Singapore urges nation to adopt security-by-design mindset

Stressing the need to think about cybersecurity from the design phase, the Singapore government says it is reviewing its budget to ensure sufficient resources are set aside to support a robust defence system.
Written by Eileen Yu, Senior Contributing Editor

Singapore needs a national cybersecurity strategy that ensures sufficient resources are allocated to build a robust defence infrastructure and an ecosystem that encompasses the right skillsets and capabilities.

Above all, the country must adopt a "security-by-design" mindset in order to prevent costly and inefficient tweaking at a later stage, said Singapore's Minister for Communications and Information Yaacob Ibrahim, who also is the country's Minister-in-Charge of Cybersecurity.

Speaking at the GovWare 2015 conference Tuesday, he noted that with cyberattacks increasingly sophisticated and pervasive, Singapore's national cybersecurity strategy was necessary to prioritise its efforts and raise public awareness. It must ensure the right resources were dedicated to build the country's cyber defences, as well as develop the necessary capabilities and foster close collaboration within the public and private sectors.

A vibrant cybersecurity ecosystem also would be essential to beef up local capabilities and drive employment. In particular, security-by-design was critical to boost Singapore's national cyber capabilities, Yaacob said.

"Security-by-design is about assessing threats and risks, building, and configuring our systems with security in mind from the start, checking for intrusions after implementation, disposing the assets securely at the end of their life span, and educating the end-users to be 'cybersmart'," the minister explained. "If we do this right, we will avoid piecemeal implementation and the need for costly and often ineffective 'retrofitting' later on."

He added that the government itself, moving forward, would adopt this principle when implementing new systems or retrofitting existing systems.

"The crux of Singapore's approach is simple," said David Koh, chief executive of Singapore's Cyber Security Agency (CSA), which was formally established in April this year and parked within the Prime Minister's Office. "Rather than being a cost and liability, cybersecurity is an enabler for achieving the full potential that technology promises. Well secured cyber systems and networks can help improve the way we do business, govern our countries, and live our lives."

"This will require us to put on a security-by-design mindset and build cybersecurity features into all our systems and processes even as they are being designed," Koh said. "We cannot hope to implement cybersecurity after the fact, as an afterthought, or as a bolt-on. It will not be effective, and will likely cost more."

Singapore reviewing cybersecurity budget

Yaacob also pointed to the need to ensure the "right budget" was allocated to cybersecurity. He revealed the Singapore government currently was assessing its cybersecurity budget, with CSA tasked to determine the appropriate amount.

The minister noted that Israel, for instance, had mandated that 8 percent of its overall government IT budget would go toward cybersecurity. South Korea also had set aside 10 percent of its ICT budget for cybersecurity.

"We intend to adopt a similar approach for government ICT projects," Yaacob said, noting that CSA was reviewing how this could be established beyond the government's critical ICT infrastructure.

He added that implementing security during the design phase helped ensure systems were "as free of vulnerabilities and impervious to attack as possible".

While he did not reveal the current proportion of its budget that was dedicated to cybersecurity, he said this figure "should be relooked and revised" to ensure sufficient resources were set aside to mitigate the emerging threat landscape.

Relating the French government's stance on cybersecurity, Guillaume Poupard, director-general of Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), said his agency also comprised a regulatory team that looked at implementing legislation necessary to ensure the country's cybersecurity wellbeing. In France, for instance, identified critical systems must have the necessary safeguards against potential attacks, with ANSSI empowered to put in the necessary controls and ensure the country's stipulated cybersecurity rules have been applied.

Poupard added that the government agency must be notified of security breaches and attacks, though the information would be kept confidential.

Stressing the need for the government to have its own experts, "and not simply rely on the private sector", he said ANSSI operated its own team of engineers who monitor the agency's network of sensors 24/7, with the capabilities to analyse cyberattacks and react accordingly when necessary.

ANSSI and CSA in May 2015 signed an agreement to beef up national cybersecurity capabilities through regular bilateral exchanges, sharing of best practices, and joint efforts to develop cybersecurity expertise. Apart from speaking at the conference, Poupard was in town to lead a contingent of French cybersecurity companies exhibiting at the GovWare exhibition.

Industry partnerships to boost cybersecurity readiness

CSA also revealed it had signed three MOUs with Check Point, FireEye, and Singtel, aimed at beefing up the country's cybersecurity capabilities.

Under its collaboration with Singtel, CSA will look at developing manpower resources through training and certification as well as research and development related to cybersecurity products. The agreement with Check Point also will focus on growing local capabilities to deliver "advanced" cybersecurity offerings to Singapore and will include technical training.

FireEye will be working with CSA on information sharing related to cybercrimes and cybersecurity trends, with both parties working to establish the necessary measures for incident response.

Yaacob said: "Demand for cybersecurity is growing due to increasing threats and cybersecurity awareness. However, there is insufficient manpower supply to fulfil the growing demand. Fresh ICT professionals lack the necessary skillsets and experience to take on specialised roles, while mid-career ICT professionals find it challenging to convert to the cybersecurity profession."

To address this, the minister said CSA, alongside ICT regulator Infocomm Development Authority (IDA), would be introducing the Cyber Security Associates and Technologists Programme (CSAT) to train and "up-skill" ICT professionals.

In addition, the Singapore government will create common certification and standards to support the local ecosystem, he said.

Yaacob said CSA also signed a Memorandum of Intent (MOI) with CREST International (Council for Registered Ethical Security Testers) and the Association of Information Security Professionals (AISP) to introduce CREST certification for cybersecurity penetration testers in Singapore.

"The certifications will serve as a competency baseline for practising professionals and service providers," CSA said, adding that the MOI would see the organisations jointly set up a CREST Singapore Chapter next year.
