Skip to main content
Best News Website or Mobile Service
WAN-IFRA Digital Media Awards Worldwide 2022
Best News Website or Mobile Service
Digital Media Awards Worldwide 2022
Hamburger Menu

Advertisement

Advertisement

Commentary

Commentary: DBS, Citi bank outage has implications on national security

That two banks went offline because of a technical failure in one data centre shows the vulnerability of critical infrastructure. It’s a warning of what could happen in an intentional attack on Singapore’s systems, says S Rajaratnam School of International Studies’ Benjamin Ang.

Commentary: DBS, Citi bank outage has implications on national security

An error message on a DBS ATM at Central Mall and screenshots of the DBS iBanking service page and PayLah! service during the Oct 14, 2023 banking outage that affected DBS and Citibank.

New: You can now listen to articles.

This audio is generated by an AI tool.

SINGAPORE: Oct 14 was an otherwise ordinary Saturday afternoon until many in Singapore found themselves unable to shop, buy food, pay for public transport, or carry out many of their usual weekend activities. DBS and Citibank customers discovered that they could not withdraw cash from automated teller machines (ATMs) nor transfer money via online or digital banking.

Although the outage struck the two banks, customers of other banks also themselves unable to transact because many businesses also rely on DBS and Citi payment terminals. Around 2.5 million payment and ATM transactions could not be completed. The banks were only able to fully restore services more than 12 hours later, the next day.   

DBS PayLah! and digibank services were disrupted for hours in March earlier this year, and similarly for two days in November 2021. Citi, OCBC and UOB also suffered disruptions between July 2021 and July 2022. However, the problems were solved by the end of the day, and news cycles and attention spans are short.

Even this incident will be forgotten - at least until the next time. But one fact from this latest outage that should worry us is that two banks went offline because of a technical failure in one data centre.

It shows the vulnerability of the modern technology supply chain, that critical infrastructure can fail due to simple human error by a service provider outside of the regulator’s oversight.

Some may recall power outages that caused disruptions for hours on three MRT lines in 2020. More than a hundred thousand homes and businesses all over Singapore suffered brief blackouts in 2018.  

Life quickly returned to normal but these are a warning of what could happen if we were ever hit by an intentional attack on our systems, or a combination of unintended accidents. 

THREAT OF INTENTIONAL ATTACKS

A cyberattack on our power supply that caused extended blackouts would bring businesses, schools, and daily life to a halt. Food supplies would be threatened by the failure of refrigeration units. A coordinated cyberattack that disrupted multiple banks systems for days, combined with hostile information campaigns to create panic, could cause a run on the banks - even a financial crisis.

Especially with hacking tools proliferating in the unstable geopolitical situation, these scenarios cannot be ruled out. As my colleague Michael Raska has written, Hamas’ surprise Oct 7 attack on Israel shows the risks of assuming that military-technological superiority will always protect us. 

One response is to call for more regulation, tighter requirements for systems and stricter penalties for failure. The Monetary Authority of Singapore (MAS) already requires banks to ensure that mission critical systems and services can recover quickly from system disruptions, with no more than four hours of unscheduled downtime within a 12-month period. Consequently, MAS has ordered a thorough investigation into the recent outage.

On Nov 1, MAS announced it had barred DBS from any acquisitions of new business ventures for six months and ordered it to pause non-essential IT changes which could cause further disruption. The regulator had already imposed additional capital requirements on Singapore’s largest bank because of previous disruptions.

Such actions help protect customers, but also illustrate that regulation alone can only do so much, because the disruptions keep on coming. Even the regulator acknowledges that disruptions could still occur while the bank’s systems are being made more resilient.

Another response is to call for more resilient systems. Experts have shared several ways that banks and other businesses can do so, and enterprises should pay attention.

MAS has directed DBS not to reduce its branch and ATM networks so that customers have alternative ways to get cash. Enterprises also need to explore if their backup systems also have backup systems, and if they are all interconnected in ways that make them vulnerable to a single point of failure. 

Technology resilience and cyber resilience (the ability to bounce back after a technology failure or cybersecurity incident respectively) are costly because they require measures like back-ups, buffers, redundant systems, and multi-sourcing.

In the case of critical infrastructure and essential services, these are necessary costs, because issues will still arise despite everyone’s best efforts. More positively, resilience enables business to continue, reduces losses, protects customers and trust, and can be a competitive advantage. 

On a more personal scale, the most vulnerable entities are small businesses and individuals that have no choice but to rely on larger systems for transactions, payment, or data storage, or who cannot afford to set up redundant systems.  

IMPORTANCE OF SOCIAL RESILIENCE

As many of us experienced on Oct 14, you could have diversified cashless payments across GrabPay and Google Pay but still be hit if you needed your DBS account to top up the wallets. You could have diversified your credit cards across UOB and OCBC, but if the petrol stations were using Citi payment systems, you still could not buy fuel.  

The entire NETS system of cashless payments, used by all major banks in Singapore, could fail, as it did on Nov 3 during the peak lunch hours.

Having some cash on hand can add to our resilience if contactless payment networks are down. (File photo: TODAY)

Though Singapore is blessed to be relatively safe from natural disasters, we can learn from the aftermath of the 2018 earthquake in Hokkaido, the 2019 typhoon in Chiba, or the 2023 cyclones in New Zealand.

Hundreds of thousands of households who had been reliant on cashless payments were unable to pay for essentials like food and water for days. An elderly Japanese shopkeeper told me that the old payphone outside her store became her village’s main form of contact, because mobile phone networks had been knocked out. 

That blessing can lead to complacency in society, even while we grow increasingly dependent on technology in many aspects of life. The experiences in Japan and New Zealand show that some basic steps, like having cash on hand, can add to our resilience

We can also make some basic preparations for when - not if - other services like power or telecommunications fail. The Singapore Civil Defence Force provides guidance for preparing an Emergency Ready Bag, that should include a torchlight and batteries, first aid kit, cash, water and dry foodstuff and N95 masks. 

Finally, we need to build our psychological and social resilience. Even though the failures so far have been relatively brief and low-impact, many small incidents in a short space of time could have a cumulative effect of eroding public trust. A hostile information campaign could try to exploit these technology failures or a cyber incident through rumours, fearmongering and blame.

Panic and bank runs can ruin an economy, while distrust and polarisation can tear down a country. Other countries have experienced violent protests arising from hostile information campaigns that cause fear, which in turn leads to anger and hate. As a society, we must resist letting others push our buttons and choose courage, calm, and compassion to build resilience and bounce back. 

Benjamin Ang is Head of the Centre of Excellence for National Security and Digital Impact Research, at the S Rajaratnam School of International Studies.

Recent DBS, Citi outage - should we really revert to carrying cash again? Listen to CNA's Heart of the Matter:

Source: CNA/ch

Advertisement

Also worth reading

Advertisement