Half of vulnerabilities Singapore government finds via bounties, disclosures are valid

Amongst more than 1,000 vulnerability reports involving government systems submitted via bug bounties and public disclosure schemes, 496 have been ascertained to be valid.
Written by Eileen Yu, Senior Contributing Editor

Half of security vulnerability reports the Singapore government received via bug bounties and public disclosure schemes have been ascertained to be valid. The public sector also recorded a 44% increase in data incidents over the past year, though none were assessed to be of "high severity".

The Singapore government reported 108 data security incidents in its fiscal 2020, ended March 31 this year, compared to 75 in the previous year. Despite the increase, the breaches were determined to be either low or medium in severity, according to a report released Tuesday by the Smart Nation and Digital Government Office (SNDGO). 

The level of severity was assessed based on the incident's impact on national security or national interests, and on an individual or business entity. There were five levels of severity ranging from low to very severe.

All data incidents also were addressed within 48 hours, the report stated. 

Singapore in April 2020 set up the Government Data Security Contact Centre to provide a channel through which members of the public could report data incidents involving government data or government agencies. 

In its first year of operation, the centre received 119 reports, six of which were flagged as data incidents requiring further investigation. The remaining 113 were not related to government data and were referred to the relevant departments for action, according to the report. These included queries on promotion calls and texts when the individual had opted out of the Do Not Call registry.

The government also established a vulnerability disclosure programme in October 2019 for anyone to report vulnerabilities they found on the public sector's online platforms and mobile applications, which are used by citizens and businesses. To further identify potential security holes, the Singapore government also ran several bug bounty programmes, which previously had involved the Ministry of Defence and GovTech.  

As of March 2021, more than 1,000 vulnerability reports were submitted through the security contact centre and bug bounties, of which 496 were determined to be valid, SNDGO revealed. 

The smart nation office noted that several initiatives were rolled out over the past couple of years to bolster the sector's security posture. Highlighting those that were implemented between last October and March 31, 2021, the SNDGO said a privileged identity management (PIM) tool was implemented in November for the government's commercial cloud infrastructure.

"With more government systems migrating to the cloud as part of our 'cloud-first' strategy, the Government Commercial Cloud PIM solution will ensure that access by privileged users [including] those whose roles require wide access to data, such as system administrators, will be secured and monitored to prevent unauthorised use of data," SNDGO said.

Data loss protection services also were being developed across the public sector, so technical and process controls would be in place to detect anomalous activities, such as unexpected download of large data volumes to personal computers, that could indicate potential malicious activities. Implementation of these services would begin by end-2021. 

Civil servants also needed to be prepared to respond to data security incidents, the smart nation office said. In this respect, central ICT and data incident management exercises would be conducted involving multiple government agencies, with four ministries slated to participate in the first of such initiatives in September this year.

This would be in addition to cyber and data security incident exercises that all government agencies were required to hold every year, according to SNDGO. 

Last year also saw the highest number of complaints made to the Personal Data Protection Commission, which oversees the country's Personal Data Protection Act (PDPA). Some 6,100 complaints were logged with the commission, compared to 4,500 in 2019 and 2,700 in 2018, noted the SNDGO report.

Since the public sector is exempted from the PDPA, these complaints presumably pertain to potential data breaches involving only private organisations. 

Reported cybercrime cases accounted for almost half of total crimes in Singapore last year, where both ransomware and botnet attacks saw significant spikes. The Singapore Computer Emergency Response Team (SingCERT) handled 9,080 cases, up from 8,491 in 2019 and 4,977 in 2018, revealed the Singapore Cyber Landscape report released earlier this month. 

The number of reported ransomware attacks climbed 154% with 89 incidents, compared to 35 in 2019. These mostly affected small and midsize businesses in various sectors including manufacturing, retail, and healthcare. 

