Meet one of the men behind Singapore's 1st secure email system

In the 1990s, Professor Yu Chien Siang helped create Singapore’s first secure email system. For his contributions to improving cybersecurity in Singapore, he was awarded the Hall of Fame Award at the inaugural Cybersecurity Awards and Gala Dinner 2018. TechNews spoke to the cybersecurity pioneer to find out more about his career and and his thoughts on today’s fast-evolving cybersecurity landscape

When Professor Yu Chien Siang was in Germany for an internship in the 1970s, his eyes were opened to the promises and perils of computing and cybersecurity. At tech giant IBM’s German R&D lab, he witnessed how computer scientists were using mainframes the way personal computers would come to be used only a decade later.

Meanwhile, with cybersecurity precautions more robust than any he had ever seen, the cybersecurity analysts there were catching two spies a year. Professor Yu was deeply impressed.

“When I started work in Singapore, I learned cryptography from a colleague. I wrote my own encryption algorithm and later, a colleague helped me to refine it, but I recoded it in Intel assembler,” said Professor Yu, now an adjunct professor at the National University of Singapore, as well as senior vice president and chief innovation officer at cyber security services provider Quann Asia Pacific. The revised programming language “was so fast that encrypting real-time network data suddenly became possible using software instead of hardware,” he recalled.

This was among his first forays into developing secure IT systems, and his expertise became immensely useful at a time when personal computers lacked passwords and local area networks were spreading malware within enterprises.

“It was easy to be an attacker, and when web servers finally appeared, the Singapore government experienced its first hack—a web defacement—via a PHP vulnerability. The hackers were never caught,” Professor Yu said. This was just one of the many cyberattacks that Singapore experienced in the early days of the internet.

On the shoulders of giants

The Singapore government was quick to understand these implications and moved swiftly to counter the security issues, Professor Yu noted.

“In the late 1990s, it was the dotcom boom and we saw the start of commercial development of cyber defences, such as firewalls and anti-virus software. However, the attackers were getting ahead and finally they became a part of organised crime, more sophisticated than the defenders.”

It was an arms race in cyberspace, and Professor Yu was in the thick of it. He helped create the first secure email system in Singapore, complete with end-to-end encryption, allowing government officials to transmit sensitive information without fear of being eavesdropped on.

For his commitment and contribution to the cybersecurity landscape in Singapore, he was awarded the Hall of Fame Award at the inaugural Cybersecurity Awards and Gala Dinner in February 2018.

In an interview with TechNews, Professor Yu explained how he created the secure email system by drawing on a wealth of knowledge and experience he had obtained through close interactions with some of the pioneers in cryptography.

“At that time, terms like certification authority (CA) and public key infrastructure (PKI) did not exist. It was Jim Omura and James Massey, founders of Cylink, the first company with a public key chip, who explained to me how PKI would work. We were discussing the design of the first public key smart card for national identity, ten years ahead of time,” he explained.

He also credits David Naacache, a cryptographer whom he met at digital security firm Gemplus R&D (now Gemalto), for introducing him to elliptic curve cryptography, which requires smaller cryptographic keys compared to other existing methods at the time to ensure the same level of security.

No looking back

Asked about the limitations he faced in the development of IT infrastructure in general, Professor Yu said that “the biggest difference [between now and in the past] is ‘open source’ software and hardware, which are game changers. In the past, there was no Kickstarter and no Github.”

“Collaboration on software development was also uncommon, and software was expensive! Hardware creation was also slow, and we did not have graphics processing units and artificial intelligence (AI) accelerators to run deep learning systems,” he added.

Given today’s technology, Professor Yu thinks that the cybersecurity landscape is more challenging now than ever before—AI and robotics are increasing in complexity, and the cybersecurity issues associated with them are becoming more difficult to solve, he noted.

Even so, Professor Yu is not one for nostalgia. “I don’t miss the past, which is more siloed, without the internet, Wikipedia and mobile phones. However, in the old days, you would have more time to learn. Now, it’s always a rush to get things done.”

But this urgency is warranted. “We should expect to be attacked by hackers who could be very skilled, and they will use attack tools that will be highly automated.

Hence, we need to push for security automation using AI and cloud-based self-defending models,” Professor Yu said, outlining what the cyber battlefield of the future will look like.

“Cybersecurity needs to be adaptive, fast-evolving and ‘liquid’, meaning that we must be agile and fight off the attacker using asymmetric methods, and not simply wait to be attacked,” he concluded.