Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach
Singapore has yet to see any significant impacts from the SolarWinds security breach on its critical information infrastructures (CIIs) or government systems, but it has urged organisations to safeguard their systems against potential threats. It is also looking into concerns related to upcoming privacy policy changes on WhatsApp, which is amongst messaging platforms the government uses to push information to the local population.
When news about the SolarWinds security breach broke, Singapore's Cyber security Agency (CSA) raised the national cyber threat alert level, said Minister for Communications and Information S. Iswaran.
Noting that the attack was sophisticated and evaded detection for months, he said the breach was particularly "noteworthy" since the SolarWinds software was part of the network control and management infrastructure and, hence, was trusted and had privileged access to internal networks.
"There is no indication, thus far, that Singapore's CII and government systems have been adversely affected by the SolarWinds breach," said Iswaran, who was responding to questions raised in parliament Tuesday. "The government is, nonetheless, adopting a cautious stance."
He said CSA had issued public advisories on steps enterprises should take to safeguard their systems against potential threats, including having full visibility of their networks and detecting unusual activity in a timely manner. He added that the situation still was evolving as affected companies continued to investigate the breach.
Hackers involved in the attack were believed to be acting for the Russian government and had deployed a malware-laced update for SolarWinds' Orion software, infecting the networks and compromising sensitive data of several US government agencies and Fortune 500 companies, including the US Treasury Department, Microsoft, and FireEye.
Iswaran said the attack highlighted the need to move towards a Zero Trust security posture, where activities should not be trusted until they were verified and there was constant monitoring and vigilance for suspicious activities. This also encompasses compartmentalising and restricting access to various segments within the network, validating transactions across segments, reconciling any escalation of user privileges, and actively hunting for threats.
In addition, organisations should establish cyber incident response plans to deal with situations in which they are breached in an attack, he said.
"The SolarWinds incident underscores the global and trans-border nature of cyber threats," the minister said. "Though difficult to completely prevent, we need deliberate, targeted, and consistent efforts to strengthen our cyber defences against [such] sophisticated threats, which exploit the supply chain of trusted vendors and software."
Government's WhatsApp channel has 1.22M subscribers
Iswaran also responded to questions with regards to WhatsApp's upcoming privacy policy changes, revealing that the government was "looking into concerns" raised by consumers.
WhatsApp in recent weeks has begun pushing notifications to users about an update to its privacy statement, noting that they would have to accept the changes after February 8 in order to continue using the messaging platform or, otherwise, delete their account. Its previous policy had allowed users to opt out of most data-sharing with Facebook.
The news prompted many to seek out alternatives, fuelling downloads in particular for Signal and Telegram. The public outcry was enough to convince WhatsApp to delay the policy change to May 18 and force Facebook to issue several clarifications about the update.
It said the policy changes were related to how organisations used the messaging app and would not affect the privacy of users' messages. "This update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data," it said in an FAQ.
According to Iswaran, there are currently 1.22 million subscribers to Singapore's Gov.sg WhatsApp channel, which was amongst several platforms it used to communicate with the public. These included Telegram, Twitter, as well as its own Gov.sg website, he said, adding that these platforms were tapped for broadcasts of "non-classified and publicly available information".
Noting that communication of classified data through commercial messaging platforms is prohibited, the minister said the Singapore government has rules on the use of such applications. These rules are independent of changes to the terms and privacy policies of messaging platforms, including WhatsApp, he added.
"Private-sector organisations contracted by the government to perform data-related activities, including the processing and communication of personal data, are bound by contractual terms and conditions. These will determine whether organisations are permitted to share, for their own commercial purposes, the data that has been provided by, or collected on behalf of, the government," he explained.
"Depending on the nature of the data involved, organisations may also have to comply with the data protection requirements in the Personal Data Protection Act and adhere to the Official Secrets Act," he said. "Private-sector organisations that use WhatsApp as a business communications tool should be aware of the changes, and review their data protection policies and contracts with third parties to ensure they continue to align with the requirements under the PDPA."
He said the Personal Data Protection Commission was "engaging" WhatsApp with regards to the latter's updated privacy policy and sharing of personal data with Facebook.
RELATED COVERAGE
- Singapore must return data control to users to regain public trust
- Singapore industry needs stronger codes of conduct as consumer data gains value
- Singapore government must realise human error also a security breach
- Singapore sets up committee to review public sector data security, but stands firm on PDPA exemption
- Singapore government pledges to improve data security with new measures
- Singapore updates data protection law to exclude user consent for 'legitimate' business purposes