'

Singapore moves to galvanise Asean efforts in cybersecurity

Asean member wants to help drive conversation around cybersecurity, including the need to establish cyber norms, and is investing in initiatives such as a regional capacity building programme.

Singapore wants to play a key role in galvanising efforts across Asean in cybersecurity and hopes to get things started with its investment towards initiatives such as CyberGreen and a new regional capacity building programme.

The city-state played host to the Asean Ministerial Conference on Cybersecurity, held here Tuesday, where ministers from member states gathered to discuss issues related to the sector. During his opening address, Singapore's Minister for Communications and Information Yaacob Ibrahim stressed the need for Asean countries to actively collaborate on cyber issues in order to build a "trusted and resilient cyberspace" that benefitted all member states and their respective citizens.

Yaacob, who is also Minister-in-Charge of Cybersecurity, said a key focus of Singapore's new cybersecurity strategy was building international partnerships, which would be critical to combat cyberattacks.

"Attack targets could targets could range from financial to data theft, damage [to reputation], and also disruption to our critical information infrastructure," he said. "These could harm our economies and societies. Furthermore, as our countries become more inter-connected, the impact of a cyberattack in one country may well spill over to another."

To help drive efforts among member states, the Singapore government unveiled a new Asean Cyber Capacity Programme (ACCP), which aimed to fund resources, expertise, and training to help nations build up the necessary infrastructure. These also would include workshops, seminars, and conferences as well as consultancy efforts in forming national cybersecurity strategies and related legislations.

According to David Koh, chief executive of Singapore's Cyber Security Agency (CSA), the country would invest S$2 million a year spanning five years, making its total investment in ACCP S$10 million. The programme also included the annual Asean CERT (Computer Emergency Response Team) Incident Drill (ACID), currently in its 11th iteration, during which member states participated in testing and improving their cooperation and responses to cybersecurity incidents.

Speaking to media at the event, Koh explained that the ACCP aimed to support technical professionals as well as policy makers and facilitate the exchange of experiences and best practices in cybersecurity.

In his speech, Yaacob also urged Asean to begin discussions on cyber norms, which already had begun globally in the past decade and were necessary to ensure international peace and stability in cyberspace as well as foster an environment of trust.

Pointing to the United Nations Group of Government Experts (UNGGE), he said the global organisation had provided recommendations on cyber norms and Singapore was keen to support the need for basic rules for behaviour in cyberspace. "Such a set of regional cyber norms would ensure the safety and security of regional and international cyberspace, and in extension, contribute to the stability and economic progress of the Asean community," the minister said.

Asked for details on what these norms would be for Asean, Koh said it was still premature to discuss the shape of such rules or whether a separate list would be necessary for the region. He added that the government, for the time being, was focused on getting the conversation started.

CSA said it signed agreements with four vendors--BAE Systems, (ISC)², Microsoft, and Palo Alto Networks--to provide training and various capabilities in cybersecurity.

Metrics needed to ensure transparency

The Singapore government also had become a "cornerstone sponsor" of global initiative, CyberGreen, which aimed to assess a country's cyber health and identify potential vulnerabilities within their borders. Officially founded last year, the project was initiated by the Japan CERT in 2014 and currently had the UK government as a sponsor.

The non-profit group's next-generation statistics platform was touted to provide a data and heat map of infections and vulnerable devices of participating nations. The metrics-based measurement and visualisation tool was slated to be finalised in December this year.

With Singapore now a CyberGreen sponsor, forking out an investment of US$900,000 stretching three years, all Asean member states would have free access to a new portal that would offer, among others, metrics on their cyber health, mitigation tools and methodologies, and data on vulnerabilities including misconfigured servers.

Yaacob said information provided by CyberGreen also could help cyber incident responders better identify and remediate various levels of threats.

According to Yurie Ito, founder and executive director of The CyberGreen Institute, the portal would include recommendations on how to plug vulnerabilities and fix open servers and DNS, as well as offer step-by-step mitigation process and coordination with various CERTs.

Ito noted that such metrics currently were not available to countries and there was a lack of transparency to facilitate the necessary mitigation.

She stressed the need for countries to be aware of their cyber health not only for their own welfare, but also for other nations interacting with them. This would ensure they would not pose a risk to others, she added.

Koh said "[Singapore's] perspective is that cybersecurity is a team sport. No one country can do it by itself, that's why Singapore is partnering with other Asean member states."