Singapore says its new status as a certifying body for a global cybersecurity standard will enable local developers to attain the certification more quickly and at a lower cost. Products developed in Singapore can also be exported, boosting the country's competitiveness in the global cybersecurity market, the government said.
Singapore in January became a certificate authorising nation under the Common Criteria Recognition Arrangement (CCRA). Also called ISO/IEC 15408, Common Criteria (CC) is a technical standard used to evaluate and certify cybersecurity products and is the de facto standard for such product certification adopted by governments and the industry.
According to the Ministry of Communications and Information (MCI), Singapore is one of 18 nations that can authorise certificates, joining a list that includes India, Malaysia, Australia, Germany, France, and the UK. Another 12 nations, including Indonesia, Greece, and Israel, are deemed able to consume certificates, which means they can accept CC certificates but cannot issue them.
A local CC Certification Body was set up by Singapore's Cyber Security Agency (CSA) and tasked with ensuring that product evaluation conformed to the requirements of the CC standards. The certification body would also maintain approved Common Criteria Testing Laboratories that carried out product evaluation.
Developers looking to certify their products would have to engage an approved lab to assess their product. Germany's T-Systems International is among global companies that have set up an evaluation lab in Singapore under the Singapore Common Criteria Scheme.
With Singapore now a certificate authorising nation, developers in the nation-state no longer need to send their product overseas for evaluation or arrange for testers and evaluators to come to Singapore. This will enable them to reduce costs and shorten the time required to attain a globally recognised certification mark, MCI's Senior Minister of State Janil Puthucheary said in parliament during the Committee of Supply Debate.
"It is a step towards becoming a regional hub for product evaluation and certification," Puthucheary noted. "We are attracting global evaluation laboratories to anchor their operations in Singapore. These developments will accelerate Singapore's exports of world-class cybersecurity products and create good jobs for Singaporeans."
The MCI added that it would improve the exportability of cybersecurity products made in Singapore and boost the country's competitiveness in the global cybersecurity market.
In addition, to encourage small and midsize businesses (SMBs) to adopt CC certification, Singapore will be introducing a "SecureTech" track under the Accreditation@SG Digital programme this quarter, in which companies have to obtain CC certification to have their cybersecurity products accredited. The initiative aims to drive the adoption and procurement of SecureTech products among government agencies and businesses.