Singapore has recorded fewer instances of common cyber threats in 2018, but expects to see more frequent data breaches and disruptive attacks against the cloud in the near future. The city-state also remains a target of advanced persistent threat (APT) attacks and must learn from previous incidents to better defend itself as it looks to build a digital economy.
According to Cyber Security Agency (CSA), there were 605 instances of website defacements last year compared to 2,040 in 2017, with most of the affected websites owned by small and midsize businesses (SMBs). Two government sites, however, also were impacted by such attacks last year, where a sharp climb was noted in November. This was likely the result of a hacker who exploited vulnerabilities in an unpatched web server, CSA explained, noting that various businesses hosted on that server were compromised by the attacker in a single day.
The government agency also pointed to a 30 percent drop in phishing URLs containing a Singapore link, from 23,420 in 2017 to 16,100 URLs last year. Organisations in the banking and financial sector as well as those offering technology and file-hosting services accounted for almost 90 percent of affected companies.
The number of ransomware incidents also fell to 21, from 25 in 2017, as did the number of command-and-control servers, which fell 60 percent to 300 in 2018. CSA added that almost 2,900 botnet drones with Singapore IP addresses were identified on a daily basis last year.
It also detected 470 malware variants in 2018, with five generating more than half of the observed infections, namely, Gamarue, Conficker, Mirai, WannaCry, and Gamut. That these were successfully deployed indicated that many users had not adopted measures to safeguard their systems, including patching their devices and implementing antivirus software, CSA said.
It further noted that the number of reported cybercrime cases continued to climb, clocking at 6,179 last year--compared to 5,351 in 2017--and accounting for some 19 percent of total crime in Singapore. Of the reported cases, 1,204 were investigated under the country's Computer Misuse Act, which was up 40 percent from 2017.
In addition, there were 2,125 reported instances of e-commerce scams last year during which victims lost S$1.9 million (US$1.38 million) in total. Some 70 percent of these scams occurred on consumer-to-consumer online marketplace Carousell and involved electronic products and tickets to events and attractions.
In a 2017 ZDNet report, Carousell had said it was exploring the use of machine learning and artificial intelligence (AI) to combat fraud on its site, tapping TensorFlow and Google's Cloud Machine Learning engine to identify and flag potential fraud risk.
Apart from e-commerce scams, however, CSA also noted an increase in email impersonation instances, with 378 reported in 2018 compared to 332 the year before. Such cases led to businesses incurring S$58 million (US$42.26 million) in losses last year, up 31 percent from 2017.
With more frequent data breaches expected in the near future, the government agency underscored the need for organisations and consumers to be vigilant and beef up their cybersecurity posture to keep pace with increasingly targeted and sophisticated threats.
In its projections of upcoming threats, CSA also pointed to increased risks faced by global supply chains as well as more disruptive attacks targeted at the cloud. It added that smart buildings and connected systems would face greater risks of attacks, especially as Internet of Things (IoT) devices and connected industrial control systems become more pervasive.
The agency also anticipated the use of AI amongst threat actors to seek out vulnerabilities and create smarter malware as well as the likelihood of more hackers targeting biometric data to build virtual identities and gain access to personal data.
CSA's chief executive and cybersecurity commissioner David Koh said in the report: "As cyberthreats grow in scale and sophistication, it is clearly no longer a question of 'if', but rather 'when' an attack will hit us. Even as we strive to make our systems as secure as possible, it is imperative that we respond to an incident swiftly, robustly, and decisively. The cyberattack on SingHealth was a stark reminder for us to push further in our cybersecurity efforts collectively as a nation.
"On the international stage, Singapore remains firmly committed to the establishment of a rules-based international order in cyberspace and condemns all malicious cyber activities, which threaten the safety and security of Singapore and Singaporeans," Koh said.
The personal data of more than 1.5 million patients were compromised in the SingHealth attack, which later was found to be the result of bad system management and undertrained IT staff, amongst other lapses. SingHealth was fined S$250,000 while Integrated Health Information Systems (IHIS), the IT agency responsible for Singapore's public healthcare sector, was slapped with a S$750,000 fine, for failing to take adequate security measures to safeguard personal data. Two IHIS employees also were sacked and five senior management executives, including the CEO, were fined for their role in the security breach.
Koh noted that the Singapore government last year took several steps to enhance the country's cybersecurity posture, including the implementation of the Cybersecurity Act and introduction of initiatives such as the Industry Call for Innovation to pave the way for "long-term, holistic cybersecurity investments". An Asean-Singapore Cybersecurity Centre of Excellence also was established with the aim to build regional cyber capacity and drive global collaboration, he added.
The Singapore government in April said it had assembled a committee to review data security practices in the public sector, following a spate of breaches involving government entities, which had resulted in the personal information of 808,201 blood donors and 14,200 individuals with HIV being compromised. The committee had been tasked to assess measures and processes, amongst others, related to the collection and protection of citizens' personal data by government agencies as well as vendors appointed to handle personal data for the government.
Expected to be included as part of the upcoming amendment to the country's data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.
Following several breaches involving government entities, Singapore's prime minister has assembled a committee to review data security practices in the public sector, but the government stands firm on excluding these agencies from the country's Personal Data Protection Act.
New pilots including a drowning detection system are in the works, as the government continues to push its smart nation goal alongside an open, API-driven framework. But it stresses the importance of security in rolling out new services and acknowledges the country needs to do better, particularly, following the SingHealth data breach.
Monetary Authority of Singapore is looking to introduce changes to existing technology risk and business continuity management guidelines that will require financial organisations to implement more measures, including cyber surveillance, to boost operational resilience.
Now a certificate authorising nation for the Common Criteria, Singapore is one of 18 countries that can assess and certify cybersecurity products under the technical standard, which it says will enable local developers to attain the certification more quickly and at a lower cost.