the points brought up by Mr Manuel Diez, TÜV Rheinland, speaking at the Asia ICS Cyber Security Conference. Clear roles and responsibilities (“who is doing what”) and training on “what not to do” are critical governance elements in a robust cyber security framework, said Mr Manuel Diez.

Whilst technology and policies can be tirelessly reviewed, assessed and updated, the human factor remains the weakest link. Establishing a mutual understanding between the “IT” and “OT” teams (information technology and operational technology) is critical to combining Cyber Security and Functional Security in the long run. For effective collaboration to take place between the two, a shared ideology in security, anchored by a strong culture of communication, will be necessary.

Reconnaissance campaigns are getting more sophisticated and well-organised, and malware is growing more complex, with obfuscation and anti-spam detection techniques such as embedding code in legitimate-looking displays, other code or even music lyrics. Once these are embedded in the organization, it is often too late to eradicate them. The first line of defense, therefore, is preventing the malware from penetrating and blending into the organization’s assets.

Training on social engineering tactics and phishing attack scenarios – such as not enabling macros in documents or opening attachments from unverified sources, and checking the addresses when replying to emails – should form part of the formal Cyber awareness policies.

These lessons are equally relevant to the operational technology teams who use tools which are highly susceptible to phishing attacks – such as the HMIs or other diagnostic tools to control the industrial processes. Without training on specific ICS threats and cyber security standards, they cannot be expected to maintain a secure ICS environment.

Building a Resilient Infrastructure in Singapore

The Ukraine incident highlights the need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures to reduce the risks of Cyber-Physical attacks.

Singapore has launched Singapore’s Cyber Security Strategy, in which “Building a Resilient Infrastructure in Singapore” forms a key pillar. As an international financial, shipping and aviation hub, Singapore also houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national


CIIs can have disproportionate effects on the trade and banking systems beyond Singapore’s shores.

Mr Lim Thian Chin, Head of Critical Information Infrastructure (CII) Protection at the Cyber Security Agency of Singapore (CSA), referred to the Cybersecurity Act within Singapore’s Cyber Security Strategy, to be introduced later this year, which will:

• Require CII owners and operators to take responsibility for securing their systems and networks. This includes complying with policies and standards, conducting audits and risk assessments, and reporting cybersecurity incidents. CII owners and operators will also be required to participate in cybersecurity exercises to ensure their readiness in managing cyber incidents; and
• Facilitate the sharing of cybersecurity information with and by CSA. Recognising that cybersecurity breaches will happen despite our best efforts, the Act will empower CSA and sector regulators to work closely with affected parties to expeditiously resolve cybersecurity incidents and recover from disruptions.

CSA has been working, and will continue to work, closely with sector regulators, CII stakeholders and industry players in formulating detailed proposals for the new Act. A key principle is to adopt a risk-based approach to cybersecurity, and to build in sufficient flexibility to take into account the unique circumstances and regulations in each sector.

In his concluding remarks at IoT Asia 2017 at the Singapore Expo, Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, noted that, while the nation is embarking on a digital revolution, “we need to be mindful that cybersecurity is still the biggest elephant in the room. We have all heard of the cyber-attack on Dyn last year which brought down Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and many other popular sites and services. In Singapore, StarHub told us that their subscribers experienced a similar attack. Internet-connected devices of StarHub customers, such as video cameras, routers and DVR players, were taken over by hackers and used for an attack on the domain name system. So critical control systems need to be protected even as we make them smarter. We need to ensure that our digital identity framework, our e-transaction platforms are secure and robust.”



Cyber resilience for tomorrow

By Jane Lo, Singapore Correspondent

Two conferences during April in Singapore provided invaluable insights into the responses across three sectors to rising Cyber Risks in the digital economy.

GTACS (Governance, Technology Audit, Control, Security), the annual conference organized by ISACA Singapore Chapter, 24th–25th April 2017, Marina Bay Sands Convention Hall, Singapore.

SEA Asia 2017, driven by the Maritime and Port Authority of Singapore, 25th – 27th April 2017, Marina Bay Sands Convention Hall, Singapore.

Business Continuity Planning, Sharing Threat Intelligence, and Raising Cyber Security Awareness – these are the Cyber risk management perspectives voiced by practitioners within the Financial Services, Health Care, and Maritime Industries respectively.

The theme for GTACS 2017 is “Cyber Resilience for Tomorrow”, which emphasizes the need to go beyond defense to develop capabilities to respond and recover rapidly. Opening the conference, Dr Janil Puthucheary, Minister of State, pointed out that the pace of innovation and the digitalization of the economy are trends that require resilient Cyber Security to respond to increased threats.

Through presentations and panel discussions, the Health Services Sector and the Financial Services Sector gave two interesting perspectives on “resiliency” to cyber attacks.

Mr Muthukrishnan Ramaswami, President of the Singapore Exchange, in his Welcome Address, highlighted the need to conduct a periodic Maturity Review of the Information Security Program that “benchmarks capabilities against Regulatory and global standards and identifies areas for improvement”, and additionally, to establish an “Information Security Key Operation Metric - a monthly dash board of both the External and Internal environments and facilitates an agile response where required”.

Agility is certainly an important characteristic of a rapid and effective response and recovery. However, how does an organization gain a full understanding to ensure the adequacy of its resiliency program? This question was addressed in the discussion panel “Business Continuity management – Have we done enough?”. Representing the Singapore Exchange, Mr Stephen Lee, Head of Business Continuity Management, challenged us to ask ourselves first: “when preparing for, or when managing a disruption, do you consider the many components that are interlinked” – such as “Information Security, Crisis Management, IT Disaster Recovery”, “Incident Management”?

He provided 3 specific guiding questions and widely accepted responses, and highlighted important considerations that may not have been obvious:

“1. How do you define the role of information Security? Information security goals in an organization centre around Confidentiality, Integrity and Availability. A heavy emphasis is placed on prevention e.g. prevention of unauthorized modifications, users, access, etc. But - Prevention is very important, but planning must assume that defenses have been breached, accompanied with appropriate responses.

2. How do you define the role of incident management? Responses to an unplanned interruption to an IT Service or reduction in the quality of an IT service. But - Failure of a configuration item that has not yet affected service is also an incident.

3. How do you define the role of business continuity management? A major component includes testing and validation. Focus on continuity of critical operations. But - Tests must include looking for “weak links” and “vulnerabilities” before they break, not just when something breaks.”

Within the Health Care Sector, information sharing or threat intelligence sharing is critical to adopting a resilient cyber posture. Denise Anderson, President, National Health Information Sharing and Analysis Center (NH-ISAC), highlighted the use of STIX/TAXII (Structured Threat Information eXpression / Trusted Automated eXchange of Indicator Information) in Threat Intelligence sharing in the sector. FS-ISAC (Financial Services – Information Sharing and Analysis Centre), NH-ISAC (National Health – Information Sharing and Analysis Centre), and the multi-state ISAC are currently sharing operational data using STIX/TAXII; the DHS National Cybersecurity and Communications Integration Centre (NCCIC) and US-CERT are currently publishing reports in STIX/TAXII; and DHS’s free Automated Indicator Sharing (AIS) capability uses STIX/TAXII to enable machine-to-machine communication.


She also pointed to other areas of knowledge exchange such as Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™), where information on the tactics, techniques and procedures (TTPs) of adversaries, post-compromise, is gathered through MITRE research, penetration testing and red teaming.

However, having threat knowledge and information doesn’t mean the organization has a threat intelligence program. That was a message of the panel discussion in the Health Care Cyber Security Break Out Session, “Building A Threat Intelligence Program” (moderated by: Chris Tan, IT Risk Management & Security Associate Director, Merck & Co; panelists: Gregory Barnes, Global CISO, Amgen; Nambiar Jayapalan, Senior Manager, Information Security and Risk Management, Johnson & Johnson; Saverio Ortizzo, IT Risk Management & Security Director, Merck & Co). While introducing data into the industry ecosystem can help reduce breaches elsewhere, it is important to have a robust response plan with actionable items that adds value to the business, and where the organization is “not following the malware of the day”.

Panel Discussion: Business Continuity Management - Have We Done Enough? Moderator: Mr Victor Tay, Chief Development Officer, NTU. Panelists: Dr Goh Moh Heng, President, BCM Institute; Stephen Lee, Head of Business Continuity Management, SGX; Kevin Kwok, Head of Risk, City Development Limited.

Denise Anderson, President, National Health Information Sharing and Analysis Center (NH-ISAC), speaking at GTACS 2017.

Coincidentally, the GTACS conference was held during the Singapore Maritime Week 2017 (SMW), which saw visitors from over 80 countries. Driven by the Maritime and Port Authority of Singapore, Sea Asia, 25-27th April 2017, presented a golden opportunity to hear the innovation challenges and corresponding Cyber Security concerns facing a different industry - the Maritime industry.

Singapore’s port and maritime industries need to gear up to deal with digitalization and disruption of global transport supply chains – that was the message of Mr Khaw Boon Wan, Coordinating Minister for Infrastructure and Minister of Transport, at the official opening of Sea Asia 2017. The role of hub ports such as Singapore, the world’s largest container transshipment hub, is set to change as digitalization takes hold. “The landscape is changing rapidly, digitalization is disrupting and transforming the global transport supply chains,” Mr Khaw said.

Painting a picture of the new landscape, Mr Khaw said: “Nearer to home we are seeing the rise of multi-modal logistics infrastructure, and the growth of other hubs in Asia fueled by e-commerce. These trends have also sparked talk about the emergence of new trade routes and even multi-hub network in the longer term where no single hub will enjoy superior connectivity.”

The panel discussion “The Fourth Industrial Revolution: Threat or Opportunity? The implications of Smart shipping and other new technologies for the future of shipping”, moderated by the well-known BBC correspondent Nik Gowing, discussed the implications for the industry as it undergoes disruption to become more efficient, and the implications thereof, such as increased Cyber Risks.

Mr Peter Broadhurst, Senior Vice President, Safety & Security, Inmarsat, asked the question “Embracing a new world of smarter connected shipping at what cost?”, and presented some startling statistics: “43% crew sailed on a vessel that has been compromised by a cyber incident; 90% crew had never received any cyber security training or guidelines, 95% breaches are caused by human errors”.

Mr Michael Montoya, Chief Cybersecurity Advisor, Asia Microsoft Enterprise & Partner Group, elaborated that crews’ daily activities onboard, such as checking emails, BYOD and plug-and-play electronic devices, are as vulnerable to cyber attacks as they are onshore, and they need help with raising their cyber safety awareness. “Companies must embrace technology… but as you expand your digital footprint, you do open yourself to risks in the form of cybersecurity. However, there are ways to protect yourself from that risk, and there are smart ways that you can implement that will allow you to continue on that maturity journey to put much better services and systems in place,” he said.

The Minister of Transport concluded that no one knows how technological developments will pan out. But “superior connectivity will be measured in multi-modal terms and maybe as much digital as physical,” he stated.

As interconnectivity increases, so will the Cyber and Physical worlds. Where digitalization is an important driver of a viable commercial strategy, we will certainly be hearing more from the Maritime industry leaders who are approaching these technology developments from an innovation as well as a risk management perspective.


SINGAPORE CYBER UPDATES

Highlights from the Singapore International Cyber Week 2016 (10th Oct 2016 – 12th Oct 2016, SunTec Singapore International Convention & Exhibition Centre), and the Cloud Expo Security 2016 (12th Oct – 13th Oct 2016, Marina Bay Sands Expo and Convention Centre).

When hackers broke into the computers of Bangladesh’s Central Bank in February of this year and committed one of the largest cyber heists ever, in which $951 million in fake payments were ordered, $81 million had already been cleared and processed by the time the fraud was discovered.

Details of the techniques and methods believed to be linked to the heist, revealed by government and private investigation teams, raised widespread concerns that the tools and techniques used may allow the same, if not other, sophisticated international criminal syndicates to strike again.

One consolation is that the losses could have been 10 times worse, with the attackers making off with nearly $1 billion had all the fraudulent transactions been cleared.

Cyber attacks such as the Bangladesh heist and the Carbanak attacks, which targeted ATMs and transaction systems, take advantage of vulnerabilities of the global financial processing networks to successfully steal and move millions of dollars across borders.


The significance of these attacks lies in their large-scale haul and sophisticated coordination: the adoption of techniques which targeted different systems, processes, departments and countries, and the significant planning involved in deleting evidence of their activities and covering cyber tracks to remain undetected.

Besides banks, transportation networks, hospitals and other essential services have also been subject to wide-ranging cyber infiltrations, where the attackers seek to extract data and monetize the stolen data, compromise critical infrastructure, and manipulate and influence public opinion.

Cyber attacks are growing more sophisticated, frequent and impactful. According to the 2016 Cyberthreat Defense Report, 76 percent of responding organizations were affected by a successful cyberattack in 2015 – up from 70 percent in 2014 and 62 percent in 2013. Left unchecked, these attacks can create a hostile cyberspace, making it difficult to trust and perform basic online transactions and interactions.

For Singapore, setting out a Smart Nation vision – which centers on harnessing the power of technology – will make the nation more productive, but also at the same time pose significant challenges, as the increasing connectedness means a corresponding elevation of potential cybersecurity threats. The good news is that the Singapore Government has consistently taken cyberthreats seriously.



Singapore International Cyber Week 2016 (SICW)

Singapore’s cybersecurity journey started a decade ago with the first Infocomm Security Masterplan. Just a year and a half ago, the Cyber Security Agency (CSA) was formed to specifically address cybersecurity threats, and to coordinate efforts across government and among the various other stakeholders.

In the latest cybersecurity push, CSA held the inaugural Singapore International Cyber Week 2016 (SICW) to connect over 3,000 policy makers, industry players and innovators. The theme “Building a secure and resilient digital future through partnership” reflects Singapore’s desire to strengthen the nation’s digital future through building robust local and international partnerships.

Opening the SICW, Singapore Prime Minister Mr Lee Hsien Loong launched “Singapore’s National CyberSecurity Strategy”. “Our government networks are regularly probed and attacked. We have experienced phishing attacks, intrusions, malware. From time to time, Government systems have been compromised, websites have been defaced and also suffered concerted DDOS attacks that sought to bring our systems down. Our financial sector has suffered DDOS attacks, and leaks of data”, he said. “Individuals too have been targeted. Fake websites masquerading as SPF, MOM, ICA, CPF pages, hosted in other countries, phish for personal information or scam people into sending money.” (SPF: Singapore Police Force; MOM: Ministry of Manpower; ICA: Immigration & Checkpoints Authority; CPF: Central Provident Fund)

To coordinate efforts in cybersecurity, the National CyberSecurity Strategy will have four components:

1. Build a Resilient Infrastructure
2. Create a Safer Cyberspace
3. Develop a Vibrant Ecosystem
4. Strengthen International Partnerships

Singapore Prime Minister Mr Lee Hsien Loong

Increasing inter-government collaboration and partnerships

There are tangible examples of efforts to “Strengthen International Partnerships”, a key focus of the Cybersecurity Strategy. Opening ceremony keynote speaker Mr Christopher Painter, Coordinator for Cyber Issues, US Department of State, cited the Memorandum of Understanding signed between the United States and Singapore in August this year, which covered cooperation in areas such as regular CERT-CERT information exchanges and sharing of best practices, coordination in cyber-incident response and sharing of best practices on critical information infrastructure protection.

Mr Conrad Prince, UK CyberSecurity Ambassador, Defense and Security Organization, Department of International Trade, referred to the CREST Singapore Chapter - the first CREST Chapter in Asia, established in partnership with the Cyber Security Agency of Singapore (CSA) and the Association of Information Security Professionals (AISP) - to introduce its penetration testing certifications and accreditations to Singapore.

ASEAN Discussions and Dialogues

To strengthen partnership within ASEAN (Association of South-East Asian Nations), an ASEAN Ministerial Conference on Cybersecurity at Shangri-La Hotel was convened as part of the SICW, bringing together the ASEAN Member States to facilitate discussion and share knowledge on cybersecurity issues and fighting cybercrime.

Dr Yaacob Ibrahim, Minister for Communications and Information, Minister-In-Charge of Cybersecurity, said “Countries today face a full spectrum of cyber threats - cybercrime, attacks, espionage and other malicious activities. We in ASEAN have not been immune to this”.

According to the Singtel FireEye Southeast Asia Cyber Threat Report, new findings have identified Southeast Asia as a region that is increasingly under cyber-attack. The joint Singtel-FireEye report, “Southeast Asia: An Evolving Cyber Threat Landscape”, details how Advanced Persistent Threat (APT) actors and other cyberattack groups are among those keenly interested in targets located in Singapore, Philippines, Malaysia, Thailand, Vietnam, Indonesia and Brunei.

Dr Yaacob Ibrahim proposed 3 areas that ASEAN could work on to further efforts against the threat: Fostering ASEAN Cyber Capacity Building; Securing a Safer Common Cyberspace; Facilitating exchanges on Cyber Norms. “While staying plugged into the global conversations, we should also make sure that norms and behaviors are kept relevant and applicable to our unique ASEAN context and cultures”.

He also announced the launch of a S$10 million ASEAN Cyber Capacity Program (ACCP) to build cyber capacity in ASEAN Member States. Focus areas under the program include cyber policy, legislation, strategy development as well as incident response; and Singapore’s sponsorship of the global initiative called Cyber Green (which aggregates global open source


Cyber security in a smart nation

Name | Position | Country
YM Dato Paduka Awang Haji Hamdan bin Haji Abu Bakar | Deputy Minister at the Prime Minister’s Office and Director of the Internal Security Department | Brunei
H.E. KAN Channmeta | Secretary of State, Ministry of Post and Telecommunications | Cambodia
Dr. Basuki Yusuf Iskandar | Head of ICT Research and Human Resource Development Agency, Ministry of ICT of Indonesia | Indonesia
Air Rear Marshall Warsono | Deputy Coordinating Minister for Political, Legal and Security Affairs | Indonesia
H.E Dr. Thansamay Kommasith | Minister of Post and Telecommunications | Lao PDR
YB Datuk Seri Panglima Madius Tangau | Minister for Science, Technology and Innovation (MOSTI) | Malaysia
Dr Yaacob Ibrahim | Minister for Communications and Information and Minister-in-charge of Cybersecurity | Singapore
H.E. Le Luong Minh | ASEAN Secretary General |
H.E. Lt-Gen Kyaw Swe | Union Minister for Home Affairs | Republic of the Union of Myanmar
H.E. U Kyaw Myo | Deputy Minister of the Ministry of Transportation and Communications | Myanmar
RAdm Rufino S Lopez Jr (Ret) | Deputy Director General, National Security Council | Philippines
H.E. Prajin Juntong | Deputy Prime Minister and Minister for Digital Economy and Society | Thailand
Mr. Nguyen Thanh Hai | Director General of Security Information Department, Ministry of Information and Communications | Vietnam
Senior Colonel Nguyen Van Thinh | Deputy Director-General of the Department of Cybersecurity | Vietnam

information in an index for cyber health) which will allow ASEAN member states access to the data through Singapore.

Industry Partnerships

To make Singapore’s cyberspace safe for businesses, individuals and society at large, strong partnerships with multiple stakeholders across the cybersecurity ecosystem are needed. During the SICW, CSA announced new agreements with top industry players – BAE Systems, (ISC)², Microsoft and Palo Alto Networks – to boost training in cybersecurity and raise cybersecurity capabilities.

Mr David Koh, Chief Executive of CSA, said “Cybersecurity is a multidisciplinary issue and it is necessary to have all hands on deck to grow the capabilities for the sector.”

These partnerships will see the industry players engaging with local cybersecurity startups for research and development of cyber technologies, encouraging professionals to deepen their skills and enhancing security awareness, sharing cyber threat analysis, and developing educational platforms for cybersecurity outreach. Developing skill sets and supporting startups are also keys to “Develop a Vibrant Ecosystem”, one of the pillars underpinning the CyberSecurity Strategy.

“Singapore aspires to be a Smart Nation. But to be one, we must also be a safe nation”, said Prime Minister Mr Lee Hsien Loong in his closing remarks. “Creating a Safer CyberSpace” is another key focus of the CyberSecurity Strategy.

As Singapore transforms to become a Smart Nation and adopts Internet of Things (IoT) technology - digital healthcare, smart watches, internet-enabled appliances, smart manufacturing and connecting devices, vehicles, buildings – a significant volume of data will be generated, collected, stored and shared via the cloud. According to Gartner, it is forecast that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 11.4 billion by 2018.

The volume of data will continue to grow as we get more digitally connected. Securing the data and ensuring its confidentiality, integrity and authenticity are critical to preventing and mitigating risks and minimizing the financial, social, reputational and economic impacts of an attack.

Weakest link

Cyber attacks often arise from an exploitation of the weakest link in the IoT security chain. From a well-meaning employee sending work documents home to unpatched systems running home heating-cooling systems, physical vulnerabilities and human behaviors provide new attack vectors for cyber criminals.

These challenges were addressed across various themes such as governance, threat landscape, detection and defense approaches at the 25th edition of GovWare (the region’s conference and exhibition on cybersecurity for cyber thought leaders, industry players and academia), and the Smart Nation IoT Security Conference, held in conjunction with the SICW.

Speaking at GovWare, Professor Isaac Ben-Israel, Chairman, Israel Space Agency & Chairman, Israel National Council for R&D, Director ICRC, Tel Aviv University, said “Smart City” or “IoT” – smartness that comes from computer chips to make our lives faster, easier – is the trend at present and “is not imagination” or “Science Fiction”, and we have “created dependency on these chips”. Cyber criminals will use “weak points” in this dependency to do damage.

Attacks and preventive measures

The declining costs of IoT technology make it attractive for us to adopt, but Professor Yu Chien Siang, founder of GovWare, noted: “embedded devices are often low-cost, low power, restricted in both memory and computing power, and could be easily accessible by the adversaries. As such, many physical attacks are possible including side-channel attacks (SCAs), which can be used to extract the secret key from electronic devices using power, electromagnetic (EM) emanations, timing analysis or acoustics. Such attacks have been shown against transit cards, car immobilizers, and Field Programmable Gate Array (FPGA) devices.”

He also pointed out that the biggest threat may not necessarily be the deletion or the removal of data, but the modification of it, an example being the change of a patient’s records such as blood type. He termed this “Computer Torture”.

Poor and diverse designs are other key challenges in IoT security, highlighted by Dr Steven Wong, Associate Professor & Program Director, Singapore Institute of Technology, President of the Association of Information Security Professionals and Co-chair of the CREST Singapore Working Committee. “Many IoT systems are poorly designed and implemented, using diverse protocols and technologies that create complex configurations” he explained. There is also a “lack of mature IoT technologies and business processes”, and “limited guidance for lifecycle maintenance and management of IoT devices”. IoT privacy concerns are complex and not always readily evident, he added.

To address these challenges, he suggested developing “a common set of standards and guidelines for IoT when there are so many parties and technologies involved”. But he also cautioned that “even with IoT standards and guidelines, who will really follow them?” One way is to strategically target critical areas/groups to drive adoption. He also suggested the possibility of “Singapore’s smart nation as an international test-bed for standards and guidelines”.

Be Prepared

Risks will increase when we go IoT because of interconnectivity, as pointed out by John Lee, ISACA Singapore Chapter President, speaking at the Cloud Security Expo Asia 2016. And often, the cyber attack is not a matter of if, but when.

He urged the need to “Prepare for Black Swan”. Financial services practitioners and observers would agree that banks have a history of dealing with unexpected financial market events that are difficult to predict, and which have widespread ramifications and contagion effects, termed the “Black Swan”. One clear example is the Great Financial Crisis that occurred during 2007-2008.

The potential for a Black Swan event in the digital world has yet to receive similar levels of attention, and failure to accept cyber risk as a core risk may prevent governments, businesses and individuals from developing fallback and containment plans to mitigate unexpected cyber attacks.

A resilient and trusted cyber environment

With a reputation as a "no-nonsense" and "business-friendly" financial center, Singapore is known as a trusted, sound and stable location to do business in. Recent examples included the Monetary Authority of Singapore (MAS) stripping Falcon Private Bank of its license for "serious failures in anti-money laundering (AML) controls", a development that followed the shuttering of the Singapore branch of Swiss bank BSI in May for "serious breaches of anti-money laundering requirements, poor management oversight of the bank’s operations, and gross misconduct by some of the bank’s staff".

The Bangladesh heist is a clear example where a cyber attack was launched to facilitate a financial criminal activity that spanned several countries. Cyber criminals operating from one country and attacking inter-bank payment systems can cause damage ranging from minor inconveniences to significant disruptions globally. Being connected to the global network of financial flows and playing host to hundreds of foreign financial institutions means that Singapore is not immune to this.

Not only banking, but essential services such as energy, healthcare and transport are powered by infocomm technology. As an international financial, shipping and aviation hub, Singapore houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national Critical Information Infrastructures (CIIs) can have disproportionate effects on the trade and banking systems beyond Singapore’s shores.

“Building a Resilient Infrastructure” is a key focus of the CyberSecurity Strategy, to ensure that Singapore’s essential services are protected. A new Cybersecurity Act will also be introduced in 2017, to provide a comprehensive legal framework for national cybersecurity.

Cybersecurity, beyond being a necessity to defend and protect, is also an enabler for the economy and society. Singapore's CyberSecurity Strategy sets out the vision, goals and priorities and outlines the country’s commitment to build a resilient and trusted cyber environment. It aims to catalyze participation by all stakeholders – government agencies, the cyber industry, professionals and students, academia and researchers, and providers of essential services. It also signals Singapore’s willingness to forge strong partnerships with the international community to combat the transnational nature of cyber threats.

Jane Lo has more than 15 years of experience in enterprise-wide risk management and writes on risk themes relevant in the financial services sector. She started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.



India

Tackling the turmoil within

By Sarosh Bana, APSM Correspondent, Mumbai

For a 3.29 million sq km sub-continental nation densely populated with 1.28 billion people of all faiths and creeds, and confronted by two hawkish adversaries on its frontiers, India has held itself together remarkably well. Since gaining independence from the British in 1947, the country has broken out of its mould to become the fastest growing major economy today, overtaking its former coloniser last year to become the world’s sixth largest economy, with a GDP of $2.30 trillion.

The retreating British, however, left behind a bitter legacy as the Hindu-majority India and Muslim-dominated Pakistan that they cleaved their colony into have since gone to war four times, at the time of Partition in 1947, and in 1965, 1971 and 1999. Three of these wars were waged over the border state of Jammu and Kashmir (J&K), while that of 1971 engendered Bangladesh from the fall of East Pakistan. Their sustained enmity has strained both sides, diverting vital funding to their military at the cost of their impoverished millions.

With powerful China siding with trigger-happy Pakistan in this fray, India has had to batten down its hatches. Its Budget for 2017-18 has lavished $42 billion on defence, while granting a mere sixth of this allocation, $7.5 billion, to public health, alongside $12 billion to education, $28 billion to women and children, and $29 billion to agriculture. The Ministry of Home Affairs (MHA) secured $12.8 billion to oversee internal security.

Indian and Pakistani soldiers square off perpetually at the Siachen glacier, at 5,400 metres “the world’s highest – and toughest - battlefield” where more of them perish not from bullets but from the hostility of the rugged frozen terrain, where temperatures can plunge to -45° Celsius. While the Pakistani side of Siachen is accessible by roads, constructed with Chinese assistance, the Indian side can be served only by helicopter, necessitating even artillery and daily provisions to be airlifted and radars and Unmanned Aerial Vehicles to be used for surveillance. Chinese troops also intrude at will from across the Himalayas to set up pickets and threaten Indian soldiers and villagers, and at times even build helipads and communications outposts, while terrorists trained in Pakistan infiltrate the beauteous mountainous state of J&K.

India’s heterogeneity is unparalleled and makes for an amazingly diversified society that lends itself to the richness of its culture and its heritage. But it is also disparate, and this diversity and disparity at times have inflamed strife and discord. Though rare and largely localised, communal violence flared from the razing of the 16th century Babri mosque by Hindu religionists in December 1992 that led to a militant Hindu revivalism as also to the reprisal serial bombings in Mumbai by radical Islamists just three months later. The burning alive of Hindu pilgrims in a train in Gujarat in 2002 also resulted in a retaliatory onslaught against Muslims in that state.

It is civilians more than extremists or security forces who suffer the most in these conflicts. The South Asia Terrorism Portal (SATP), run by the New Delhi-based Institute for Conflict Management, estimates that of the 44,197 who have perished in J&K in the separatist violence since 1988, 14,748 have been civilians, alongside 6,284 security personnel and 23,165 terrorists. Left wing extremism in the country, in turn, has killed an estimated 13,312 since 1999, of whom 7,640 have been civilians, 2,612 security personnel and 3,060 terrorists. This brutal agenda has for long been pursued across several states by the underground Naxalite movement that has been guided by an anarchic Maoist ideology.

Insurgency has also blighted several of the eight exceptionally scenic north-eastern states that are linked to the rest of the country via an umbilical neck of land hemmed in by Nepal, Bhutan and Bangladesh. Tibet and China lie to their north and Myanmar to their east. There are reportedly 94 active terrorist and insurgent groups operating in the region, mostly seeking to secede from secular India along the territories of the ethnic groups they represent. SATP estimates this north-eastern insurgency to have taken a toll of 21,472 lives since 1992, 10,262 of them civilians, 2,737 security personnel, and 8,473 terrorists.

As Law and Order is a State, not a Federal, subject under the Indian Constitution, the State governments are responsible for providing security on the basis of threat assessments by security agencies. The MHA also sensitises and passes on intelligence and threat inputs to the State governments when necessary. Policing to ensure citizens a safe and secure environment is a formidable task. More so, when the lawmakers are at times lawbreakers.
The Association for Democratic Reforms reports that a third of the MPs in the 543-member Lower House of Parliament have criminal records, with 112 of them facing serious charges like murder and attempt to murder, kidnapping, land-grabbing, causing communal discord, and even leading criminal gangs. The Election Commission is alarmed by the criminalisation of politics as those convicted by courts are contesting elections. This situation emboldens crime syndicates, compromises law enforcement and breeds insecurity. India’s internal security problems hence cannot be treated as merely of law and order. They have to be dealt with comprehensively in all their dimensions and at all levels — political, economic and social.

As India’s borders are not fully secured, intrusions occur into frontier states like J&K, Punjab, Rajasthan and Gujarat from Pakistan, into Uttar Pradesh and Bihar from Nepal, into J&K, Uttarakhand and Arunachal Pradesh from China, into Bihar and West Bengal from Bangladesh and into Nagaland, Manipur and Mizoram from Myanmar. Apart from a coastline of 7,517 km, including island territories, India has 15,107 km of land borders, with 4,097 km of it along Bangladesh, 3,488 km along China, 3,323 km along Pakistan, 1,751 km along Nepal, 1,643 km along Myanmar, 699 km along Bhutan and 106 km along Afghanistan. Using stealth, and bearing firearms of various calibre, and at times grenades and improvised explosive devices (IEDs), indoctrinated and motivated terrorists are causing havoc where they strike.

Authorities have been charting plans to upgrade security, and strengthen intelligence and counteroffensive measures. An official committee has recommended technology-based security infrastructure, and the deployment of Quick Reaction Teams at “high-threat” facilities. Another committee addressing the issue of border protection has recommended various measures to strengthen security and address vulnerabilities in fencing along the Indo-Pakistan border. One was for “smart fencing” in difficult terrain and riverine and marshy areas where regular fencing cannot be erected. This will comprise non-physical barriers like laser walls, closed circuit cameras and acoustic radars that map vibration. Gaps in the border areas are also to be plugged, and floodlights installed and manpower increased, apart from border roads and outposts being constructed, and hi-tech surveillance equipment and more effective mobile patrolling introduced. Though these measures are crucial, there have been instances when intruding Chinese troops have smashed Indian bunkers and destroyed and even carted away surveillance equipment.

There is a multi-tiered security apparatus tasked for operations at the Centre, at the States and at the borders. Responsible for national stability, the MHA is the nodal agency for dealing with all matters of internal security through its various arms that perform preventive, regulative and investigative roles. Its seven central armed police forces number over 1.3 million.

India’s internal and external threat situation warrants continuous upgradation and expansion of its forces and munitions, enormously straining the developing economy.



International India

Demonetisation spurs cyber crime in India

With the Indian government striving towards a cashless economy by expanding the scope of digitisation across all activities, the widening internet modes this will foster will need to be safeguarded from cyber crime and cyber fraud.

By Sarosh Bana, APSM Correspondent, Mumbai

Online databases and transactions are getting increasingly vulnerable to hackers today with their ever innovative tools. Cases of banking frauds from phishing, cloning charge cards, cyber stalking, hacking accounts and databases, and impersonation are already on the rise in India, but detection has been weak in the absence of effective policing and monitoring, especially in individual cases. Less than a fifth of the cases registered with the cyber police have been solved over the last four years. In Mumbai, the financial capital of the country, as much as 80 per cent of the crimes registered in 2016 have remained undetected. As per Reserve Bank of India (RBI) data, banks in India reported 9,500, 13,083 and 16,468 cases related to cyber frauds like breach of accounts during 2013-14, 2014-15 and 2015-16, respectively.

Pointing out that detecting cyber cases has become challenging as most such criminals use servers based outside India, the Mumbai cyber police see this situation presenting a severe hindrance in resolving the cases owing to the long-drawn procedures that are mostly beyond their jurisdiction. Yet they say that they are continuously at work on cracking down on online frauds and are monitoring the situation as best they can. Asked what challenges lay ahead for the city police in 2017, Mumbai Police Commissioner Dattatray Padsalgikar retorts: “Cyber crime is a threat.”

Furthering the government’s drive towards digitisation will be the planned optic-fibre based internet connectivity across rural India, apart from a new initiative that aims to provide villages with tele-medicine, education, and skills through the use of digital technology. Another scheme is for a digital pension distribution system that will provide retired defence personnel easier access to their funds and a similar initiative that will offer health information to senior citizens.

Last November, the government took the drastic step of demonetising high denomination currency in an effort to crack down on black money and fake notes. As much as 87 per cent of the money in circulation was sucked out of the economy as a result. With diminished access to money even for their daily expenses, the public, especially the working classes who deal exclusively in cash, was traumatised. The government changed its tune, announcing that the withdrawal of the high value tender was also meant to usher in digitisation with the larger objective of financial inclusion of all. Following on this argument, it has hitherto replaced only part of the currency that it invalidated.

This objective towards digitisation appears to be succeeding to a degree, with the numbers rising from 27.3 million credit cards and 739.3 million debit cards to 28.8 million credit cards and 818 million debit cards within two months of the demonetisation. Indians have always preferred debit cards over credit cards. While the total amount transacted through credit cards in January was Rs32,691 crore (Aus$6.8 billion), a 76 per cent rise over January 2016, that transacted through debit cards was Rs49,004 crore (Aus$10.2 billion), a jump of 235 per cent.

India has traditionally and historically been more dependent on cash than most other countries. The penetration of banking services has been a niggardly 59 per cent, and there are only 202,801 ATMs (Automated Teller Machines) serving a population of 1.27 billion. India’s reserve money to broad money ratio, indicative of the scale of cash in circulation, is 0.18, deemed very high in comparison with other emerging economies – 3.5 times that of China’s, triple that of Brazil’s and double that of Mexico’s. Compared with developed countries, India’s ratio is 2.25 times that of Japan’s, 2.5 times of the Netherlands’, 4 times of Canada’s, and 6.5 times of Sweden’s and South Korea’s.

Anticipating technology to be a key driver of India’s growth, with the country embracing applications of technologies at an accelerated pace, Amitabh Kant, CEO of Niti Aayog - the present government’s version of the Planning Commission that it disbanded – believes that physical banking in India is almost dead. He adds that the country is adopting pervasive technologies so rapidly that over the next three to four years, digital transactions will move through mobile wallet and biometric modes, setting the stage for credit cards, debit cards and ATMs to eventually disappear.

Recognising the trends that will have wide implications for all online systems like banking, financial, commercial and retail, the Finance ministry in its Budget for 2017-18 has proposed the Computer Emergency Response Team for Financial Sector (CERT-Fin) to curb hacking and secure online data. Underscoring cyber security as critical for safeguarding the integrity and stability of India’s financial sector, Finance minister Arun Jaitley informed Parliament that CERT-Fin will work in close coordination with financial sector regulators such as RBI and Securities and Exchange Board of India (SEBI) to further boost the moves towards digitisation. CERT-Fin will be a team of computer experts and computer scientists that will help secure the government’s online presence.

Cyber experts, however, feel that much more will need to be done in order to safeguard computer networks and payment gateways as India aims to go digital. Following one of the biggest ever malware-related security breaches of financial data in India that took place last October, the public sector State Bank of India and four private sector banks either replaced, or asked users to change the security codes of, as many as 3.2 million debit cards that were compromised. Several victims reported unauthorised usage from locations in China. The breach was found to have originated in malware introduced into the systems of Hitachi Payment Services, which provides ATM, point of sale (PoS) and other services. This enabled the fraudsters to steal information that provided them access to various accounts.

FortiGuard Labs, the threat research division of California-based network security solutions provider Fortinet, observed a spike in attacks and malware in India in the months of November and December, that is, post-demonetisation. Its report, India threat analysis for Q4 2016, notes increased threat activities in that period, with ransomware trending particularly high, accounting for nine out of the top 10 malwares. Finance was the most attacked vertical throughout Q1 to Q3. There was a surge of attacks on telecommunications companies in the last three months of 2016 and the report saw this as a possible result of an increase in mobile transactions after demonetisation.

“In global terms, India was 13th on the list of malware detections in Q4,” FortiGuard Labs adds. It registered a rise also in Botnet activity, with an average activity level of 800,000 connections per day recorded by Fortinet sensors in Q4. Government was the most infected industry sector, followed by manufacturing. According to the report, threat activity in India increased significantly over the last two weeks of December, caused by a surge of SSH (Secure Shell) Connection brute-force attempts, such a surge interestingly not seen globally.
“The most attacked industry was Banking & Finance, which received more than 15 times the hits than the second-placed Technology industry,” it states.

“Hackers are smart people and they know exactly what organisations are going through,” mentions Rajesh Maurya, Fortinet’s Regional Vice President for India and SAARC. “There’s only one way to get the better of them – be quicker and more knowledgeable.” He believes sharing information is a prerequisite to get ahead of cybercrime, as a collection of companies working together to collect and share intelligence will always have better visibility into the threat landscape than one organisation on its own. Also, seeing new threats as soon as they emerge increases our ability to respond and protect valuable resources.

Though a lot of raw data are available to organisations, most security infrastructures are not designed to effectively consume, correlate, and distribute the increasing volume of information available, remarks Maurya. “Fortinet’s Security Fabric provides a powerful, integrated end-to-end security solution across the entire attack surface, linking different security sensors and tools together in order to collect, coordinate, and respond to malicious behavior anywhere it occurs in real time,” he says. “It provides control, integration, and easy management of security across the entire organisation, from IoT (Internet of Things) to the cloud.”

Contending that Budget 2017-18 did not allocate adequate funding for fighting cyber crime, cyber experts deem it critical for the existing cyber law framework to be revamped to bring in new encryption and privacy policies and regulate existing encryption services. They also see the need to fortify cyber law to effectively deter online fraudsters and detect and prosecute them without delay. However, they do not expect any improvement in the situation until the National Cyber Security Policy is fully implemented.

Drafted in 2013 as India’s first policy on cyber security, it had been years in the making and was finally released last November by the Department of Electronics and Information Technology. Setting high goals for cyber security in India, the Policy covers a wide range of topics, from institutional frameworks for emergency response to indigenous capacity building. The Society for Cyberabad Security Council (SCSC), however, indicates that what the Policy achieves in breadth, it often lacks in depth. “Vague, cursory language ultimately prevents the Policy from being anything more than an aspirational document,” the Council notes in its review. “In order to translate the Policy’s goals into an effective strategy, a great deal more specificity and precision will be required.”

Observing that precision is most required in definitions, SCSC maintains that since the Policy is not a statute, it lacks the legal precision expected of an act of Parliament and ends up with terms that appear ambiguous, “cyber security not the least among them”. “In forgoing basic definitions, the Policy fails to define its own scope, and as a result it proves remarkably broad and arguably unfocused,” the Council clarifies. It adds that while the pervasive and intrusive Central Monitoring System (CMS) has been justified on concerns of national cyber security, expanding the range of threats for it to address has the danger of providing a pretext for further surveillance efforts on a national scale.

The World Economic Forum estimates the total economic costs of cybercrime worldwide at $3 trillion, while Silicon Valley-based consultancy Cybersecurity Ventures projects cybercrime to cost the world in excess of $6 trillion annually by 2021. Much of this explosive growth of cyber crime has been from illegal businesses that are safely conducted deep in a part of the internet that most people have never seen, and have little means to access. Also termed “darknet”, this section of the internet lies beyond normal web browsers, is cloaked in anonymity, and has become a haven for criminal commerce, including cyber crime. Just as legitimate businesses have employees reporting for work, threat actors and agents pursue their activities in much the same manner, the three broad segments of the threat marketplace being producers, consumers and enablers. Mitigating the risks associated with these cyber threats requires a comprehensive strategy that includes actionable threat intelligence.




Cover Feature | Cyber Security | India

India’s cyber trauma

By Sarosh Bana, APSM Correspondent, Mumbai

Recently, India’s Defence and other ministries were placed on high alert following concerted cyber attacks on the country’s government and commercial organisations by the Chinese People’s Liberation Army’s (PLA’s) Western Theatre Command that faces India all along its northern Himalayan borders. The Ministry of Defence (MoD) issued an alert to the army, navy and air force that a Chinese Advanced Persistent Threat (APT) group called Suckfly, based in Chengdu region where the Command is located, is targeting Indian agencies, with the defence establishment as its prime target. Suckfly, which carries out cyber espionage through a malware called Nidiran, camouflaged its attacks with certificates stolen from legitimate software developing firms in South Korea.

“This cyber espionage was undertaken by infecting computers of both government and commercial houses involved in e-commerce, finance, healthcare, shipping and technology,” the MoD alert cautioned. “Sensitive information from targeted computers and networks is being used to undermine national security and economic capabilities.” An APT is a network attack in which someone gains unauthorised access and stays there undetected for long, the intention being to steal data instead of causing damage to the network or organisation.


These mounting cyber onslaughts against India’s defence establishments have reaffirmed a proposal for the setting up of a dedicated tri-services command for cyber security. A proposal for such a command had indeed been drafted following a 2012 cyber attack by Chinese hackers, who managed to penetrate the computer systems of the Indian Navy’s Eastern Command, where the country’s first indigenous nuclear submarine was constructed and is based.

More recently, a strange email was received by senior executives of the Mumbai-headquartered Tata Group (US$103 billion revenue last year) from chairman Cyrus Mistry asking them to transfer US$4,500 to a specified bank account. “We are coming up with a project of Tata Group; kindly deposit US$4,500 in a/c no. xxxx,” the email mentioned. “This project should not get stopped due to financial crunch.” Appropriately, it was the Group’s chief ethics officer, Dr Mukund Rajan, who caught the lie, recognising the hoax. He informed Mistry of the online impersonation, and a police inquiry is now under way to identify the perpetrator. A similarly fake email ID of Mistry had been created last year by a former Tata employee, subsequently arrested, who had sent emails from this account to officials of the Group company of Jaguar Land Rover (JLR), asking them to consider his curriculum vitae for a position in the purchase department.

Numerous corporates, including multinationals, across the country are being defrauded by online pranksters and fraudsters. Many of the cases have a similarity with that of Tata’s, where emails are sent to the finance departments through spoofed email IDs of the company heads with instructions to deposit funds in specified bank accounts. Cyber police maintain that an email can be ascertained to be fraudulent only after going through the full-header or logs of the suspected email address. “In most cases, while the spoofed emails are of different managing directors and directors of companies, full-header analyses reveal that they were sent from one exec.m@exces.com,” says an official. “Earlier, cyber fraudsters used to make minor alterations while spoofing email IDs, but now they hack the complete corporate email IDs of the promoters and use them to communicate with the finance officers.” In one instance, a finance officer received an email from his managing director asking for Rs600,000 (A$11,869) to be deposited, but the fraud came to light when the MD called him in the nick of time for some other reason.

India is clearly one of the most cyber attacked countries in the world, a recent study estimating a 350 per cent surge in cyber crime cases registered under the country’s Information Technology (IT) Act, 2000, between 2011 and 2014. Indian authorities have been alarmed by the growing number of attacks on cyber networks that are posing a huge risk and severe threat to the nation’s, and individual Indians’, financial and security interests. Criminals are exploiting cyberspace for their own ends as it touches nearly every part of our daily lives through broadband networks, wireless signals, local networks, and the massive grids that power the nation.
“More than 8,000 Indian websites were hacked in the first three months of 2016,” Communications and IT Minister Ravi Shankar Prasad informed Parliament recently. “While 28,481 websites were hacked into in 2013, 32,323 sites were attacked in 2014, 27,205 in 2015, and 8,056 until March this year.” Cyber crime and security were a major enough issue for Indian Prime Minister Narendra Modi to discuss with U.S. President Barack Obama during his visit to the U.S. in June. “The entire world is concerned about cyber security, and Indian IT professionals can do a lot for cyber safety of digital assets across the world,” said Modi. “Can we secure the world from this bloodless war? India must take the lead in cyber security through innovation; I dream of Digital India where cyber security becomes an integral part of national security.” Both leaders felt that defending against, and defeating, cyber attacks will require the combined efforts of both the public and private sectors, working to develop new technologies and new approaches for maintaining real-time protection of their individual networks. The recent study, “Protecting interconnected systems in the cyber era”, conducted by ASSOCHAM (Associated Chambers of Commerce and Industry of India) and business consultancy PwC India (PricewaterhouseCoopers India) notes that operational systems are increasingly subject to cyber attacks, as many are built around legacy technologies with weaker protocols that are inherently more vulnerable.

“The continued and regular sharing of cyber security intelligence and insights are essential to improving the resilience of these systems and processes from emerging cyber risks,” it mentions. It adds that the Computer Emergency Response Team-India (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents recorded in 2015. Pointing out that cyber attacks are occurring around the world at a greater frequency and intensity, the study indicates that the profile and motivation of cyber attackers are fast changing. A new breed of cyber criminals has emerged whose main aim is not just financial gains, but also causing disruption and chaos in businesses in particular and in the nation at large. “The importance of cyber security in India has increased exponentially over the last few years, with an emphasis on Digital India and e-commerce and many government services now being delivered online,” explains Sivarama Krishnan, Leader, Cyber Security, PwC India. “The new breed of hackers understands cyber vulnerabilities and how to exploit them and they play by a new set of rules, the ‘bare minimum’ being ineffective against increasingly adept assaults.” He advises businesses to rethink their cyber security practices and focus on innovative technologies that can help reduce risks, seeing advantage in having the right data, understanding data and knowing how to take active steps in putting information to good use. Pratyush Kumar, who chairs ASSOCHAM’s National Council on Cyber Security and is also Vice President, Boeing International, and President, Boeing India, says the worldwide threat of terrorism, turmoil in the South China Sea, Brexit, the state of transition in the Middle East, the coup attempt in Turkey, etc. are all factors adding to uncertainty and volatility in the world. 
“Concurrently, we are being deeply impacted by the furious pace of technological evolution, especially the explosion of Big Data, mobility, the Cloud, Internet of Things (IoT), machine learning and analytics,” he observes. “If properly managed, these technologies can transform our society, but on the other hand, an uncertain and volatile world also puts this very technology in the hands of operators anywhere in the world for causing tremendous damage, given the growing linkages between cyberspace and physical systems.” U.K.’s Sophos Group plc, a global leader in endpoint, encryption and network security, lists India among five countries with the highest percentage of endpoints exposed to a malware attack and thus more prone to cyber attacks. Research by the company’s SophosLabs division on such incidence in the first months of 2016 discovered a growing trend among cyber criminals to target and even filter out specific countries when designing ransomware and other malicious cyber attacks. Apart from India, the countries with the highest so-called Threat Exposure Rates (TER) were Algeria, Bolivia, Pakistan and China. The research gleaned millions of endpoints worldwide that were analysed by a SophosLabs team. To ensnare more victims, cyber criminals are now devising customised spam in regional vernacular, and touting brands and payment methods that appear culturally compatibile. To beguile the recipients, they make their scam emails


impersonate local postal companies, tax and law enforcement agencies, and utility firms, including fraudulent shipping notices, refunds, speeding tickets and electricity bills. On 5 October, while releasing in India a report on internet governance as head of the Global Commission for Internet Governance (GCIG), former Swedish Prime Minister Carl Bildt mentioned that as an emerging cyber power, India needed to engage seriously on issues of internet governance. He deemed it necessary for India to address over-the-horizon threats like cyber attacks, cyber spying and cyber crime. One of the conclusions of the report was that surveillance was an important part of cyber governance, “because in its absence, people tend to lose trust in the internet”. “The purpose of the report is mainly to bring to the attention of policymakers across the world the significance of the challenges we are facing and of the potential that exists,” said Bildt. “Too much of this has been debated among technical people, while policymakers haven’t addressed the issue sufficiently.” He found that for policymakers, safeguarding freedom of expression and of information on the internet is under increasing challenge. “The world is entering the Internet of Things (IoT) and everything will be connected with everything, everything will have an IP address,” he remarked. “Everything can potentially be turned into a weapon in the cyber world, and this brings the requirement for cyber security, stability and governance to a very different level.” The report found only

three governments, of the United States, Estonia and China, addressing this issue. Whereas the economic contribution of the internet is as high as US$4.2 trillion in 2016, the IoT could result in upwards of US$11.1 trillion in economic growth and efficiency gains by 2025. Bildt deemed Beijing’s level of attention notable, saying, “The Chinese do it slightly differently, to put it mildly; they do both offensive and defensive because it has to do with the stability of the regime, and the future of the Chinese economy - for them it’s a high priority issue.” According to him, the world is slowly initiating conversation on cyber behaviour, with elements coming out of the U.S.-China agreement, and India being on the United Nations’ Group of Governmental Experts on Information Security. “These are important as the top countries are beginning to set rules for the internet,” he notes. “It is important that India is part of this conversation as it is the second largest in the world in terms of connected people, as well as largest in terms of unconnected people, and hence has an important voice both in the connected world and the unconnected world.” The number of internet users in the world has increased threefold in the last 10 years, but during the same period, their number has multiplied nearly 15 times in India. As per Connecticut-based IT research and advisory firm Gartner, Inc., the number of devices connected to the internet will reach 27 billion globally by 2020, with a total revenue of around US$300 billion. India will have around a five to six per cent share of the global IoT industry.


Sri Lanka

Transnational Crime in Sri Lanka: Future considerations for international cooperation
By Mitchell Sutton and Serge DeSilva-Ranasinghe

A changing criminal threat

Despite the large blow dealt to drug, people and arms trafficking systems by the fall of the LTTE in 2009, Sri Lanka still faces serious challenges from transnational organised crime. The country has found itself both a transit and a source point along the larger South and Southeast Asian smuggling routes, and the problem has been exacerbated by its poor border control, its geographical position and the incidence of official corruption. The challenges faced by the country are, at their core, regional problems that can’t be countered by the Sri Lankan Government in isolation. Although the country is but a small link, activities in Sri Lanka have impacts in some way upon all stages of the trafficking chain, from producer countries to destinations.

Bilateral and interagency law enforcement cooperation

As a small island nation with a marginal ability to limit transnational crime seeping over from its larger neighbours, Sri Lanka has been keenly involved in international law enforcement cooperation since the 1970s. That cooperation has taken the form of multilateral regional cooperation


forums, bilateral agreements and the provision of training and equipment by foreign governments. Those patterns have largely continued unchanged into the present day, although Sri Lanka’s moves to establish counter-people-smuggling coordination agreements with Australia appear to indicate a willingness to expand coordination efforts outside its immediate neighbourhood. Australia has been one focus of cooperation among many for the Sri Lankan Government. Cooperation is based on a broad Memorandum of Understanding on Combating Transnational Crime and Developing Police Cooperation signed in May 2009, and a more specific memorandum on cooperation against migrant smuggling signed later that year. The Australia – Sri Lanka Joint Working Group on People Smuggling and Other Transnational Crime was formed in 2012 to complement the latter agreement. These agreements have resulted in increased cooperation between Sri Lankan authorities, the Australian Border Force and the Australian Federal Police (AFP). The AFP has developed close operational-level contacts inside the Sri Lanka Police, including with the Criminal Intelligence Division (CID), the Maritime Human Smuggling Investigation Unit, the Anti-Human Smuggling Investigation Bureau and the Airport CID team. Along with Australian Customs and Border Protection



officers based in Sri Lanka, customs cooperation has also included two ex-Customs Bay-class patrol boats gifted to the Sri Lanka Navy in 2013 and further maritime cooperation, training, equipment and workshops. The Sri Lankan Government’s willingness to engage in extra-regional bilateral arrangements has also been evident in its approach to money laundering and corruption. Since 2008, intelligence-sharing memorandums have been signed between the FIUCBSL and banks or other counter-money-laundering agencies across the globe. Britain has been prominent in these efforts, committing around £750,000 to Sri Lankan counter-corruption efforts for the 2015–2018 period. An officer from the UK Serious Fraud Office has also been seconded to the High Commission to assist the Commission to Investigate Allegations of Bribery or Corruption and the Sri Lanka Police’s CID and Financial Crime Investigations Department. The provision of training and equipment by foreign law enforcement authorities has been a strong method of international cooperation, despite ongoing controversies in some quarters over the human rights record of the Sri Lanka Police. In recent years, the police have received counternarcotics training from the US, Canada, Germany, Thailand, India, Japan and the UK, as well as ethics and human rights training from Sweden and counter-corruption skilling from Switzerland. Australia has been prominent in these efforts, providing training and equipment to build Sri Lankan Government capability. This support has included computers, specialised intelligence software, office equipment and vehicles. Other agencies have also been involved; for example, the US has provided seaport security training for the police through the US Coast Guard. Sri Lanka has itself also provided law enforcement training to others, in the form of counternarcotics assistance to members of the Maldives National Security Service.

Multilateral law enforcement cooperation

At the regional and global levels, Sri Lanka has engaged in a number of initiatives to counter drug trafficking, people smuggling, money laundering and maritime crime. Most of its law enforcement cooperation efforts at the coordination level have been with the South Asian Association for Regional Cooperation (SAARC). The Sri Lankan Government was at the centre of efforts to establish the SAARC Convention on Narcotic Drugs and Psychotropic Substances (1990), the Colombo-based SAARC Drug Offences Monitoring Desk (1992), the SAARC Conference on Cooperation in Police Matters (first held in Colombo in 1996) and the SAARC Coordination Group of Drug Law Enforcement Agencies. Along with Australia, the country was also involved in the Colombo Plan Drug Advisory Programme, which was also designed to facilitate law enforcement and intergovernmental cooperation on the issue in the region, and the UNODC’s South Asia Regional Programme, which targets drug trafficking and official corruption. These initiatives have helped to improve information sharing between Sri Lanka and the major regional powers, especially the major drug transit points of India and Pakistan. The Sri Lankan Government has engaged robustly with the UNODC’s Global Maritime Crime Programme. In 2014, it assisted in the foundation of the UNODC’s Indian Ocean Forum on Maritime Crime and presented ways in which the Global Maritime Crime Programme could be

extended into maritime narcotics trafficking. It subsequently participated in the forum’s technical meetings on human trafficking and maritime heroin smuggling held in 2015. Aside from the UNODC, Sri Lanka has been an active member of INTERPOL since 1950. The Sri Lanka Police’s CID is designated as the INTERPOL National Central Bureau, with the Deputy Inspector General of Police as its designated head. Memorandums of understanding continue to be signed between Sri Lanka and INTERPOL, including one in 2015 expediting the visa application process for INTERPOL officials and other foreign investigators. Counter-money-laundering efforts have also been occurring on a multilateral level. Although Sri Lanka had no domestic laws prohibiting money laundering until 2006, in recent years financial regulations have been tightened to crack down on the practice and comply with international agreements. Those agreements include UN Security Council resolutions 1267 (1999) and 1373 (2001) on terrorist financing, the International Convention on the Suppression of Terrorist Financing (2005), the regulations set out by the Financial Action Task Force (1989) and its subsequent updates, and the standards established by the Asia Pacific Group on Money Laundering (1997). The initial tranche of compliance laws included the Convention on the Suppression of Terrorist Financing Act (2005) and the Prevention of Money Laundering Act (2006), which forbid transactions involving profits from ‘dangerous drugs, terrorism, bribery, corruption, firearms and explosives, foreign currency transactions, transnational organized crimes, cybercrimes, child pornography and trafficking of persons’. The FIUCBSL was also established in 2006, and became a member of the Egmont Group of Financial Intelligence Units in 2009. Despite the improvements brought about by the creation of these frameworks, enormous enforcement challenges remain. More recent have been multilateral efforts to counter people smuggling.
Sri Lanka has been one of the 11 states engaged in the Australian-instigated Law Enforcement Joint Management Group on People Smuggling since the group’s establishment in 2014. The Sri Lanka Police are due to host the third annual meeting of the group in Colombo in 2016.

Good cooperation, but limited impact

Law enforcement cooperation between the Sri Lanka Police and regional and global allies has generally been very good, and Sri Lanka has been at the centre of a number of long-term multilateral counter-trafficking initiatives. Likewise, bilateral arrangements designed to address immediate issues, such as the agreements between the AFP and the Sri Lanka Police on combating transnational crime, have also encountered a great deal of success. However, this cooperation is likely to remain of limited use unless the Sri Lankan police and military recalibrate their efforts to meet new threats and develop effective anticorruption measures.

The Full Report is available at https://aspi.org.au/publications/transnational-crime-in-sri-lanka-futureconsiderations-for-international-cooperation/SR94_SriLanka.pdf



International China

Digital innovation in China: how the West is being won!

Evolving business models with investments in VR & AR make China unique amongst a global IT market

By Chris Cubbage, Executive Editor

Digitalisation in China has been rapid, on a massive scale and is unique beyond any other country on the planet. Ecommerce in China is now 18 per cent larger than that in the USA. With over 1.3 billion people, China is naturally a major market for IT and has evolved its own digital ecosystem, mirroring that of the West’s Google, Amazon and Facebook with the likes of Baidu, Alibaba and Tencent. Mobile apps have also played a major part, like WeChat, which has over 200 million users and AliPay with well over 300 million users, more users than the USA population. The Chinese Government remains protective against foreign companies entering the market, despite the national economy slowing and transitioning from manufacturing to services. Verticals such as logistics, transport, retail, entertainment, healthcare and banking are all embracing digitalisation and the country is entering a golden era for integrating new technologies, with steady growth expected over the next decade.


The major drivers, according to Canalys APAC Research Director Nicole Peng, speaking last week in Macau at the Canalys APAC Channels Forum, have been trends in the macro economy, consumer behaviour and the online-offline market. Major trends in the macro economy have been the shift from manufacturing to the services sector and strong encouragement from China’s Government for the country to innovate. The services sector now exceeds manufacturing as a GDP contributor and the country has also experienced rapid wage rises. The increase in wages has raised labour costs, which is further driving business to focus on productivity. Urbanisation has led to better infrastructure, including network and wi-fi infrastructure. Increasing incomes have been significant for migrant workers moving within tier 2 and tier 3 cities and the logistics industry is a leading example of innovation within national supply chains. Another major trend is the consumer sector. China has a billion smart phone users, a number that will grow to 1.3 billion by 2020. Online payment platforms such as Alipay are allowing rapid


adoption of online and retail services, including the transition to accessing all of government services. Consumers expect businesses to embrace new technologies. The third major trend is the online to offline model, which sets out to uncover latent supply between the physical and cyber experiences. This market is addressing an unmet demand in areas such as food ordering, travel, payments and transport on demand. There remains a large potential for greater cross selling and upselling to consumers in this area, and the technologies with the potential to best apply to this market are VR (Virtual Reality) and AR (Augmented Reality). VR and AR are anticipated to drive new digital transformation and provide a substantial user experience if correctly supported by new hardware and software. There remain many challenges, with the mix needing to combine the right form of hardware, new software platforms and, most importantly, new content. Getting this mix right has the potential to fundamentally change how users operate online, engage socially and behave commercially. The VR and AR market has the potential to kick start a new wave of business and next generation content. Canalys Analyst Jason Low predicts that the VR industry will ship 6.3 million headsets worldwide in 2016 with 40% of these for the China market. In VR, advertising offers a more engaging experience to the consumer and also offers wider options for product placement. With these benefits in mind, Baidu is looking to transition customers from web browsers to new VR platforms. VR will therefore require new hardware, new software and, most importantly, new content, which will need to be based on combining user data, image recognition and generating customised content.
Alibaba is investing heavily in creating new online shopping experiences in new VR environments, and virtual shopping malls will be limited only by the imagination of the developers. The aim is to change the way people shop for products online. The concept is to give customers the ability to experience products virtually and to generate immediate market scale by keeping the technology simple and accessible to everyone. With the amount of investment being made by the likes of Alibaba, the VR technology is anticipated to mature quickly. Tencent has diversified into mobile and online gaming and is the most relevant for deploying VR hardware whilst combining social networks and VR content. Tencent has released its new VR platform called SOLAR-VR and is seeking to significantly expand across its gaming platforms, accommodating casual gamers through to hardcore gamers. LeEco, China’s largest online video company, and Xiaomi, the world’s fourth largest smart phone maker, comparatively operate as a mix of Apple, Amazon and Google with business models combining smart electronic hardware, online retail platforms and delivery of mobile services. Xiaomi has made

investments into 50 companies that are producing new breeds of IT hardware ecosystems and has plans to expand its investments to reach 100 companies. Xiaomi investments follow strict rules that apply technology specifically to their user profile, namely 18 – 35 year old males that are tech-savvy, price conscious and inspired by design. The companies also need to have a similar culture to its own and need to have developed a large user base. According to Hugo Barra, Xiaomi’s Vice President, “the game in China is building walled gardens and getting them to stay in your garden.” Xiaomi is also amassing substantial data on its users to better understand and predict their behaviours. With 150 million users, they are each lighting their screens on average 122 times a day and have an average total daily screen time of 4.4 hours per user. In Tier 1 cities, 17 out of 100 people have a Xiaomi device and in Tier 2 and Tier 3 cities it’s 13 and 6 out of 100, respectively. Data is being collected on users accessing social media, video, tools, games, books and news. The data analytics business concept is to deliver services with precision marketing and generate consumer buying power. LeEco, similar to Netflix with on-demand video streaming, has also entered the smart phone and smart TV sector and has founded its own digital ecosystem based on Internet and Cloud platforms, with LeMail.com and LeTV Cloud that is surrounded by content, mobile services, Smart TV hardware, Music, Internet Finance, Sports and Automotive, part of a Super Electric EcoSystem (SEE) Plan. These all-encompassing business plans are endeavouring to bring multiple benefits including flexibility in pricing, so hardware prices are linked to subscription services. For example, lower hardware prices are offset by longer subscriptions and vice versa. So lower cost smart phones are offset with longer term or higher priced subscriptions.
The business model is to create life time users and secure revenue from subscriptions, advertising and online shopping. The content driven ecosystem will also allow cross sector promotion and greater selling diversification, with integrated products and service range propositions expanding across industries. This flexibility in pricing and digitalisation blurs the boundaries between industries and expands the data these companies can access and analyse to create highly targeted and effective digital services for a consumer seemingly always hungry and willing for more. How the West competes with the Far East will continue to play out, but generating similarly scaled digital business models is still some way away, with only Google, Apple, Facebook and Amazon on a similar path and needing a global audience rather than just a US-centric model. Regardless, the global battle to get human screen time continues and is set to take on a whole new look within the next 5 to 10 years – so get your VR goggles and hang on.



Technology

ID Document: Holograms innovate and protect

Dr Mark Deakes, general secretary of the International Hologram Manufacturers Association (IHMA), considers current developments in security holography in the face of continuing worries about fake identity documents.

By Mark Deakes, General secretary of the International Hologram Manufacturers Association (IHMA)

While the production of identification documents is a global business, estimated to be worth hundreds of millions of dollars a year in revenues for designers, producers and manufacturers, the cost of fraudulent passports, driver’s licences and pass cards adds up to hundreds of billions of dollars a year in lost revenues, untold damage to corporate reputations, and funding initiatives to combat the counterfeiters. Identity theft affected 17 million people and amounted to $15bn in the US alone in 2014, while the Department of Homeland Security reported in 2016 that it believed Europe’s trade in forged and stolen passports was so out of control that it had reached ‘epidemic’ proportions. Elsewhere, police personnel in India are being issued with smart identity cards with special security features and a hologram in a move to improve security and identify fake officers. But in the war on counterfeiting, holography remains a


weapon of choice, paramount in securing data and protecting identity documents against interference, tampering, alteration, forgery or imitation. New materials, scientific innovation and state-of-the-art manufacturing practices combine to keep the technology fresh, secure and relevant, continuing to play a seminal role in protecting against forgery of the photograph and personal data, otherwise known as the ‘variable information’. However, the ability of holography to provide effective protection lies in the continuous innovation of new techniques. Both optical effects and material science techniques have created authentication devices that are easily recognised yet difficult to copy accurately. They can be safely integrated within the production process and stand up to the rigorous demands of being in use for a period of anything up to ten years. Modern reprographic technologies make it possible to



copy many things but the real issue is just how accurately can holograms be copied? The answer is that their intrinsic features ensure that the techniques and visual effects make it extremely difficult, perhaps almost impossible, to copy a well-designed security hologram 100%. Holograms serve as both a means of protection and authentication, and a warning about the dangers of counterfeiting. Therefore, they are not solely to prevent counterfeits but act as an effective detection device, making it easier for the trained eye to distinguish the genuine article from the fake or usurper. Manufacturers are responding to the technical challenges this imposes through new optics and material science technologies used in the production of holography solutions for ID. Since 2010, we have seen significant growth in the number of passport and other documents issued that feature OVD (Optically Variable Devices), which are created in

highly-secure facilities and are at the forefront of overt asset and brand protection programmes - the OVD can be used as a stand-alone feature or combined with printed security features to create devices that are extremely difficult to replicate using conventional photocopy or scanning technologies.

New developments

Companies currently at the forefront of new developments include OVD Kinegram, one of the leading providers of security technologies used in the protection of government documents and banknotes. The company’s Kinegram digital seal is a copy-resistant feature that interlinks and interlocks physical ID documents with mobile verification processes. It takes the biographical data from an identity document and encodes this information into a quick response (QR) code, which can be encrypted and read by a smartphone. The code


is protected against forgery or interference by the optical structure and the information contained therein can be read using a simple smartphone app to verify and check that the document is not stolen, lost or fake. Growing smartphone usage in the authentication processes is also behind the development of high security opto-digital foil technology. Optokey OVDs from Surys combine a digital data matrix code with a high definition micro image, which is part of the holographic security design. Using a dedicated app, specific images and properties can be authenticated without the need for an internet connection. Russia’s RPC Krypten is another firm at the forefront of developments in the sector with its photopolymer laminate 3D Gram-M; an overlay technology that has a bright reflectance at discrete angles and undergoes a colour change from green to gold and then finally red when viewed at acute angles. Passport pages need to be adequately protected from tampering and alteration but it can be difficult to achieve this when there’s such a proliferation of different formats and styles in use by different national governments. However, new printed security laminates can be deployed across multiple formats to provide effective protection of document types and specifications. For example, ITW Security Division’s Holoprotek security laminates utilise proprietary technology to protect against the forgery and counterfeiting of government and personal ID document data pages, combining traditional holographic effects with high security print to provide level one security features for public recognition and simple, easy to verify level two security features. Elsewhere, manufacturers continue to push the boundaries in addressing anti-counterfeiting solutions aimed at end-users.
Promoted as a significant step forward in moving further than the current state-of-the-art in light transmission, optically variable coloured effects are visible through Surys’ Plasmogram: a new generation, high security DOVID that combines reflective and see-through effects on a nano-structured film incorporating physical properties. It’s one of a number of ‘break through’ technologies that are now increasingly finding their way into the high security sector where, for instance, they are being adopted by producers of passports to provide beneficial features including added track and trace capabilities. Equally, for ID cards, we are seeing optical security features coming through that can be integrated with almost any substrates - plastic cards, polycarbonate material, composite and paper - to deliver ‘smart’ ID solutions - ones that combine optical and digital technologies to offer both visual and automatic authentication based around the interactions of the user and smart devices. Holograms will continue to play an important part in moving ID documents to the next stage of development as those with responsibilities for safety and security look to stay one step ahead of the criminals; ensuring quality and checking the trade in fake ID while those documents not displaying security holograms are seized and destroyed. Those involved in law enforcement, border protection and ID security will always be reassured by the presence of holography technologies and devices on passports and other documents, clearly seeing and benefiting from the advantages they provide. Moreover, the use of well-designed and properly deployed authentication solutions enables those with safety and security responsibilities to verify the authenticity of a legitimate product, differentiating it from counterfeits. Even those that carry a ‘fake’ authentication feature can be distinguished from the genuine item if that item carries a carefully thought-out authentication solution. The IHMA (www.ihma.org) is made up of 100 of the world's leading hologram companies.
Members include the leading producers and converters of holograms for banknote security, anti-counterfeiting, brand protection, packaging, graphics and other commercial applications around the world, and actively cooperate to maintain the highest professional, security and quality standards.



The most effective IT security methodology: SysSecOps

Editor’s Interview with Scott Raynovich, founder of Futuriom and creator of the Rayno Report, now a part of SDxCentral.

By Chris Cubbage, Executive Editor

Recent ransomware attacks such as WannaCry and Petya highlight the continued disconnect between two enterprise technology silos, and it’s killing both operations and security. I spoke with technology analyst Scott Raynovich, who has developed an enterprise security methodology, SysSecOps, or Systems Security Operations, and released the Futuriom report ‘Endpoint Security and SysSecOps – The growing trend to build a more secure enterprise’.

As Scott explained, “The context is ‘almost’ perfect as the recent ransomware attacks provide a top level view – security operations and system operations are often separate functions and these organisations aren’t always talking to each other. The ransomware worms are affecting older systems that haven’t been maintained and patched. So, this is a patching issue, which is an IT administration problem.”

“The premise of the report – surveying 170 people - was there has to be more integration between security operations but these are management and process challenges. Looking back through some of the largest hacks and attacks, Target, Yahoo, DNC, the pattern is that many of these incidents wasn’t that technology didn’t identify it was happening, it was rather a system process problem. The right person wasn’t informed or the response wasn’t automated.”

Editor - Isn’t it also the case that security, as it always has been, continues to be seen as a cost and not a business contributor?

“There is a cost component to security and there is a number attached to it. How much are we going to spend? Things have changed in the last year or so and Target was another catalyst, when the CEO lost his job. Yahoo is another case where a significant corporate merger was affected. This is why corporate boards are now more aware and security is now a corporate governance issue. The report highlights the critical awareness that has arisen and the beginning of the change for organisations managing security at the highest levels.
It is the CIO and CEO that has the power to make change and a board level process which needs to set new policies. There has to be an integrated approach and the top challenges are lack of time and resources. But this is a budget issue and despite an increase in spend, it is not infinite. The other answer is automation of policy. Thirty-four per cent cited conflicting IT and security goals and a lack of integration of policy, or a lack of coordination. Everything needs to be integrated at a higher level and therefore policy is required, as well as policy enforcement. The number one response was better management of security budget and better integration between systems management and tools. Some of the newer technology has been focused on better integration, visibility, managing alerts, monitoring and managing end points. Feeding all this data into a broad analytics platform for better insight.

Like the way DevOps brought together developers and IT operations, the approach of SysSecOps brings together the CISO’s security team with the CIO/CTO’s operations staff, to provide a unified view of the status of the organisation’s IT infrastructure – and to prevent and respond to security threats, particularly those affecting endpoints.

For a copy of the Futuriom Report – visit http://www.futuriom.com/articles/news/the-futuriomsyssecops-report/2017/06

Key Findings

1. Endpoint security integration and organisational coordination are key to building a SysSecOps approach to enterprise security
2. Many of the major hacks of the past five years could have been prevented with better organisational response and integration of security tools
3. Half of the respondents to the 2017 Futuriom security survey believe security technology integration is a major challenge in securing endpoints
4. Integrating security tools is a major goal of SysSecOps, which can have beneficial effects in securing the enterprise, according to Futuriom research
5. Many systems and security operations staff say they are challenged by time and resources, meaning further security automation would be welcome
6. Conflicting security goals within the same organisation can be a barrier to securing endpoints and systems
7. Many current endpoint security tools are inadequate, lacking integration with other security components
8. Malware and phishing remain major threats to enterprise security, requiring integrated system monitoring and endpoint protection


Now is the time for multi-modal biometrics at border security checkpoints

By John Kendall, Border Security Program Director, Unisys

Border security today is facing a perfect storm of challenges that requires every tool available to manage it. John Kendall, Border Security Program Director, Unisys, explores why the time for multi-modal biometrics, including face, fingerprint and iris recognition technology, has arrived.

Many border security agencies have clung to outdated technologies and inaccurate assumptions when it comes to leveraging biometrics. For many, the reluctance to modernise technology at the border relates to flat budgets. For others, time simply doesn’t allow them to screen travellers effectively. Globally however, border security agencies can no longer afford to stand still in time.

The sheer volume of travellers crossing borders means advanced technology must play a role in effective border security. In 2015, a record 1.2 billion people travelled overseas – up four per cent. In addition, the war in Syria has sparked the largest human migration seen since the end of World War II. This, coupled with fear caused by the recent Paris and Brussels attacks, has created a dire need to efficiently and accurately monitor who enters, and leaves, each country. Multimodal biometrics are the future and border security agencies must be ready to adopt them.


Biometrics can help

New ePassports include facial biometric data on the chip, so biometrics can automatically detect stolen or forged passports by authenticating the traveller against the rightful holder of the travel document. Border agencies can also use biometrics to check the traveller against a watch list of known “most wanted” persons to identify individuals of interest when entering or leaving the country. Automated clearance eGates are also capable of performing these checks quickly and accurately.

Border security solutions employing biometric technology are used in many countries today including the US, UK and Australia. But these biometric solutions display little difference from those deployed 15 years ago and continue to exhibit the same shortcomings.

In particular, most of the current biometric solutions are unable to detect individuals travelling under multiple identities and travel documents. This is a vulnerability that can be exploited by terrorists and other criminals to avoid detection when travelling internationally. If an individual is able to obtain a new passport (perhaps from a different country) under a new “clean” identity, then the chances of getting stopped by border security officers are very small.

Achieving accuracy and speed

The types of biometrics captured at most border crossings aren’t well suited for near-real time searching against very large databases (e.g., biometric records of all travellers who previously entered or exited the country).

The International Civil Aviation Organization (ICAO) Document 9303 defines international standards for machine readable travel documents, like ePassports. The standard provides for the storage of three different types of biometrics on the chip – face, fingerprint and iris. Facial biometrics are mandatory, but fingerprint and iris modalities are optional.

Facial biometrics work very well for performing a one-to-one verification of the traveller to the facial image stored on the chip as it is quick and accurate. However, they are not as well suited for performing one-to-many searches against a large database of biometric records because of the large number of false matches and false non-matches.

For example, if a traveller’s face is compared against the faces of 100 million previous travellers, the facial matching system is likely to return a long list of possible matches against records with similar faces. A border agent then needs to manually review the possible matches to eliminate all the false matches. This is not a problem if you have lots of time, but when facing a queue of tired and frustrated travellers, time cannot be wasted.

Because of the relatively low accuracy of facial biometrics, a number of countries have elected to collect and match fingerprints at the border crossing. Fingerprint image analysis detects far more feature points (or minutiae) in a single fingerprint than facial biometrics detects in a face. Fingerprint biometric matching also performs a far more mathematically complex comparison of those feature points (e.g., location, ridge direction, and distance to neighbouring feature points). As a result, fingerprint biometrics is far more accurate than facial matching.

In fact, it is possible to perform one-to-many searches against a large database of fingerprint biometric records with very few false matches and false non-matches.
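The difference between one-to-one verification and a one-to-many search described above can be put into numbers. The following Python code is an added example, not part of the original article: the two matchers and their normal score distributions are constructed assumptions (not measured figures for face, fingerprint or iris systems), comparisons are assumed independent, and only the gallery size of 100 million comes from the text.

```python
"""Added illustration (not from the article): 1:1 verification vs 1:N search.

Both matchers and their score distributions are constructed assumptions,
not measured figures for any real biometric modality.
"""
import math
from dataclasses import dataclass
from statistics import NormalDist


@dataclass(frozen=True)
class Matcher:
    """Hypothetical matcher whose comparison scores are normally distributed."""
    name: str
    impostor_mean: float   # scores when two different people are compared
    impostor_sd: float
    genuine_mean: float    # scores when the same person is compared
    genuine_sd: float


def upper_tail(x, mean, sd):
    """P(score >= x); erfc keeps precision for very small tail probabilities."""
    return 0.5 * math.erfc((x - mean) / (sd * math.sqrt(2.0)))


def threshold_for_fnmr(m, target_fnmr):
    """Decision threshold at which a genuine pair is rejected with target_fnmr."""
    return NormalDist(m.genuine_mean, m.genuine_sd).inv_cdf(target_fnmr)


def false_match_rate(m, threshold):
    """Chance that one impostor comparison scores at or above the threshold."""
    return upper_tail(threshold, m.impostor_mean, m.impostor_sd)


def false_non_match_rate(m, threshold):
    """Chance that one genuine comparison scores below the threshold."""
    return 1.0 - upper_tail(threshold, m.genuine_mean, m.genuine_sd)


def identification_load(m, target_fnmr, gallery_size):
    """What an officer faces when one probe is searched against the gallery."""
    threshold = threshold_for_fnmr(m, target_fnmr)
    fmr = false_match_rate(m, threshold)
    # Every enrolled record is one more (assumed independent) chance of a false match.
    expected = gallery_size * fmr
    # 1 - (1 - fmr)^N, via log1p/expm1 so a tiny fmr is not rounded away.
    p_any = -math.expm1(gallery_size * math.log1p(-fmr))
    return {
        "matcher": m.name,
        "threshold": threshold,
        "fmr": fmr,
        "expected_false_matches": expected,
        "p_any_false_match": p_any,
    }


# Constructed matchers: identical impostor scores, different separation
# between genuine and impostor score distributions.
WEAKER = Matcher("weaker separation", 0.0, 1.0, 5.0, 1.0)
STRONGER = Matcher("stronger separation", 0.0, 1.0, 9.0, 1.0)
GALLERY = 100_000_000   # the article's "100 million previous travellers"

if __name__ == "__main__":
    for matcher in (WEAKER, STRONGER):
        r = identification_load(matcher, target_fnmr=0.01, gallery_size=GALLERY)
        print(f"{r['matcher']}: per-comparison FMR {r['fmr']:.3g}, "
              f"expected false matches in 1:N {r['expected_false_matches']:.3g}, "
              f"P(any false match) {r['p_any_false_match']:.3g}")
```

With both matchers tuned to reject the same share of genuine travellers, a per-comparison false match rate that is acceptable for a single passport check still yields a candidate list of hundreds of thousands of records at this gallery size, while the better-separated matcher returns almost none.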


Real time matching essential

In a border crossing situation, the biometric matching needs to be completed in, at most, a couple of seconds, or near-real time. Since fingerprint matching is computationally intensive, near-real time, large-scale fingerprint matching requires significant processing resources - which can be very expensive.

So fingerprints work well for one-to-one authentication and one-to-few watch list checks, but fingerprint biometrics are too costly to perform near-real time searches against massive databases (such as the biometric records of all previous travellers). Without that capability, a known suspect travelling under a new identity and travel document can slip through the border undetected.

Iris – best of both worlds

Iris biometrics offers the advantage of very fast and efficient matching with accuracy similar to that of fingerprints. As a result, it is possible and cost effective to perform near-real time iris biometric matching against very large iris databases.

So how might iris biometrics be used in the border security environment? When a traveller enters or exits the country, the border agency captures an image of the iris. This is a simple process that takes a high resolution picture of the eye from up to two meters away – much like taking a photo of the face. Once the iris image is captured, the unique patterns of the iris can be quantified and searched against the entire database of previous travellers to determine whether or not that iris has been seen previously.

Iris biometrics represents the best defence against individuals who attempt to enter a country using multiple identities and will go a long way towards tightening border security without delaying the border clearance process.

Iris biometrics is not as well known or understood by the public as facial or fingerprint biometrics, but it is used for border clearance in the UAE and is the favoured modality for large-scale civil applications – like national identity. For example, iris is the primary biometric used for the 110 million-person Mexico National ID as well as the one billion-person India National ID.

Bottom Line

Most border agencies try to weather the perfect storm of border security challenges using traditional biometric technologies that only address part of the security risk. With heightened security threats and a growing volume of travellers to process, there is a pressing need to expand border crossing solutions to leverage the power and cost efficiency of iris biometrics.

Face and fingerprint biometrics still have a place, with many existing face and fingerprint biometric watch lists, but the time for multimodal biometrics (using face, fingerprint and iris) has arrived.


Next generation security intelligence operations

Interview with Vasant Kumar: Future learning opportunities on safeguarding business and industry

By Chris Cubbage, Executive Editor, and Jane Lo, Singapore Correspondent

One never stops learning. As in the past, there will remain future learning opportunities on safeguarding business and industry with next generation security intelligence operations. HPE’s ASEAN Information Security Day, held in Singapore, focused on the theme “Information Security – Investigate & Incident Response” and presented new ideas around Security Intelligence Operations, investigating and responding to incidents, and discovering the path of continued innovation.

Vasant Kumar, Regional Customer Success Manager for the Asia Pacific region with HPE ArcSight, HPE Software, reported, “We are seeing an unprecedented growth in the volume of data that is being created, generated and adopted each day, versus, for example, 5-10 years ago when there were not that many mobile applications. The biggest disruptor is the variety and velocity of data – where billions of contents are shared on social media and movies are watched online, and where sensors are built into everyday consumer products.”

During his presentation, titled ‘Resilience for Growth’, Vasant Kumar outlined what it means to be able to successfully and intelligently utilise and adapt this exponential growth of data. “To analyse these large data sets to detect patterns, trends and associations of malicious activities – in a shorter frame of time, and at a lower cost, means the need to build a tool to be able to store and perform contextual searches on the growing scale of data in a simple-to-use-and-understand way. We see this simplification of process, as smart analytics, that is key to resolving and closing issues rapidly.”


The adoption of Big Data Analytics, combined with correlation analytics, is also key to defending against multi-staged attacks. The data is ingested into the HPE ArcSight Data platform and event correlation and security analytics is enabled to identify and prioritise threats in real time and remediate incidents early through HPE ArcSight ESM.

HPE Security’s State of Security Operations 2017 report of capabilities and maturity of cyber defense organisations highlighted some key findings, including a sharp decline in maturity for organisations that are opting out of real-time security monitoring in favour of post-event search technologies. While this is a disturbing trend, organisations that have adopted hunt team capabilities as an add-on to their existing real-time monitoring programs have seen success in rapid detection of configuration issues, previously undetected malware infections, and SWIFT attack identification.

The State of Security Operations 2017 report also noted that “HPE did not observe a direct relationship between the size of the organisation and operational maturity across commercial and public sector organisations. While there are larger organisations at or near the top, an exploration of the lowest performing organisations reveals some large multinationals that have simply not prioritised security operations. The allocation of IT budget and security budget to protect revenue, privacy, critical infrastructure, market share, safety, and intellectual capital is sizable when there is much to lose. Despite access to significant resources those organisations are not more mature. Security as a competitive differentiator, market leadership, and industry alignment are better predictors of maturity.

The right growth strategy for cyber security maturity

How should customers establish their growth strategy, in terms of cyber maturity? What are the key focus areas and challenges? Vasant Kumar considers and outlines the HPE approach.

“Whether protecting brand, intellectual capital, and customer information or providing controls for critical infrastructure, the means for incident detection and response to protect organisational interests have common elements: people, processes, and technology. The HPE model, SOMM (Security operations maturity model and methodology), focuses on multiple aspects of a successful and mature security intelligence and monitoring capability including people, process, technology, and the supporting business functions. These four pillars are equally important. Our experience with our clients revealed that, while clients focus on people, process and technology, it is critical to gain the buy-in from the business, who has an important role to play.

When we deliver services, the first thing we conduct are the Business Requirements Mapping workshop with our clients. This is a series of a 5-day workshop with the key stakeholders where we establish the business issues. We do this by identifying these across products, services, and use cases, and the associated risk levels. For example, for a banking client, we map against the compliance and regulatory requirements relating to system logs, and help the client automate these reports in an auditable way. In this way, the client is able to demonstrate to the auditors that there is an established protocol in place to review logs and highlight issues.

Everyone has a responsibility when it comes to security. And this includes the business, which means the need for the board to be involved in key decisions relating to security. Knowing there was a security risk and not prioritising it is no longer acceptable. Stringent regulations are being enforced in certain industries, for example in financial services. Aligning the cyber security goals against regulatory requirements will also be useful in helping to formulate growth strategy.

Security Intelligence and the key sources for Security Operations

Security Intelligence using analytics, such as machine learning and predictive analytics across diverse data sets, can help an organisation become proactive, rather than reactive, in managing cyber risk and mitigate threats.

Vasant Kumar notes, “this allows our clients to identify threats quickly and accurately so that action can be taken before critical systems are impacted. With the ability to predict, using a data collection platform that is reliable and secure, it provides visibility and triggers for alerts generation. Data collected, normalised and enriched through this platform, include key sources such as: logs, sensors, stream network traffic, security devices, web servers, customer applications, cloud services and others.

HPE ArcSight Data Platform (ADP) 2.0 collects data from these sources and delivers an open architecture that can also send event data to third-party applications such as Hadoop, data lakes, or even proprietary in-house applications. For example, data from the end-device monitoring capability allows for identification of the specific device in issue and reduce time to make an informed decision to fix any problem quickly. In addition, normalising and categorising data immediately after it is collected, and enriched with security context enables faster correlation and threat detection. This also helps our clients to be proactive rather than reactive.

Our in-house threat intelligence feeds can be plugged onto the platform. For example, our Threat Intelligence team monitors the cyber underground to understand the threat actors and the indicators of compromise; our experts in vulnerability, malware and defender research perform complex analysis of the latest malware and exploits while putting the trends into context for defenders; and we have our data scientists and security researchers utilise machine learning and predictive analytics to develop use case driven models. We also use Open Source intelligence and collaborative feeds, such as STIX, TAXII, which are integrated into the platform.”

HPE ARCSIGHT Evolves Beyond Traditional SIEM

HPE ArcSight continues its leadership in the industry, helping clients to protect their organisation against cyber threats using a risk-based adversary-centric approach. As the landscape of threat vectors moved beyond the traditional IT environment to OT, to now IoT, HPE had recently launched a rethink of the fundamentals of ArcSight. The roadmap for HPE ArcSight will continue to help protect clients against the most aggressive threat environment in the history of IT security. HPE ArcSight is a next-generation cyber defense solution with security and compliance analytics. In coming up with the roadmap, we have taken on client pain points.


The solution allows clients to easily expand the size and breadth of a deployment by delivering an open and scalable architecture. The multidimensional real-time correlation uses rule-based, statistical or algorithmic correlation, as well as other methods, to allow clients to work smarter.

There are three aspects considered as key in planning the roadmap:

1. Data chaos into security insights with powerful querying capabilities

ADP is now architected for the breadth, depth and speed of Big Data collection that organisations demand to improve their security posture. It collects machine data in real-time from a broad range of sources (including logs, clickstreams, sensors, stream network traffic, Web servers, custom applications, hypervisors, social media, and cloud services). It enables you to search, monitor and analyse the data to detect security threats faster. The variety and velocity of data is ingested, enriched, stored and brokered with “Event Broker”. Event Broker is an Event shuffling and distribution of data that uses the Kafka open-source stream processing technology. It streams traffic meant for internal or external use; for example, whether the data is meant for correlation / analytics; or meant for long term compliance and third party repository purposes. This next generation data collection and storage engine allows you to capture data at rates of up to 400,000 events per second, and executes searches at millions of events per second.

2. Address the challenges of skills and manpower

• Make it simple to use “simpler & faster searches”
• ArcSight Investigate, a next generation hunt and investigate solution, features a simple search interface that enables needle-in-the-haystack queries of both active and historical data with a simple search interface. Interesting search patterns can be easily converted into real-time alerts. The investigation and forensic tools help obtain the right information at the right time. You can track situations as they develop and query both active and historical data to investigate possible threats and conduct entity profiling.

3. Respond to threats – all alert mechanisms, KPIs, SOC metrics, workflow in place

Events of interest can be manually or automatically escalated to the right people in the right time frame. The robust workflow framework comes with built in case management and can integrate with existing processes and systems.

Figure 1: Data from everywhere to anywhere: Open Architecture

Information security – investigate & incident response

Interview with Stephen Kho: The key IR skills, roles and why non-technical skills are still important.

With a computer engineering system background, Stephen Kho, Managing Principal, Consulting Services for HPE Software, gained his security experience in firewalls, IPD/IDS management, and spent more than ten years building and leading pen-testing teams.

“The Pen Testing team members I recruited,” Stephen notes, “included professionals from other areas such as chemists and educational specialists. The common traits amongst them, regardless of their technical expertise, was the level of inquisitiveness, motivation to learn, analytical ability and ability to think outside the box, or in other words think laterally. This is the mindset I look for.”

The different roles within an Incident Response Team include Intelligence Analyst, Data Scientist, Digital Forensic Investigator and that is why the skills shortage is a real challenge. While technical skills can be taught, Stephen Kho believes that attitude is key.

“During the interview, I would ask technical questions, but this is only to allow me to gauge how much technical training I need to give. From an incident response perspective, having ability to think outside the box and analytical abilities are key to enable a Level 1 security analyst to progress to a Level 2 for example, where the security incident related tasks are more challenging. At the security analyst Level 2 level and above, the investigative activities can include digital forensics, network analysis and reverse engineering. Inquisitiveness and having the motivation to learn are vital traits, especially as the attack landscape is constantly evolving and the level of attack sophistication is increasing.”

Uncovering cybercrime and expectations from authorities

Should a cybercrime be uncovered, authorities would want to clarify that the data handling and information dissemination steps the client has taken comply with the relevant legal requirements. This includes the policies and procedures that are in place internally.

Stephen acknowledges that this encompasses many aspects. “For example, HR policy should set out code of conduct in relation to data handling policy pertaining to privacy and protection of personal and sensitive data. There should also be procedures on data breach notification and the relevant escalation triggers and procedures. This should also include disclosure and confidentiality procedures in the event of a potential cybercrime under investigation, including who is allowed access to the investigation details and progress. These policies would be aligned to the rules and regulations of the relevant jurisdictions that the client operate under.

Internally, forensic handlers must understand the regulatory and legal requirements, and these vary across jurisdictions, meaning, how to handle evidence and maintain evidence for admission into the court of law. With HPE Consulting we share with our clients, in our training sessions, the framework to ensure that adequate policies and procedures are in place to process information and data relating to cybercrime, that comply with the legislations and regulations.”

Achieving outcomes from Incident Response

The IR platform must have good reporting and tracking functionality, including workflow and case management functionality. It is important to have a robust reporting tool with time stamped and staged details for events, and acknowledgement of who is looking after which case. This allows members of the team to do immediate investigations, make informed decisions and take appropriate and timely action.

Team members who are responsible for responding to incidents need to be familiar with the reporting tool, as well as the policies and procedures on documented standards. This includes the minimum amount of information that needs to be captured to enable handoffs between L1 and L2 security analysts, or between experienced and newer members of the team.

“For example,” Stephen notes, “if a malware on the server had been reported, the reporting tool should highlight if it had been resolved, and if not, what is the resolution stage of the incident, and who is the case owner. It is important for the reporting tool to capture the right information, that is, relevant and timely information. Availability of actionable data is important to enable the team to understand the background of the issue, and the case status.

At HPE Consulting we help our clients achieve this by a combination of initial and continuous training and teaching. We share the best practices in terms of opening and closing an incident with an adequate audit trail. We also provide training on frameworks and approaches that allow the clients to standardise the documentation in a consistent manner, in order to allow decisions and actions to be taken. Not only does this reduce the time spent on response, it also addresses the skills shortage challenge, which is one of the key areas we are focusing on in our roadmap.”


Figure 2: Hadoop Integration Architecture


Artificial Intelligence in the financial services

W By Jane Lo Singapore Correspondent

hen the United Kingdom cast its decisive vote on 23rd June 2016 to leave the European Union, a membership in which it held for more than 40 years, the British pound slumped to a 31-year low as the final polling results sent shockwaves during the Asian trading hours. The losses extended to the European and US trading sessions as panicking investors fled to safe haven assets, and stunned traders caught short by the unexpected outcome rushed to cover their positions. On that day, the pound plummeted more than 10% to $1.33, from $1.50. While the financial markets absorbed the news and braced for further turmoil over the following days and weeks, no one was quite prepared for the “flash crash” that happened 3 months later, on 7th October, when the currency plunged within a few minutes from $1.26 to $1.15 – marking a fresh 31-year low. The blame swiftly shifted to “algorithm trading programs”, for triggering market orders that contributed to the massive pressure on the pound as political uncertainties mount. Algorithm-driven robot traders Algorithm-driven robot traders, a form of “Artificial Intelligence (AI)”, mimic real-life trading using logic, if-

56 | Malaysia & Singapore Security Magazine

then rules, decision trees to behave in ways that resemble an expert trader. Initially developed to improve trading efficiency by minimizing the manual tracking of financial markets and laborious execution of order (and arguably, also to eliminate trader emotional volatility), these robo-trading algorithms have evolved. From simple sell-buy triggers, to devising trading strategies built on high-speed cross-asset-correlations and other complex mathematical calculations, they have acquired the potential to create systemically contagious impacts as trades from one algorithm could trigger signals of others (as we see in this Brexit example). The coding of the financial markets data tracking and profitable trades structuring is not new; what’s changed is that these algorithms fully harnessed the vast computation power available today to rapidly identify micro arbitrage opportunities across assets, markets, time zones and construct profitable trading strategies within fraction of a second. Processing power, and lots of data “Artificial intelligence” encompasses a vast range of technologies, ranging from problem-solving programs that copy human logical thinking process (as in this case


Technology

Algorithm-driven robot traders), to “machine learning” that improves these programs over time (“with experience”) using mathematical optimization techniques, to “deep learning” (or deep neural networks as formally referred to in academic research) which are composed of multi-layered neural networks that self-train with vast amounts of data. In the fields of speech and image recognition, for example, Amazon’s Alexa, Apple’s Siri, Microsoft’s Cortana, and the many voice-responsive features of Google – are enabled by the vast computation power as well as volumes of image, video, audio and text file data available on the Internet. There is no question that it is in the machine-vs-human game of chess where this impressive processing power has taken our appreciation of potential of AI to the next level. Deep Blue (IBM’s supercomputer) beat Garry Kasparov, the then world chess champion, in a six-game match in 1997, by using sheer processing power and massive data storage capability. Moving beyond merely programming how human experts think with if-then-rules and decision trees, Google’s AlphaGo (an application of two layers of deep learning nets – Deepmind combined with a reinforcement learning) played against Mr Lee Se-dol last year in the ancient Chinese game of GO. AlphaGo beat Mr Lee, perhaps the best player of the game, in four of the five games. These advances in AI are made possible by the increased computational power referred to as Moore’s Law and graphics processing units (GPUs) – initially built by Nvidiá for 3D visual experiences in gaming - which enable 20 to 50 times efficiency compared to traditional central processing units (CPUs). Google’s tensor processing units (TPUs), or Intel’s acquisition of Nervana Systems and Movidius, two startups that tailor-make technology for deep-learning computations point to how serious technology giants are viewing the potential in this market. 
Sheer processing power combined with the availability of reams of data is accelerating AI applications across industries. Besides robo-trading, we are seeing innovations in the areas of robo-advising, fraud detection and market behavioral analytics in the financial services.

Artificial Intelligence in the Financial Services

Robo-Advisors offer digital investment advisory services based on algorithms. By collecting the details of investors’ investment objectives, preferences, style and risk profile, the robo-advisers learn what investors are interested in and deliver customised advice by aggregating relevant research reports and market updates to suggest financial asset allocations. In addition to these data analytics approaches, robo-advising technologies such as Chatbots (robots that converse with humans) or Sentiment Analysis (the “irrational and qualitative” aspect of investment analytics, based on non-balance-sheet components such as views sourced from Tweets or other social media), which improve the customer experience with natural language processing and unstructured data analytics algorithms, have also been widely deployed.

This robo-human interaction technology is in the initial phases of innovation. Robo-advisors are yet to understand subtleties in a conversation. “I am worried about my parents’ health”, which may prompt a human advisor to review the risk profile and investment horizon of the customer, may not necessarily trigger the same response in a robo-advisor. A robo-advisor may also be limited in its information gathering ability: it may not ask about money held outside of its service, which could give a distorted picture of a customer’s financial health. These examples show that whilst there is still some way to go before a robo-advisor can fully function as fiduciary in the traditional sense, the volume and speed of the data being processed across several sources to deliver timely advice mean that innovations in these technologies will continue. Certainly, for those contemplating using robo-advisers, less biased advice combined with a wider selection of potential investments at a fraction of the cost of traditional service is an attractive proposition.

Fraud Detection - AI machine learning techniques are also used to help in fighting cyber attacks, through automatic scanning, detection and response of network vulnerabilities. Similarly, by applying AI to volumes of data to spot suspicious financial transactions amongst millions of normal ones, AI could ease the burden on investigators in combatting money laundering, financial fraud and sanctions violations. With increasing regulatory scrutiny in these areas, financial institutions have adopted over-cautious attitudes, setting thresholds of traditional rules-based anti-fraud systems at levels that raise alerts on practically everything, resulting in an unsustainable increase in false positives. Not only do legitimate customers face unnecessary probes, investigators also consume excessive time clearing these false positives.
Adding to this workload is the manual building of the customer profile when swamped with structured and unstructured data about the subject and their social and commercial networks, from in-house and other public and commercial sources. By replicating the way an investigator manages a case, AI automatically flags unusual/suspicious activity by mining data from a customer’s and peer group transaction history and thousands of “signature fraud patterns”. At the same time AI also learns new patterns or goes into a corrective loop to ignore the ‘false positives’. For investigators facing the tedious job of manual data collation and rules update in the legacy threshold systems, AI not only reduces the burdens but also completes these tasks much quicker.

Market Behavioral Analytics - In the fast-paced, high-pressure world of trading where it is not uncommon for millions of transactions to change hands across the global markets of FX, futures, or commodities, most would rank Nick Leeson and the collapse of Barings Bank, the United Kingdom's oldest merchant bank, in 1995, as one of the most publicized cases of unauthorized trading. Trading in the futures markets on the Singapore International Monetary Exchange (SIMEX), Leeson was regularly using Barings' error account (accounts used to correct mistakes made in trading) numbered 88888 to hide his trading losses, a practice that remained undetected for at least 2 years. The unravelling was triggered by his attempts to offset losses when the 17 January 1995 Kobe earthquake struck, sending the Asian markets and his trading positions into a tailspin. His new trades exacerbated the original losses, the total of which eventually reached £827 million (US$1.4 billion), resulting in Barings declaring insolvency on 26 February 1995.

Recent cases of unauthorized trading included Jérôme Kerviel, a French trader convicted in the 2008 Société Générale €4.9 billion trading loss scandal. As a trader at the bank's Delta One desk, he created offsetting faked hedge trades to cover his losses. Three years later in 2011, in what was another incident of unauthorised trading loss, Kweku Adoboli, as a Global Synthetic Equities desk trader at UBS, also practiced entering false information into the bank's computers to hide the risky trades he was making, which eventually cost the bank $2 billion.

At the heart of rogue trading (or other types of fraud) are human incentives: those who want to profit for personal gain or who enjoy the thrill of excessive and unsanctioned risk taking, and those who are afraid to own up to losses. These incentives are reasons why flagging rogue trading is a challenge in-house using traditional methods. Bank employees do not reveal problems early because they are not incentivized to: they might get fired or lose their bonuses. Employers are not incentivized to be completely open with regulators because of adverse effects on their business.
Algorithms and data-driven analysis by external teams of former traders, compliance staff, intelligence officials, and psychologists to a certain extent solve this incentive problem: systems alert to suspicious activity that is employee-agnostic, supported by an external investigative team that is independent with minimal conflicts of interest.

A Re-evaluation of Artificial Intelligence’s potential?

Early this year, in a widely hailed new milestone for AI, Libratus, built by Carnegie Mellon University Professor of Computer Science Tuomas Sandholm and his PhD student Noam Brown, won $1.5 million in chips after beating four of the world’s best poker players in an extraordinary 20-day tournament. Training a machine with incomplete, hidden and misleading information to win is significantly more challenging than constructing layers of neural nets to beat humans at chess. Unlike chess where players see the entire board, poker players do not see each other’s hands. From performing probability calculations to manipulating table image, poker is a game where the outcome is tied to players’ actions based on psychology and game theory. The ability to interpret an imperfect set of information and “bluff” is key to a winning hand – and building this ability into artificial intelligence had proven to be elusive. Libratus does this by self-learning: armed with massive computing power, it plays trillions of hands to refine its approach to arrive at a winning strategy. Critically, Libratus does this overnight and repeatedly over the 20 days without needing to “take a break”; whereas the poker pros face a very real physical challenge: they need to eat and sleep.

The success of Libratus is special. It challenges our preconceptions about the limitations of AI, and takes us to previously unexplored possibilities: there is potential for applications from negotiating trade deals to devising cyber security defense strategies to setting national budgets – areas that we think of as strategic work with imperfect information. But AI successes such as this have also raised concerns. Aside from data protection issues in Fraud Detection (will my personal investment data be anonymized for peer group profiling?), or threats of surveillance in Market Behavioral analytics (will the storing of my phone and electronic conversations be done in such a way that it meets legal requirements?), it is hard to escape our nagging suspicions that AI will soon replace us. The news that the world’s largest hedge fund, Bridgewater Associates, which manages $160 billion, is extending AI beyond financial trading to build “a piece of software to automate the day-to-day management of the firm, including hiring, firing and other strategic decision-making” adds to the fears and insecurities felt by many of us.

Arguably, the examples provided here – Algo trading, Robo-Advisors, Fraud Detection, Market Behavioral analytics – do not eliminate the human touch; AI merely collates data and draws out key information to allow for more efficient human decision making.
An Accenture survey of 1,770 managers across 14 countries concludes similarly: “AI will ultimately prove to be cheaper, more efficient” and so will “free us from the drudgery of administrative tasks”, to allow us “to focus on things only humans can do.” However, some, including the Futurist Ray Kurzweil, disagree and believe that what we think of as strategic work or even creative work can be substantially overtaken by AI.

Perhaps the real question is not if, but when: are we decades in planning for the arrival of full AI systems without human guidance? Is it a quantum leap from today’s AI systems to performing strategic decision making? What research breakthroughs are required to make these feasible? The evolutionary path is unlikely to be a linear one, and the complexities of human activities mean that some are easier to automate than others. But the rapid innovation of AI technologies means that we should not dismiss the likelihood out of hand. While the debate rages on, we can plan to adapt to AI’s transformational impact in our future lives. For the time being though, we still hold some cards in our hands: there is no question that AI still needs our direction to set its objectives, programming, algorithms, codes and ultimately, to turn it on.




Cyber Security Maritime

Piracy is only beaten but not defeated

By J Prakash, Singapore correspondent

A nagging reluctance to embarrass one another for fear of softening the Association of South East Asian Nations (ASEAN) solidarity, poor economic growth and the lack of job opportunities appear to be contributing to a rise in pirate attacks in the seas and waters surrounding eastern Indonesia. But the problem could actually be larger. Not only is there the question of fading economic opportunities, but lax enforcement of security measures is perceptibly feeding a scourge that has the potential to scale to what was seen a decade ago when Indonesia, according to an International Maritime Bureau (IMB) report, finished second only to Nigeria and the waters and seas around it were deemed too dangerous a place for ships and ship owners.

On 20 Feb 17, the ReCAAP ISC, a multi-lateral information sharing body operating out of Singapore, received a report from their Vietnamese counterparts about an abduction incident that occurred on a Vietnam-registered ship, Giang Hai. The bulk carrier was sailing from Indonesia to Iloilo Port, Philippines when an unidentified number of pirates boarded the ship and abducted its six crew members and fatally shot one. The pirates destroyed navigation and communication equipment before escaping. The ship then headed to Taganak anchorage area, Tawi Tawi, Philippines and underwent investigations conducted by the Philippine authorities.

Such incidents remain standard fare in South East Asia where ships are either boarded by pirates or robbed of their possessions, or in extreme cases such as the one that happened to Giang Hai, even have their crew maimed or sometimes killed. Since the de-escalation of piracy off the Gulf of Aden, an effacing new focal point is emerging unseen and possibly unnoticed by the rest of the global community. Even as it remains in the shadows of the vastly lucrative maritime trade criss-crossing the busy South China Sea shipping lanes, what has been especially worrying is the rising frequency of such attacks. The prospect of more of these raids can now only mean an increase in cargo insurance premiums for the foreseeable future, and heightened security preparedness in the hire of security guards. Another prospect is the installation of security devices to stave off the increasing, and worrying, tide of ship assaults and taking of hostages.

Too Little Information and Too Little To Do

Though the continued fall in piracy is good news, outlines Pottengal Mukundan, Director of the International Maritime Bureau or IMB, ‘the kidnappings’, he adds with emphasis, ‘in the Sulu Sea between East Malaysia and the Philippines are a particular concern’. Speaking to APSM in a phone interview, Mukundan said the most encouraging news of all is that though pirate attacks across the western part and the hinterland of Indonesia have decreased, the nagging problem actually lies in the Sulu Sea.

‘The situation in the Sulu Seas is worrying’, he decries, and that is only because of a very loose, diffusive, fragmented and informal system where shipping and fishing overlap one another to present a very confusing and defying charade of hide and seek. There is, as he says, ‘a lot of fishing traffic’ in the region and that adds to the tide of confusion and clear-eyed analysis of what now is raising the ante in the Indonesian periphery of security operations. That leaves coast guard patrols in hot pursuit of pirates dead in their tracks with little or no chance of ever positively identifying or apprehending them. Because pirates disguise themselves as fishermen in the vicinity of the Sulu Sea, security operations and security coordination on the high seas are frustrated and undermined by the extent of these fishermen turned pirates taking to concealing their tracks. And that is worsened not just by corrupt practices but also through a very well-oiled and well-choreographed regime of connivance by enforcement officials.

A Worsening Situation

The problem, as a matter of fact, according to Mukundan, has worsened to such an extent that even tugs and barges are attacked with their crew taken to southern Philippines where a militant insurgency that has been festering for decades recently made headlines in the beheading of captives and making a parade out of them. Yet the problem in South East Asia as it unfolds cannot be any starker than the tide of piracy the world saw off the Gulf of Aden over the last few years. Unlike the very brazen Somali pirates – except for the episode on 14th March when they resumed their wilful ways, in the hijack of the Aris 13, a Panamanian-owned vessel – South East Asian pirates are in the business purely for money and that is for nothing more than that they are perceptibly less organised than their Somali counterparts. That explains why they mostly take to robbing their victims and drop the idea of ever taking hostages. In an ancillary it also explains why ship owners could quietly be abetting piracy by not seeking to report such incidences for fear of either alarming their shore masters or giving cause to insurers to justify raising premiums.

Still, unlike the times when ship owners wrapped their vessels with razor wires and hired security guards, none of those measures have ever been taken in South East Asia. Ship owners have often been leery of hiring guards for fear of causing casualties among their own crew or even of fatalities. Yet many have been quick to pin the blame on ReCAAP which they say is doing too little about the kind of information it is disseminating.

Just like ASEAN, ReCAAP too is hamstrung by the politics of deference. Though it may not have said so openly, an open secret making its rounds is that the body is downplaying the information sharing process much to the detriment of ship owners. That reluctance to precisely reveal all the information the body has causes a whole host of problems, from pursuing pirates into the shores of neighbouring countries to revealing ‘compromising’ information of one another.

Yet the larger and the more pressing issue is with the entire socio-economic matrix within Indonesia proper itself that is feeding and fostering poverty, which in turn feeds into piracy. Indonesian president Joko Widodo has made it his administration’s goal to reduce poverty by the building of infrastructure links. That is a good start to cleansing the nation of the piracy menace but what has remained undocumented is how successful he will be given that he just has a few more years left in his term. Until then piracy in South East Asia will remain as it is: only beaten but never defeated.



Dark figure issues in maritime piracy

Piracy is a maritime security risk concern with deep historical roots that permeates all times and places. Nevertheless, this article will show that piracy embodies ambiguity in definition such that misunderstanding the crime inhibits an efficacious collective transnational response. Furthermore, due to definition limitations, the deficiencies in transnational counter piracy measures are often exacerbated by legal, procedural and financial factors, ultimately resulting in a dark figure in recorded piracy incidents. This is notwithstanding that some counter measures, including the rebuilding of failed states and coordinated international cooperation, have shown a degree of effectiveness. The combined rising incidence of piracy and its poorly defined nature, coupled with developing disunity and instability in the S.E. Asian maritime region, undermines the viability of internationally coordinated counter-measures being implemented.

Historical Snapshot

The history of piracy can be traced back to 1200 B.C. in the Mediterranean, across the periods of ancient Rome and Greece to the Middle Ages and through to today’s shipping lane choke points – the Gulf of Aden, the Gulf of Guinea, the Malacca Strait and off the Indian subcontinent (Figure 1). Nonetheless, current accepted definitions limit the international community’s ability to collectively counter this crime effectively.


Definitions and Delineations

Defined in Article 101 of the United Nations Convention on the Law of the Sea (UNCLOS), piracy is any of the following acts:

a. any illegal acts of violence or detention, or any act of depredation, committed for private ends by the crew or the passengers of a private ship or a private aircraft, and directed:
b. on the high seas, against another ship or aircraft, or against persons or property on board such ship or aircraft;
c. against a ship, aircraft, persons or property in a place outside the jurisdiction of any State; (United Nations, 2009, sec. 101)

Such a definition limits piracy to those actions carried out on the high seas. As strategy expert Peter Jennings points out, if an attack on a vessel takes place in the territorial waters of a country, then it is a ‘crime at sea’ and not ‘piracy’. Such discrepancy means an appropriate, internationally accessible lexicon of language to facilitate collective reporting and responses is lacking. The mis-defined nature of piracy means that a dark figure exists in its official incident recordings of actions that at least in spirit are acts of piracy. For example, crime is committed in waters beyond UNCLOS defined boundaries of the high seas (Figure 2), yet the type of actions such as stealing and hijacking on vessels remain the actions of pirates in the organised criminal context.



Jurisdictions

Law enforcement practitioners and some scholarly authors are of the view that the definitional gap created by the preclusion of territorial waters from the international legal framework embodying piracy leaves the strategies to record and counter it flawed (Nyman, 2011, p. 863) and impedes prosecution (Chang, 2010, p. 273; Harrelson, 2010, p. 312). Consequently, it has become common practice to release pirate suspects to avoid jurisdictional issues and perceived complications of prosecution (Galletti, 2012, p. 155; Ploch, Blanchard, O’Rourke, & Mason, 2011, p. 22). Although sovereign states have a sanctioned universal jurisdiction under UNCLOS to repress, investigate and prosecute piracy events (United Nations, 2009, sec. 105), the number of recorded attacks remains incommensurate to recorded prosecutions by a factor of more than 50% (Petretto, 2008, p. 4).

Legal, procedural and financial factors are likewise seen to contribute to a dark figure of international piracy, including the lack of holistic inter-disciplinary cooperation between military, shipping companies, law enforcement and the public sector (Gottlieb, 2013, p. 320). Other contributory factors are the fear of reporting due to diminished confidence in compensation, consequent increased insurance premiums, damage to harbour and trade route reputation, disruption of shipping schedules and a lack of reporting by smaller craft to the IMB (Petretto, 2008, p. 4; Wu & Zou, 2010, p. 27).

Drivers

The drivers to piracy include those drivers to many other security risk concerns. For the Sub-Saharan African countries, drivers relate to “state fragility, economic deprivation, population and geographic opportunity” (Prins, 2014, p. 3). The link between weak and failing or failed states and piratical activity is strong and widely supported (Daxecker & Prins, 2012, p. 960; Oil Companies International Marine Forum, 2011; Whitman, 2013, p. 217), with proposals of long-term strategies to rebuild failed states in order to defeat this transnational threat (Zaluar & Zeckhauser, 2002, p. 26).

Impacts

More than theft and murder on the high seas, Stavridis and LeBron (2010) highlight the financial impact of piracy, claiming it to be a “systemic destabiliser of international norms of commerce, economics and trade” (p. 73). Amortising the cost of piracy led to estimated trade losses of around 24.5 billion dollars based on bilateral trade flow between European and Asian countries between 1999 and 2008, reflected in 11% reduction in trade for every 10 vessels hijacked by pirates (Bensassi & Martínez-Zarzoso, 2012, p. 869). Furthermore, it must be acknowledged that whilst a deficit of information prevents a comprehensive picture of the ‘human cost’ of piracy, there is also a profound impact on seafarers and their families associated with piracy events (Hurlburt & Seyle, 2013, p. 1).

Counter-Measures

Rebuilding states as a countermeasure to piracy is a long term project. Other collective measures that have been effective include the international naval task force, where resolutions by the United Nations (UN) Security Council, including the U.S.-led Resolution 1851, authorising the use of military style force against pirates from member states in the Gulf of Aden, have been relatively successful in reducing incidences of ship takeover on the high seas (Alessi & Hanson, 2012, p. 4). Furthermore, pursuant to this resolution, the Contact Group on Piracy off the Coast of Somalia (CGPCS) was established and tasked to address judicial issues, strengthen capability and awareness for shipping and assist with public information and financial flows (Bateman & Rajaratnam, 2012, p. 21). Consequently, these collective arrangements show that governments can work at a transnational level to successfully counter the piracy threat and that arguably, it is the international collective which makes these strategies affordable and effective. Therefore, it is logical to consider expanding the definitional limitations of piracy to facilitate multinational or transnational reporting and responses against piracy to assist in eradicating this threat more broadly.

Figure 1. International Maritime Bureau (IMB) Piracy & Armed Robbery Map, showing locations of piracy and armed robbery incidents reported to IMB Piracy Reporting Centre during 2016 (International Chamber of Commerce, 2016).

Figure 2. Baselines and Maritime Zones


Mitigations and Outcomes

Focussing upon the immense effort the shipping industry has undertaken to protect itself highlights the creation of Best Management Practices (BMP) in 2011. This guideline for maritime crews provides for preparation and response against pirate attacks during transits through identified high-risk areas. The outlined strategies in the guidelines are argued to be contributing to a decline in piracy attacks on the high seas in the Indian Ocean and the restoration of former minimum distance shipping route patterns (Oil Companies International Marine Forum, 2011, p. 10). Such claims are substantiated by IMB statistics (see Fig 3) that depict a sharp declining trend from 2012 in piracy attacks in the region of Somalia and the Gulf of Aden.

Opposing trend

In contrast to the success of Somalia and the Gulf of Aden strategies is the Strait of Malacca, connecting the Pacific and Indian Oceans in S.E. Asia. Half the world’s oil and trading goods are said to pass through the Strait. It is here that a steady rise in pirate attacks from 2009 (see Fig 4) has led Winn (2015, p. 1) to claim it the most preyed-upon waters on the planet. Contrastingly, these crimes are carried out near land bases and coastlines in small boats (Galletti, 2012, p. 56), and without broadening the definition of piracy to encompass actions undertaken within these exclusive, economic contiguous zones, they remain crimes at sea where internationally partnered support to counter this threat is implausible, and the ‘dark figure’ of piracy continues to rise.

Furthermore, the recent posturing of China as a global power and influence in the South China Sea, and subsequent disputes from overlapping claims of sovereignty (Mearsheimer, 2010, p. 381), have highlighted the complex and arguably obsolete nature of former customary laws regarding maritime delimitation (Mirasola, 2016, p. 29). Central to the development of new legal principles such as treaty law and case precedent are international bodies such as UNCLOS and the International Court of Justice (ICJ) (Davis, 2015, p. 120), yet in an environment of obstruction and disunity, this needed international collaboration remains unlikely. All the while, a dark figure in maritime piracy incident recording will continue to conceal the magnitude of the problem and in turn, the potential interventions needed to engage it effectively.

Figure 3. Number of recorded pirate attacks by year and region – Somalia and Gulf of Aden (International Chamber of Commerce, 2016).

Figure 4. Number of recorded pirate attacks by year and region – Indonesia, Singapore and Malaysia (International Chamber of Commerce, 2016).



The great submarine leak

T By Sarosh Bana APSM Correspondent

he wide-ranging data leak on India’s French-origin Scorpene submarines hosted on its website recently by the daily broadsheet, The Australian, on two consecutive days clearly undermines New Delhi’s sensitive submarine construction programme. The 22,400 leaked pages detailed the combat capabilities of the 1,565-tonne 61.7-metre Scorpene 2000 SSKs (dieselelectric hunter/killer submarines). Six of these submarines are being built under the Indian Navy’s Project-75 (P-75) under a Transfer of Technology (ToT) agreement between DCNS, the European leader in naval defence, and the Mumbai-based state-owned shipyard, Mazagon Dock Limited (MDL). The first of this series, construction on which began at the MDL yards in December 2006, is being launched in September, its commissioning scheduled a year thereafter, with subsequent boats delivered at intervals of nine months. The programme is running four years behind schedule, its original contract cost of US$2.63 billion in 2010 having spiralled to US$3.8 billion. The cost includes a US$1 billion Technical Data Package for MDL to gain competence in submarine construction, especially in the field of hull fabrication, outfitting, and system integration. While the question is whether India’s security is under threat as a result of the data leak, another question concerns

66 | Malaysia & Singapore Security Magazine

the motive of the morninger, owned by Rupert Murdoch’s News Corp Australia and published out of New South Wales, in exposing a friendly nation’s defence agenda. The paper has been described as one that acts more like a propaganda sheet for the rightwing of Australia’s Liberal party than a broadbased sounding board for big ideas and public policy. Canberra in April awarded the same French defence contractor, DCNS, an A$50 billion (US$38 billion) contract to design and build 12 next generation submarines. It is speculated that the expose could have been the consequence of corporate espionage, as competition is fierce in the global military sweepstakes. Variants of the DCNS Scorpene operate with the Malaysian and Chilean navies and will soon also be deployed by Brazil from 2018. The uploaded sets of documents contained the entire design plans, specifications and stealth capabilities of the Scorpene, as also detailed operating instructions for its underwater warfare system and revealed too was the range of technical specifications of the sonars and at what degrees and frequencies they would function. Almost the entire Operating Instruction Manual has been detailed, with explanations on target selection for weapon configuration and firing, among a host of critical minutiae. Of the leaked information, 6,841 pages elaborated on


Maritime

the submarine’s communications system, 4,457 pages on its underwater sensors, 4,209 on its above water sensors, 4,301 on its combat management system, and 493 on its torpedo system. Bared also were the diving depth ranges, magnetic, electromagnetic and infrared data, frequencies at which the submarine gathers intelligence, requisite speeds and conditions for use of the periscope, noise specifications of the propellers, radiated noise levels that occur when submarines surface, levels of noise at various speeds, and the locations where the crew can speak to avoid sonar detection. The Australian reported it had been informed that the secret data were stealthily drawn from DCNS by a former sub-contractor in 2011 and taken to a private company in Southeast Asia before being passed on to a branch of that company in a second Southeast Asian nation. A compact disk containing the data was then posted in regular mail to a company in Australia. Evidently taken aback, Indian authorities downplayed the incident, affirming it did not compromise national security, as such information was available on “many naval defence websites”, and The Australian blacked out vital factors, and besides numerous parameters have been modified since 2011 in the submarines under construction. While it is not unusual for parameters to be altered at the behest of the customers, at

times within a series production, with follow on vessels being finer tuned and more streamlined, a comprehensive disclosure as by The Australian’s undoubtedly conveys confidential information and cannot be belittled. Such sensitive data would not only be unobtainable in the public domain, they would not be publicised by any credible websites guided by professional ethics. Much similar information very likely vests with various media agencies worldwide, but they would be circumspect in revealing it. There is also the question as to what Canberra’s reaction would have been if an Indian paper had carried detailed descriptions of Australia’s own submarine programme or its two 27,800 tonne Canberra-class Landing Helicopter Docks (LHDs), also known as amphibious assault ships. The two LHDs, HMAS Canberra and HMAS Adelaide, were commissioned in November 2014 and December 2015 and were constructed for the Australian Defence Force (ADF) at a cost of $2.9 billion. To be jointly crewed by personnel from the three services, they will provide one of the most capable and sophisticated air-land-sea amphibious deployment systems in the world, each being able to land a force of over 2,000 personnel by helicopter and water craft, along with all their weapons, ammunition, vehicles and stores. Design and construction


were by Spain’s Navantia, while BAE Systems Australia, a subsidiary of BAE Systems plc and the largest defence contractor in Australia, was the prime contractor. Navantia’s Ferrol-Fene shipyard in north-west Spain constructed the hulls to the level of the flight decks, including the majority of fitting out, and the island structures were installed at BAES’s Williamstown shipyard in Victoria.

Though he said that the leakage was “of concern”, Australian Prime Minister Malcolm Turnbull specified that the Indian Scorpene was a model different from the one Australia was buying. “The submarine we are building or will be building with the French is called the Barracuda, quite completely different submarine to the Scorpene they are building for India,” he told Channel Seven. “We have the highest security protections on all of our defence information, whether it is in partnership with other countries or entirely within Australia.” According to DCNS, the 97-metre 4,000-tonne Shortfin Barracuda Block 1A, designed specifically for the Royal Australian Navy, is “the world’s most advanced conventionally-powered submarine”, with state-of-the-art signature reduction technology, pumpjet propulsion replacing ‘obsolete’ propeller technology, retractable hydroplanes minimising drag and noise, and outfitted with the most powerful sonar ever produced for a conventional submarine. Quick access tech insert hatches moreover allow upgrades to be carried out easily.

As with issues of this nature, India’s Defence Minister Manohar Parrikar asked the Chief of Naval Staff (CNS), Admiral Sunil Lanba, to have the extent of the leak examined. Maintaining that any information lapse is viewed very seriously by the Indian Navy, the CNS pointed out that DCNS had been asked to launch an urgent investigation into this.
“Detailed assessment of the potential impact is being undertaken at Integrated Headquarters, Ministry of Defence (Navy), an analysis is being carried out by concerned specialists, and an internal audit of procedures is also being undertaken to mitigate any probable security compromise,” he indicated. India has also taken up this matter with the Director General of Armament of the French government, with the request to investigate with urgency and share its findings with India. “It is not a leak, it is theft,” a naval official affirmed. “We


have not found any DCNS negligence, but we have identified some dishonesty by an individual.” The matter is also being pursued with other concerned foreign governments through diplomatic channels to verify the authenticity of the reports. DCNS took the issue to the Supreme Court of the State of New South Wales that directed The Australian to withdraw the documents published on its website, to provide DCNS with all related documents in its possession and to desist from publishing any additional documents. “Confidentiality of information and communication is a matter of utmost importance and DCNS welcomes this decision of the court,” a DCNS statement mentioned. “In parallel to this action, DCNS filed a complaint against unknown persons for breach of trust, receiving the proceeds of an offence and aiding and abetting before the Paris Public Prosecutor.” The French contractor is understandably worried. Apart from having set up its subsidiary, DCNS India Pvt. Ltd, in Mumbai for the Scorpene construction, it is now establishing another fully-owned subsidiary to produce air independent propulsion (AIP) technology for its submarines. It has submitted its proposal for this to India’s Foreign Investment Promotion Board (FIPB). DCNS, after all, is seeking to bid for the lucrative $8.06 billion – possibly $12 billion - Project-75(I) contract for the construction of six new generation stealth diesel-electric submarines that is eliciting wide interest among shipyards both at home and abroad. Defence-oriented enterprises, which have invested heavily in creating and expanding their warship building facilities and competencies, are preening themselves for the competitive bidding for the tender that requires the submarines to be built in India at an identified shipyard, within the public and private sectors assessed to have the potential to build modern conventional submarines. 
It remains to be seen whether DCNS will be countenanced for the tender by the Indian authorities following this disastrous leak. The Indian Navy has already scotched all previous speculation of construction of three more Scorpenes being contracted out to DCNS.




International Maritime

The stats man and the sea

Pirate hunter, undercover statistician or psychological medic? Karsten von Hoesslin's career is as hard to pin down as the oceans he covers as a 'maritime response consultant'.

By Adeline Teoh, ASM Correspondent

"I'm flying in an Antonov 27, 50 metres over the water, dropping $3.5 million to a bunch of guys in raggedy clothes. Really, the money is just a prop," says Karsten von Hoesslin on how to make a ransom payment to Somali pirates who've hijacked a ship and taken its crew hostage. Ask him what he does for a living and the answer is necessarily circumspect. On paper he may be a 'maritime response consultant', but delve a little deeper and more amazing details start to emerge.

Best known publicly as the host of National Geographic's series Lawless Oceans, von Hoesslin began his oceanic voyage many years prior with an interest in the South China Sea disputes for his Masters. "Having examined the United Nations Convention on the Law of the Sea, I asked myself 'how can something be so simply laid out and yet so complex to implement?'" The grants and funding he secured for that research also allowed him to peek at piracy issues where there were plenty of open source statistics but suspicions of under-reporting.

"I then started my PhD research looking at various human intelligence methodologies for infiltrating organised crime groups," says von Hoesslin. "I started testing that in South East Asia in pirate networks, seeing how far I could infiltrate. The results were unprecedented, especially in comparison to what was reported in open sources." In addition to working with law enforcement agencies in South East Asia, he worked jointly with authorities on West Africa, Somali and Horn of Africa pirate issues. That exposed him to specialist training in areas such as hostage negotiation and behavioural profiling. It was at


this point he decided to pivot from intelligence work into more operational roles, "doing delivery drops, negotiations, support work and then actually commanding operations myself", including that of delivering one of the highest value ransoms in Somali piracy history. But the rewards are less about the money and more about the people, von Hoesslin says. Having trained in paramedicine, tactical, flight and remote medicine as well as major incident medical management prepared him to work with the hostages of hijacked ships. "The people who were hostages were simply not in good enough condition to provide actionable intelligence. A lot of them are at various stages of PTSD and they haven't actually been given any psychological first aid," von Hoesslin explains. "There was a tremendous difference in the four days we would have with them, they were much better off. That was the most rewarding thing."

Hunting phantom ships

Filling in the gaps of some questionable statistics led von Hoesslin to his current role. There was a 'boom' in South East Asian piracy in 2014-15, he explains. "There were a lot of vessels that would disappear or were hijacked and sometimes they were off the books, it wasn't reported. I was able to find some of these vessels in Indonesia and various places where they were being held—some of them were insurance scams." It was at this point he crossed paths with National Geographic, who were filming an episode of Underworld, Inc on South East Asian pirates. National Geographic followed



von Hoesslin as he worked to locate phantom tankers, then approached him to develop a series called Lawless Oceans, which "examines the various crimes at sea ranging from drug smuggling to piracy to migrant smuggling and illegal fishing," he describes. Being on an international TV channel has its drawbacks as a maritime investigator, von Hoesslin admits, and it's doubly hard when he can be the only white man in a village in Asia or Africa. "I prefer to keep a low profile. Let's say there's an episode of Underworld, Inc on pirates, then that probably means that I have to be a bit more careful when I'm in the field afterwards," he notes. Fortunately he does have other occupations that seem to satisfy most people he meets: doing medical work, such as volunteering in hospitals, and practising heritage photography. For everything else there's human interaction. "I've been places where I've got my camera and I'm just taking pictures—not even intel pictures—and people go, 'you're CIA'. I just look at them and I say: 'You're right, I'm here for you.' They freeze and don't know what to say. I will break that moment with a laugh and they usually realise how silly their accusation sounds. You de-escalate their suspicion and then you can talk to them." Von Hoesslin is potentially open to a second series of Lawless Oceans. In any case, he's about to obtain a commercial licence to fly his drone—a handy piece of kit to record maritime crime unobtrusively, and for surveying—and he has advanced care paramedics training to complete. He says his next role is likely to be in crisis response on the medical side, "helping companies as well as NGOs better prepare for incidents, and more importantly, preventing them

from getting involved in bad situations". In the meantime, past success is reasonably easy to define. "On the law enforcement side, nothing gives me more joy than to see an active interest in a case, an arrest and then, most importantly, a conviction. On the human side it's to see people recover from bad things or even to see pirates not wanting to be pirates anymore. There are cases of people I've worked with in the past, assets, who then cleaned up and got regular jobs." As for von Hoesslin, his job is anything but regular with international travel always on the cards and a lot on his mind at all times. "If I take holidays I'm always calculating and figuring out how to do projects—'I will not stop until this current case is properly investigated'." And despite the frequency of guns, money and espionage in his career, he says he's not addicted to the thrill of it as some might be. "I get more of a thrill out of backcountry skiing."

US$1.32 billion was the estimated cost of maritime piracy in the Western Indian Ocean during 2015, down from $7 billion in 2010. Source: oceansbeyondpiracy.org



Maritime

Shipping companies are under attack!

In the new era of cybersecurity and cyberwarfare, many shipping companies fare poorly when it comes to taking on cyber warriors. Laxity is no excuse. It causes huge financial losses and shipping companies do not know what they are up against. Jaya Prakash files this story from Singapore.

By Jaya Prakash, Singapore Correspondent

A new threat is confronting the globe's shipping industry and it is not piracy anymore. Just when everybody thought that piracy was gone for good, what the world's leading shipowners least anticipated was the danger that could arise from the very information technology (IT) systems that had kept them connected to their customers and agents. Ignorance is no longer bliss. Shipping companies, port operators, ship managers and shipping agencies had better know what the digital age of computer networks, iPhones, iPads and smartphones has wrought and the havoc it can wreak. Devices purportedly invented to make life better for all of humankind are perhaps an 'enemy' far more sinister than anything the shipping fraternity has been used to. Not even the Somali pirates who once terrorised commercial shipping have come close to what the double-edged sword of the Internet now threatens and presents. "Digital technology has unleashed some bewildering crime", exclaimed Vincent J Loy, a partner in Financial Crime & Cyber & Data Analytics Leader, in PwC Singapore, to MySecurity.com.


With the globe more interconnected than ever before, what used to be somebody else's problem no longer is. Now it is everybody's concern, because what the Internet has done is to connect us all to criminals, terrorists and stalkers in the far-flung regions of the globe, and the security we once took for granted in our own homes and backyards will now have to be traded for the uncertainty the age of the Internet brings. As more and more devices and a rising number of companies get online, they become ripe and tempting targets for attacks and coercion, and maritime companies had better know they have weaknesses hackers can easily exploit with impunity. To be sure, hackers have without doubt been rife. Just ask Google of its experiences in China and the answers will come thick and fast. Not only did hackers once compromise the safety of a floating rig by tilting it off the coast of West Africa, but what happened in the Belgian port of Antwerp, widely reported in newspapers, with hackers filching containers, takes the whole scheme of hacking and phishing to an entirely new level and a new plane.



And if that was not enough, hackers have also helped Somali pirates choose their targets. They did this by compelling ships to resort to faking their navigational data, thus throwing the crucial spotting mechanisms of the sophisticated AIS tracking device, designed to locate ships on the open oceans, completely off the rails. If such a measure is taken to extreme lengths, hacker activity could plausibly even allow for the free and unhindered transport of contraband cargo like nuclear material, a prospect the likes of Iran and rogue nations like North Korea would relish, because for once there is a new-found way to circumvent sanctions.

It Is An Interconnected World

"Cyber is connected to the world and we are highly dependent on the Internet", exclaimed a panelist on Singapore's Channel News Asia (CNA) during a prime time talk show televised on 14th September. That dependence, it now appears, has come as a double-edged sword. Cyber criminals, CNA heard on the day of its television talk show, rake in some US$150 billion annually, which helps explain why cyber crime continues unabated with few or no known ways to tackle it resolutely. Encryption may be an option, but just how viable an option it is has never been properly established. Globally, Reuters wire service estimates cyber attacks against oil and gas infrastructure will cost energy companies up to $1.9 billion by 2018. What is worse, the British government has tabulated that cyber attacks have already cost UK oil and gas companies some 400 million pounds (US$672 million) annually.

Still, if there is something deeply worrying about it all, it is the size of the vessels shipowners have assigned themselves, which, far from being a commercial imperative, is fraught with security implications.
With a growing tendency to build larger than usual vessels to save on fuel consumption and operating costs, the global shipping industry is creating a new set of problems whilst resolving another. With smaller crews and a heavier than usual reliance on software for navigation and operational needs, the risk, and indeed the unmitigated risk, escalates to the degree that a vessel's software is left unsecured and relied upon heavily by its crew. As matters stand, with technology running every mite of a ship's operation, from the loading of cargo to plotting its navigation across oceans, nothing perhaps is left to chance. Compounding an already tenuous situation is the tendency shipowners exhibit in not wanting to report security lapses, whether for fear of adverse publicity or of raising alarm amongst their stakeholders.

What is worse than imagined is that software weaknesses in the maritime universe could be used to cause ships to malfunction or even run aground, according to research from the global information assurance firm NCC Group. They have revealed security vulnerabilities in ECDIS (Electronic Chart Display and Information Systems), an information technology product used by the shipping industry. These systems are usually installed on ships and used by navigation officers. And the real danger is that the computer systems increasingly used for navigation, container inspection, rapid unloading, distribution of goods and handling goods at ports can easily be exposed to cyber threats if no proper security controls are implemented.

No solution for now...

There are just two kinds of scenarios confronting those living under the cyber sword of Damocles: one is the nagging perception of threat estimates and the other is how to stave off that threat and remain as safe as one can. Because security and attack scenarios against technologies and protocols have been ignored for too long in the maritime industry, the problem has persisted just as long. Windward, an Israeli firm that analyses AIS data, found a rising number of ships 'afflicted' either for security, financial reasons, smuggling or plain pirate attacks. A particular U.N. report was especially scathing. It alleged that efforts by North Korea to procure nuclear weapons were committed under the aegis of compromised AIS data, and that one ship carrying concealed cargo, investigators found, turned off its AIS signals to disguise and conceal its trip to Cuba.

If ever there is something to be done, and done urgently, it ought to begin with a revolutionary change in mindset and training priorities in all shipowning companies, not just in the big ones. More investment has to be assigned to blocking hackers by denying them access, however ubiquitous they may be. The measures can range from continuous cyber security assessments that evaluate incident response capabilities and detect whether an active breach is in progress, to keeping the company security conscious. Perhaps an ideal recommendation is to borrow a leaf from the hacker himself and be deceptive rather than predictable. The mere fact that most organisations look to automation to assist in their cyber security defences gives hackers valuable leads on when they can raid the networks of a company. Having scans at the same time every week, patches once per month and assessments once per quarter or per year is just what a hacker needs to raid a company. The idea, therefore, is to keep changing the routine of such housekeeping measures and keep a hacker guessing, thereby forcing him somewhat to give up his vile life.

Jaya Prakash can be reached at prakruby@hotmail.com



Cover Feature Terrorism

Children of war: The rise of a nation of young Jihadists

By Anooshe Mushtaq

Anooshe Mushtaq is Chair and founder of The Raqīb Taskforce. She is a Canberra-based advisor on Counter Terrorism & Countering Violent Extremism.

Thousands of Syrian children affected by trauma, unwanted by the international community, and courted by Islamic extremists may be cornered into jihadism. According to the NGO Save the Children at least a quarter of a million Syrian children are living ‘under brutal siege’. Their homes ‘have effectively been turned into open-air prisons’ where they endure ‘enormous suffering and injustice’. What’s in store for these children who’ll grow to shape the Syria of the future? Right now, evidence suggests that they’re on a path to long-term psychological issues – and radicalisation.

To date, the civil war has claimed at least 200,000 lives and displaced approximately 8 million inside Syria. Close to 650,000 people are living in areas under regime besiegement, completely cut off from humanitarian access. 12 million Syrians inside of the country are in need of humanitarian assistance (Abboud, S, 2016). The numbers are staggering. The conflict has created 4 million refugees and yet, as the violence and desperation worsens, many among the international community tighten their borders and reject the desperate appeals for refugee status, out of fear of exposing their states to Islamic extremism. Jordan accepted Syrian refugees, but after a suicide car


attack that killed Jordanian soldiers in June 2016, the country restricted all access to refugees – even to the UN and other aid agencies that would deliver food, water and medical care. Save the Children’s recent report details how Syrian children are faring in the conflict. They’re becoming more aggressive, withdrawn, depressed, and isolated and are losing hope for their future. Malnourished, they’ve resorted to eating animal feed and leaves, which has led to an increase in juvenile petty crimes. Military groups have recruited children with the promise of receiving one meal a day. Traditional social structures have disappeared with the physical breakdown of family units. There’s an increase in child marriage in an effort to reduce the burden on families of feeding and housing all their children. Devastating reports describe parents being killed in search of food and medicine, leaving orphans as young as two years old, crying and distraught, wandering the dangerous streets lined with snipers. According to UNICEF, the children of Syria will represent a ‘lost generation’, since they’ve had little to no education for at least five years. Schools have become the targets of shelling and many education workers have fled or been killed. This has effectively collapsed the education system in most parts of Syria and forced approximately 40%


of children out of school. We may hope that it can’t get any worse, but in reality, it will.

Children are the most vulnerable to the aftershock of war. They’re more likely to show long-term effects than adults when exposed to unrelenting, sustained violence. They can be susceptible to relapse if exposed to subsequent stress later in life. In studies of states that have been exposed to war, it’s clear that, later in life, survivors are likely to have PTSD and a propensity to violence. Their mental health issues include: psychosomatic symptoms; disturbed play; behavioural and emotional issues; sleep problems and nightmares; and anxiety. In many cases, children have been used as suicide bombers or brainwashed into becoming child soldiers – all forms of abuse that shape their futures.

Since the end of the civil war in 1992, El Salvador has faced a growing problem of youth street gangs. It’s argued that the country’s current high level of violence and crime is mainly caused by civil war-related poverty, social exclusion, access to illicit guns, organised crime, weak institutions, and corruption. A 2002 study of internally displaced children from the war in Bosnia showed that 94% had features of PTSD. Further to this, over 90% of the children interviewed

expressed the fear of dying in the conflict, and over 80% felt that they could not cope with daily demands and that life was not worth living. There’s evidence that the Taliban and Northern Alliance soldiers are products of traumatic and violent childhoods – children of war. Their narrow and radical views of the world have been formed by a mix of ignorance, isolation and extreme exposure to violence. Today, Syrian children suffer this same mix, which makes them susceptible to the recruitment efforts of Islamic extremists. A sense of belonging to the international community could prevent radicalisation, but surely Syrian children won’t forget the international community’s response to their plight: rejection. It’s likely that they’ll seek revenge rather than acceptance in the future. We can still help these children to heal and to build resilience against the manipulation of Islamic extremists. At the very least, we must provide clear opportunities and compassion to those fleeing the Syrian conflict. If we don’t work to end inhumane religious and political wars, we’ll experience the uncontrollable rise of terrorism. When we ask what’s in store for the children of Syria, we’re asking what’s in store for all of us in the years to come.



Terrorism

By Ron Bartsch

If 900g of weapons-grade anthrax were dropped from a drone at a height of 100m just upwind of a large city of 1.5 million people, all inhabitants would become infected. Even with the most aggressive medical measures that can realistically be taken during an epidemic, a study estimates that approximately 123,000 people would die—40 times more fatalities than from the 2001 World Trade Centre attack.

Chilling Scenarios

The chilling scenario above was one that was put forward more than a decade ago by Eugene Miasnikov in his report “Threat of Terrorism Using Unmanned Aerial Vehicles” (2005). If drones in the hands of terrorists back in 2005 caused a plausible threat, imagine the threat that exists today. As science and technological innovation continue to rampage we often lose sight of how much the world has changed—and in this instance, the extent to which terrorists


will go to in order to achieve their objectives. With this in mind, consider the following modern-day scenario. A terrorist organisation parks a small removals van in a crowded street of a major city under the flight path of a nearby international airport. The van’s canopy has an open top but the sides are high and its payload of half a dozen high-performance quadcopter drones is obscured from the view of passers-by. To each drone is attached an explosive device—not dissimilar to those worn by suicide terrorists. The day and time chosen have been well planned to coincide with the runway being used for take-off. The targeted aircraft—an Airbus A380—is departing with a full payload of passengers and fuel, possibly in excess of 500 passengers and over 250 tonnes of fuel. The aircraft lifts off and the drones are launched remotely and rapidly ascend. With the aid of the high-resolution cameras on-board, the controllers are able to direct the drones into the path of the A380’s four enormous engines. The situation described above is not inconceivable.



Hoping that such a deplorable act upon humanity would never eventuate is no deterrent to the minds of terrorists seeking to inflict maximum carnage and media attention. What is the scope of the drone terrorist threat? Outside areas of civil unrest and war zones, there are increasing instances of home-grown drone terrorism. In 2012 the USA came under threat when a graduate student from Massachusetts plotted to strap plastic explosives to small drones and fly them into the Pentagon, the White House and the US Capitol building. In Japan it has been reported that a drone carrying a bottle of radioactive sand from Fukushima landed at the office of the Japanese Prime Minister in April 2015. In the UK the Metropolitan Police has recorded over 30 suspicious drone flying incidents around London between 2015 and 2016. Unidentified drones have also been flown over various landmarks in France, including the US Embassy

and the Eiffel Tower. In 2016 at the Euro Cup qualifying match between Albania and Serbia the game was abandoned after a drone carrying a pro-Albanian banner was seen flying over the pitch. The incident caused brawls to break out between players, team officials and fans.

An alarming report, “The Hostile Use of Drones” (Abbott et al., 2016), was released in the UK in 2016 and warns that terrorists wanting to cause chaos, such as attacking nuclear power stations, have the potential to convert drones that are currently commercially available into flying armed missiles. The report suggests that the technology of remote control warfare is impossible to control. A UK government counterterrorism adviser, Detective Chief Inspector Colin Smith, has warned that terrorists could use commercially available drones to attack passenger planes. The security expert warned that small quadcopter drones could easily be used by terrorists for attacks and propaganda purposes. Terrorists could fly drones into an engine or load them


with explosives to try to bring down a commercial airliner. Smith poses the question: “Are drone mitigation strategies going to be like the concrete bollards in front of airport terminals—something we can expect once the horse has bolted?” Recently in the US, the Department of Homeland Security issued a terror alert warning that drones could be used by terrorists to attack commercial aircraft after three drones were spotted in a single weekend in late 2015 flying above JFK International Airport. The sighting of the first drone was reported by the crew of a JetBlue flight arriving from Haiti. Just 2.5 hours later a Delta pilot, arriving at JFK from Orlando, reported a drone at approximately 1,400 ft. and only 100 ft. below the aircraft. The third report was from a Shuttle America flight arriving from Richmond, Virginia. And all this in the space of just two days. Combating the threat Aviation is generally regarded as the most strictly and extensively regulated industry. It is therefore logical to conclude that the solution for controlling this new form of aircraft will be found in passing relevant laws and regulations. However, attempting to legislate against random acts of stupidity is difficult, particularly in the fast-moving world of technology. Also, “don’t be an idiot” lacks legal clarity. Jonathan Rupprecht, a Florida-based lawyer specializing in unmanned aircraft, divides stupid drone owners into two groups, the “how high can it fly” group and the “I will fly it wherever I want” group. Obviously the latter grouping may also include acts of terrorism. It is the freedom and agility by which aeronautical activities can readily transcend previously restrictive


geographic and political boundaries that truly differentiates flying from all other modes of transport. To harness this freedom for the betterment of all, aviation regulation provides the requisite authority, responsibility and sanctions. The regulation of aerial activities is as fundamental and rudimentary to the aviation industry as civil order is to modern society. In no other field of human endeavour or branch of law does there exist such a vital yet symbiotic relationship. International harmonization of aviation standards has been achieved through treaties. The Chicago Convention of 1944 is by far the most prolifically ratified international treaty. More than 190 sovereign states have ratified this convention and in so doing have agreed, under international air law, to be bound by the technical and operational standards developed by ICAO.

Compulsory registration of drones

As drones become more common, many governments are considering a number of options to restrict their use. Registration of drones, as with cars, airplanes or even guns, is now being introduced all over the world with the FAA leading the way, and over 500,000 drones were registered in the first few months of October 2015. It has also been suggested that drone controllers should be subjected, at a minimum, to the same background check standards as persons granted unescorted access to security restricted areas of airports as is required under ICAO Annex 17. The UK and Australia are also building similar registration systems to follow suit. It’s far from clear how registration would mitigate an act of terrorism, as it is more of a system for tracking law-abiding citizens’ drones. David Dunn (2016), Professor of International Politics at Birmingham University, believes that any licensing system is unlikely to deter terrorists:

Law abiding citizens are likely to register, but it would be very difficult to stop terrorists and other criminals from purchasing drones abroad and then using them here. Up until now it was expensive and required skill to be able to fly an aircraft—which acted as a form of regulation in itself. Now, you can fly these things relatively easily over people’s heads.



In the UK the House of Lords has called upon the EU to introduce a compulsory registration system for the devices, but the plans have stalled. Drone owners currently don’t have to register their devices in the UK, but operators need permission from the British CAA to fly them for commercial purposes or over long distances. Currently in the UK, anyone can own and operate a drone for non-commercial purposes that weighs less than 20kg (3st 2lb).

Mitigating the drone terrorist threat?

As we have seen above, it is obvious that legislative restrictions alone on the use of drones would in most instances prove to be futile when it comes to acts of drone-related terrorism. There has been very little indication that governments are prepared to prohibit the importation or manufacture of drones, or even to limit the payload capacity of commercial drones that are sold. Further complicating this issue is the fact that, in many instances, drones are purchased online. Creating a greater awareness in the broader community of the extent to which drones may be used by terrorists (and other criminals), including publicizing the dangers—without hysterics—may be a good start. Also, manufacturers and distributors of drones and training establishments throughout the world should be more vigilant about the possible use of drones for terrorist activities. By way of parallel, many governments have passed legislation requiring retailers of chlorine (for swimming pools) and household fertilizers to report certain sales or suspicious transactions. International arrangements regulating the export of drone technology could be refined and strengthened with terrorist activities in mind, with special attention on drones equipped with technologies that can evade radar or have high-performance capabilities. While the rapid advancement of drone technological development has created the problem, it may also provide the solution.
By far the most effective method of protecting targets from drone attacks may be with the installation (or possibly mandating) of geo-fencing or g-gate technology software. Pre-programming geo-fencing areas would mean that drones would be automatically shut down if they tried to enter certain sites. NASA is also currently working on a tracking system but a working prototype is not expected until 2019. Drone manufacturers could be required to install the GPS coordinates of government-mandated no-fly zones and have drones automatically shut down if they approach such a space. DJI, the world’s largest commercial drone-maker, is one of the leaders in geo-fencing technology. With drone sales in excess of US$1 billion in 2015, it recently released its geo-fencing software to restrict drones from flying near aerodromes and other restricted areas on a worldwide basis. The drones will no longer be able to fly near wildfires, prisons, power plants, near professional sporting events or areas the US president is visiting. It is proposed that all DJI drones will have the software installed by default. In practice, this means that drones will not be able to enter into, take off or land in restricted areas. The software will automatically update with new information on restrictions, meaning drones will be able to respond to changing environments such as areas of natural disasters or one-off sporting events.

Other technological defences against the hostile use of drones are with the installation of security alert systems when drones appear in no-fly zones. One American company—DroneShield—has been awarded contracts to protect certain locations from possible terrorist attacks, including the Boston Marathon. It is likely that this technology will be increasingly utilized in security-sensitive sites and restricted areas. In the UK the Remote Control Project, run by the Oxford Research Group, has called on the British government to fund the development of military-style lasers to shoot drones down and the creation of jamming and early-warning systems to be used by police. But such devices would require amendment of UK laws over the use of such jammers. Laser technology to destroy drones has in many instances failed to live up to expectations, either struggling to stay fully powered for long periods or being disrupted by dust and fog. However, in the US, Boeing has unveiled its new laser-powered anti-drone technology. The Compact Laser Weapons System is a portable, tripod-mounted device armed with a high-powered laser that can destroy a quadcopter drone in a matter of seconds. The system is relatively inexpensive to operate and features an unlimited magazine, which means many drones can be destroyed. However, this system will not be available for a few more years.

About the Author - Ron Bartsch

Ron is CEO of Innovating Australia and currently a presiding member with the Commonwealth Administrative Appeals Tribunal (AAT), having held this position on a part-time basis since his appointment in 2013. Ron is also a Senior Visiting Fellow at the Australian National University and the University of New South Wales and lectures in Business Law and Technology and International Air Law.
Ron was admitted as a barrister in 1993 and then took up a senior management position with the Australian Civil Aviation Safety Authority and then later was appointed as Head of Safety and Regulatory Compliance for Qantas Airways Limited and held this position until 2009.




