Singapore is studying the feasibility of implementing a National Authentication Infrastructure (NAI) which will enable the government and businesses to offer more secure e-services by leveraging a common, trusted identification and authentication framework.
The NAI was one of the many initiatives highlighted during the recent announcement of the Infocomm Security Masterplan. Developed under the guidance of the high level multi-agency National Infocomm Security Committee, the Infocomm Security Masterplan is a strategic roadmap that charts Singapore’s national efforts to develop capabilities to prevent cyber security incidents, protect its critical infrastructure from cyber threats and to respond swiftly to recover from actual attacks, said Deputy Prime Minister and Coordinating Minister for Security and Defence Dr Tony Tan. The government will invest about S$38 million (US$23.5 million) over three years — from 2005 to 2007 — to implement the plan.
According to the Infocomm Development Authority, the NAI initiative is aimed at developing reliable and robust means of authentication for users of online transactions.
Lim Khee Ming, chief information officer, NETS, said a national authentication infrastructure is certainly feasible. “The volume and complexity of online transactions is growing rapidly and the security threat to end users is increasing as spyware and the like becomes more prevalent, which means that there is more risk of third party interception and the fraudulent acquisition of online identities,” he said.
However, he pointed out that a major barrier to setting up a national authentication infrastructure is that it takes time, investment and significant co-operation among agencies.
Therefore, the best way to ensure its successful implementation is for the government and/or regulatory agencies to support its implementation, he said. “They can impose common technical standards to be used by all the parties. This aids universal acceptance, compatibility and, of course, heightened security.”
This is where the work of committees such as the Cards and Personal Identification Technical Committee (CPITC) comes into the picture. NAI will encompass many ideas and many technologies, including the Singapore Standard for ID (SS-ID), which is a standards work item being developed by CPITC under the Singapore IT Standards Committee. According to CPITC chairman Lin Yih, the purpose of SS-ID is to provide a standard for smart cards that are used for identification. “It opens up the opportunity for an application and reader to read ID cards issued by different issuers,” he said.
The SS-ID standard will eliminate the situation of having “many cards, many readers” and instead have one reader or application for multiple cards.
“Hence if you have a reader that can read an ID card issued by a school, it should be able to read a card issued by a company, or hospital and so on,” said Lin.
Aloysius Cheang, president of the Special Interest Group in Security and Information Integrity Singapore (SIG^2), pointed out that technologies such as biometrics and smart cards are now cheap enough for a nationwide initiative such as the NAI. “It will bring us up to speed with the regional trend of having smart IDs like in Malaysia and Australia,” said Cheang. “If these can be merged with initiatives such as SingPass such that we can do e-government transactions or even transactions with our bank accounts … with features such as security and non-repudiation factored in, it will propel us into the digital economy faster and promote ecommerce that has not been moving as fast as predicted because of identity theft and fraud problems,” he said.
However, Anthony Lim, chairman of the Security Chapter of the Singapore IT Federation, said he cannot imagine every citizen having to purchase a USB bar-code reader or USB fingerprint reader (or retina-scanner) or RSA-like pocket token, dongle or USB key to use online services. “Such ideas have been mooted for years now and physical authentication devices, apart from being cumbersome to carry around, prone to inadvertent loss or misplacement, a nightmare for technical support (including backup, upgrading, re-coding or replacement) are socially unpopular,” said Lim, who is also brand director — Security, Asia South, Computer Associates International.
In Lim’s view, a good starting point is a software-based three-factor authentication service — UserID, Password and some other challenge-handshake-protocol which can be variable from a base pool of, say, five personal, social questions. The third authentication factor rotates or randomly asks for one or the other each time a user logs in. “It’s a pain but is quite foolproof. Of course the other pain is to encrypt and store such information safely and reliably,” he said. But it is much safer than having “static” information such as date of birth or NRIC number as secondary or tertiary authentication factors, he pointed out.
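The rotating challenge-question step described above, together with the safe storage of answers that Lim mentions, as an added example that is not from the article or from any system it names. The question identifiers, the PBKDF2 parameters and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample pool; the article only says "a base pool of, say, five" questions.
QUESTION_POOL = [
    "first_school", "childhood_street", "first_employer",
    "favourite_teacher", "first_pet",
]

def _normalise(answer: str) -> bytes:
    # Case and spacing differences should not lock the user out.
    return " ".join(answer.lower().split()).encode("utf-8")

def _derive(answer: str, salt: bytes) -> bytes:
    # Slow, salted KDF: answers are stored as digests, never in clear.
    # The iteration count is an assumed value, not taken from the article.
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer), salt, 200_000)

def enrol(answers: dict) -> dict:
    """Return the record to store: one (salt, digest) pair per question."""
    if set(answers) != set(QUESTION_POOL):
        raise ValueError("an answer is required for every question in the pool")
    record = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)  # unique salt per stored answer
        record[qid] = (salt, _derive(answer, salt))
    return record

def pick_challenge(last_asked=None) -> str:
    """Choose this login's question at random, avoiding an immediate repeat."""
    candidates = [q for q in QUESTION_POOL if q != last_asked]
    return secrets.choice(candidates)  # CSPRNG, not random.choice

def verify(record: dict, qid: str, answer: str) -> bool:
    """Constant-time check of the answer to the question that was asked."""
    if qid not in record:
        return False
    salt, expected = record[qid]
    return hmac.compare_digest(_derive(answer, salt), expected)
```

The server, not the client, must choose the question and remember which one it asked, so that a caller cannot substitute a question whose answer it already knows.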
The Infocomm Security Masterplan identifies strategies to secure the infocomm environment of the people, private and public sectors. It also seeks to develop national capabilities; to enhance security technology research and development; and to ensure a reliable underlying national infrastructure. In addition to the National Authentication Infrastructure, other key initiatives include the following:
— A National Infocomm Security Awareness Programme will be implemented to educate home computer users on security best practices and the appropriate security tools to protect themselves from security threats and risks.
— An Infocomm Vulnerability Study for National Critical Infrastructure will be carried out to assess the state of cyber security health and ascertain the resiliency of the critical infrastructure.
— A Business Continuity Readiness Assessment F
— An Infocomm Security Health Scorecard will be developed to provide an overall picture for the public sector so that common issues can be identified and weaknesses can be removed.
— A Common Criteria Certification Scheme is being established so that Singapore will have the capability of certifying infocomm products against the Common Criteria, an international security standard.
— A National Cyber-threat Monitoring Centre is being set up to provide a central facility to maintain round-the-clock vigilance and analyse threat information.