All businesses must step up their investment in cybersecurity, which is currently inadequate in several industry sectors, and countries need to do better in prosecuting cybercriminals, the majority of which are getting away scot-free.
While some industries traditionally had higher impetus to invest in cybersecurity, such as banking and financial institutions, other organisations also would face high risks as they moved to digitise their systems and processes.
Speaking at the Financial Times' Cyber Security Summit held in Singapore Wednesday, Minister for Communications and Information Yaacob Ibrahim said cybersecurity should not be seen as a cost, but as an investment to manage risk.
"Underinvestment in cybersecurity does not mean 'business-as-usual. Weak cyber defences suffering from underinvestment could be breached more easily, leading to disruption of business activities and significant losses," said Yaacob, who is also Minister-in-Charge of Cyber Security. He referred to the 2015 cyberattack on French television network, TV5Monde, which disrupted its broadcasts and social media platforms. The breach was estimated to cost between 4.3 million euro (US$4.72 million) and 5 million euro (US$5.49 million).
He also pointed to last month's security breach that affected 500 million Yahoo email user accounts. He added that the incident occurred during a sensitive time when the US internet company was being acquired by Verizon and could adversely impact its valuation.
"With such high stakes, there are worrying signs that underinvestment in cybersecurity is a real problem in Singapore," the minister said. Citing a PwC study on Singapore's cybersecurity landscape, he said the government was the largest contributor of cybersecurity expenditure in the city-state, accounting for almost 25 percent of the market last year.
The next two largest spenders were banking and securities as well as communications and services sectors, each spending nearly 25 percent. The manufacturing industry accounted for about one-eighth of overall cybersecurity spending in Singapore.
This meant the rest of the economy, including healthcare, utilities, retail, and transportation together accounted for under a third of the country's total cybersecurity expenditure. "This is not enough," Yaacob stressed. "Cybersecurity expenditure has to keep pace with increased digitisation of business in all sectors. Based on PwC's study, Singapore's cybersecurity expenditure is only 2.4 percent of IT expenditure."
He said the government hoped to lead by example by setting its cybersecurity spending to at least 8 percent of its overall IT budget.
Cybercriminals getting away with their deeds
More efforts also were needed to ensure cybercriminals were duly identified and prosecuted, according to Madan Oberoi, director of cybercrime at Interpol Global Complex for Innovation. Speaking in a panel discussion at the summit, he noted that this was still lacking in the cyber realm, whereas most countries had been successful at protecting the physical space by establishing credible deterrence to thwart crime.
Oberoi revealed that in one particular nation in Asia-Pacific, for example, where 111,000 cybersecurity incidents were identified as prosecutable charges, only 5,400 went to trial while the others were closed. Of these 5,400 cases, just 900 ended in convictions.
This meant that just 1.7 percent of cybersecurity cases had successfully concluded with a conviction. He added that this would have been a much lower 0.66 percent if figures were based on industry estimates that put the total number of cybersecurity incidents in the country at more than 300,000.
"So, cybercriminals are working on an assurance that 99% of the time, they won't be punished [for their crimes]," he said, noting that such statistics were similar in other countries around the world.
Oberoi also urged the need for nations to collaborate and respond collectively. While there was increased awareness that multi-jurisdiction coordination was critical to combat cyberattacks, he said the necessary frameworks and processes had yet to be put in place. Noting that it was a complex issue to address, he said the Interpol was in discussions with different jurisdictions on establishing the necessary steps to move forward.
Fellow panelist Ceri McGuire, CISO for Standard Chartered Bank, added that while organisations might be willing to share information, some would worry doing so could expose their infrastructure to attacks. There also were concerns that doing so could potentially violate personal data privacy rules or compliance regulations, while others were worried about directing regulatory scrutiny towards their organisation, McGuire said.
There was, however, increasing recognition that exchanging information would yield more benefits as long as this was done on the right foundation and legal construct, she said.
Oberoi agreed, adding that the Interpol had received tremendous response for feedback particularly from the financial sector, probably because this industry was most commonly targeted by cybercriminals. Stressing the need to provide the right forums to encourage organisations to exchange data, he said the global organisation currently was formulating a best practice template to help facilitate information sharing.
McGuire further noted that this should extend beyond the financial sector, where there already was concerted effort among banks to work together and share information. She said this level of interaction was not necessarily evident in other sectors.
With cybersecurity getting wider attention and increasingly cross-organisation, she urged the need for all industry sectors to adopt the same level of attention and focus.
Also stressing the need for global collaboration, Yaacob said: "Just as cyberspace transcends borders, cyberattacks are unrestrained by geographical boundaries. No cyber-enabled business is completely safe from them.
"Singapore is an open and highly-connected business hub for trade, finance, and logistics. The effects of a cyberattack on Singapore could potentially impact the wider regional and global economy," the minister said. "We are studying and addressing the risks. These include the implications from last Friday's attack against the US-based Domain Name System service provider, Dyn, and the disruption to [local telco] StarHub's Internet broadband service."
He said Singapore's prime minister earlier this month had unveiled the national cybersecurity strategy, outlining efforts in four key areas that include beefing up critical infrastructures and deepening capabilities in cybersecurity.