The Singapore government has pledged to adopt new measures to bolster its cybersecurity posture and improve the way it safeguards public data. The move comes after a series of security breaches involving agencies from the public sector, including one just this week, that compromised personal data of its local population.
These security lapses had pushed the government to set up a committee to review its data security practices, assessing measures and processes, amongst others, related to the collection and protection of citizens' personal data by government agencies as well as vendors appointed to handle personal data for the government.
The committee spent the past eight months inspecting 336 systems across all 94 government agencies and looked at best international data security practices in the financial and healthcare sectors, including Canada and the UK. These countries faced similar challenges as Singapore, including the need to use data securely to make better policy decision, provide public services to the local population, and instil public confidence that citizens' data was safe with the government.
Following this review, the committee made several recommendations that had been accepted by Prime Minister Lee Hsien Loong, said Senior Minister and Coordinating Minister for National Security Teo Chee Hean, who led the committee. Amongst these were the need to: enhance technology and processes to safeguard data against threats; build data security competencies and "inculcate a culture of excellence" around sharing and using data securely amongst government agencies; and improve the accountability and transparency of the public sector data security regime.
"Even as we do the utmost to prevent data incidents, these can never be fully eliminated," said Teo, detailing another recommendation from the committee. "We will strengthen processes to detect and respond to data incidents swiftly and effectively and learn from each incident."
"We will ensure our data security efforts are not one-off, but sustained and continue to evolve to address future challenges," he noted.
According to the minister, three technical measures recommended by the committee had been implemented last month. He added that all recommended measures would be deployed by end-2021 across 80% of government systems, with the remaining to be completed by end-2023.
Teo said: "These systems are the ones that are most complex or will require significant redesign. In the meantime, we will have processes and measures to cover the risks."
He said these measures would "significantly enhance" data protection and "hold officers to account".
The minister, though, reiterated the inevitability of breaches in the future, stressing the importance of speed in response. "While we will do our utmost to reduce the risk of data breaches, we cannot completely eliminate the threat. When such breaches do occur, we will detect them and respond quickly and effectively to limit the breach and damage."
In a statement issued by the Prime Minister's Office, Lee described data as the "lifeblood" of the digital economy and a digital government.
The prime minister said: "We need to use and share data as fully as possible to provide better public services. In doing so, we must also protect the security of the data and preserve the privacy of individuals and, yet, not stifle digital innovation."
The Singapore government said it would be setting up a new Government Data Security Unit to oversee such efforts across the public sector. In addition, capabilities in data protection and privacy tools would be nurtured within GovTech to boost the government's expertise in these technologies.
Earlier this week, personal data of 6,541 individuals in the country was compromised when a folder containing the information was "inadvertently" emailed to multiple parties. The security lapse was uncovered only months after, by the Singapore Accountancy Commission, when it implemented an email protection tool as part of the government-wide deployment in October.