As we approach the 53rd National Day on 9th of August 2018, Singaporeans have every reason to be happy and cheerful. The economy is doing well (enough), we all have a roof over our heads, we have food on the table, sunshine and fresh air.
Yet, something does not seem well in Camelot. In relative terms to other Camelots, we are doing very well. We could be doing even better.
A week ago on Friday 20th July, it was reported that at least 1.5 million medical records of people (I am told that it could be more and that the computer that was the infiltration point was used by a non-Singaporean staff – hey, conspiracy stories can be fun sometimes) held by SingHealth were exfiltrated by some alleged state actors. My mom’s data was in the breached cache.
I commented on this issue a few days ago, and one of the things not addressed in that post was the follow-up steps, specifically the convening of a Committee of Inquiry.
On Tuesday, 24 July, it was announced (mci-coi-singhealth in case the link is broken) that there will be a four-person COI that will be looking into this breach.
The four-man COI comprises former chief district judge and current member of the Public Service Commission Judge Richard Magnus, who will chair it; executive chairman of security solutions firm Quann World, Mr Lee Fook Sun; group chief operating officer of Sheares Healthcare (a healthcare technology outfit), Mr Ram T. K. Udairam; and assistant secretary-general of the National Trades Union Congress, Ms Cham Hui Fong. Here are their respective CVs – as posted on MCI.gov.sg (COI Pressrelease_Annex A if it is not available).
The Terms of Reference (in case it is not available COI Pressrelease_Annex B):
is to the point, fairly comprehensive and does give the COI about five months to complete the job.
All of this looks fine.
Let’s look at the members of the COI.
- Judge Magnus, given his extensive legal background, is very well suited for the role as the Chairman of the Committee.
- Mr Lee is the executive chairman of Quann Security. Quann was known as e-Cop and was renamed in 2016. Quann is a Temasek Holdings owned entity (Quann is owned by Certis Cisco, which is in turn owned by Temasek).
- Mr Udairam is the COO of Sheares Healthcare Management. Apparently the domain is sheareshealth.com and although it lists some services that are provided, the site is very static and offers no additional information. Sheares Healthcare is a Temasek owned entity.
- Ms Cham is with the NTUC and has been with them for over 25 years. She was also a former NMP.
What should a COI comprise? This is a COI that is going to look at what happened, how it happened, what the mitigating factors were, how it can be prevented and then make recommendations on a highly technical problem – I’d like to think it is so.
Points 2, 3, 4 and 5 would require a good understanding, i.e., technical chops, to come to grips with them and have a good outcome.
Assuming good intent, I think the members of the committee, save for the Chairman, fall very short on the technical credentials (all based on their CVs).
Is it really critical to have that technical skill? Yes. To do well in points 2 – 5, you must have tech creds. Was it impossible for the Ministry of Communications and Information to find someone with technical credentials to be on this committee? The Singapore Computer Society’s Information Security Chapter has plenty of people who can fill that role.
So, given the list of four persons, no one other than Mr Lee can claim any expertise in anything related to Internet security. I am giving the benefit of the doubt to Mr Lee because of his involvement with Quann. He could readily seek advice from his organization if needed.
I am sure the COI can, and will, co-opt people to help them. The COI will ultimately be responsible for the report they have to present by year’s end.
I guess I now have to address what I have delayed till now – so thanks for reading thus far.
There is an Elephant in the Room.
All members (other than the Chairman) are linked 100% with Temasek, which for all their protestations, is a sovereign wealth fund of Singapore and owned by the Minister of Finance. Granted that the NTUC is not under the wide Temasek banyan tree, but close enough around the periphery.
So, how is it that we have a situation where the COI is checking on an issue related to a government or quasi-government entity with the COI manned by G-related people? Is this the proverbial “ownself check ownself”?
Again, I am assuming positive intent. I still find that things are not quite right in my Camelot.