The Singapore government has underscored the need to safeguard critical infrastructures and drive the necessary ecosystem to safeguard the nation's cyberspace, including pushing ahead with plans to restrict internet access among its employees.
In his opening address Monday at the inaugural Singapore International Cyber Week, Prime Minister Lee Hsien Loong said ICT had enabled the country to develop from a third-world to a first-world economy and continued to play a critical role in its efforts to become a smart nation. However, ICT also opened up new vulnerabilities, introducing cyberthreats and attacks that were increasingly frequent and sophisticated, and resulting in more severe consequences.
Lee pointed to the December 2015 attack on Ukraine's power grid and and this year's cyber theft involving Bangladesh Bank, which lost US$81 million. He added that the Singapore government, too, had been a target and had experienced phishing and malware attacks, as well as the defacement of its websites. Government systems also had been compromised and the financial sector had suffered DDoS attacks, he said.
The increased risks, particularly the potential for cyberattacks to bring down critical infrastructures, prompted the Singapore government to set up a separate body--Cyber Security Agency (CSA)--last year to oversee the nation's cybersecurity efforts. It also kicked off a year-long consultation with more than 50 stakeholders, including government agencies, professional groups, private companies, and academics, to put together a new national cybersecurity strategy, which the prime minister unveiled today.
The new plan expanded on previous national cybersecurity efforts and covered four key focus areas, which included beefing up critical infrastructures. creating a safer cyberspace, deepening capabilities in this space, and boosting international collaboration to fight cybersecurity threats.
Part of its plans to strengthen critical infrastructure would see all employees in the public sector restrict their internet surfing activities to secondary devices not connected to the government's internal network. Coined "Internet Surfing Separation", the initiative meant government officers would only be able to access the intranet and corporate email in the office, and would need to move to an internet terminal or use a different device to browse the web.
According to Lee, ministers, senior civil servants, and half of the country's government agencies already had begun separating their networks, with the rest of the public sector on track to do likewise by mid-2017.
The Singapore government also would expect operators and providers of essential services to "develop robust cyber risk management frameworks and responses", the prime minister said.
"CSA will have the powers to direct private-sector operators and essential services, such as financial payments systems," he said. "CSA will issue regular advisories to businesses on imminent cyberattacks and emerging cyberthreats to remind them to keep up their cybersecurity measures." The agency also would offer technical guides and self-help cybersecurity checklist to boost these networks, he added.
With regards to the extent of the agency's "powers to direct", CSA's chief executive David Koh pointed to ongoing efforts to establish a new standalone Cybersecurity Act, slated to be released next year. More details about the government's regulatory responsibilities would be available then, he said.
Challenge balancing citizen privacy, need to stop potential attacks
Speaking to media at the conference, Koh further underscored the importance of fostering international partnerships, noting that Asean ministers had gathered here this week to discuss cybersecurity issues.
ZDNet then asked for the Singapore government's take on recent news that Yahoo had secretly scanned its customers' email on the request of US intelligence agencies. Koh stressed that Singapore took a serious view on personal data protection, pointing to the Personal Data Protection Act, which he said safeguarded individuals' data.
This included citizen information exchanged between government agencies, such as allowing certain law enforcement agencies to share data under specified rules, and these agencies would have to take due care in ensuring the data was adequately protected.
Koh, though, noted that there were conflicting demands in any country that needed to protect an individual's data as well as ensure national security. In incidents of terrorism, for example, where terrorists were using the internet to transfer and share data to launch an attack, there was an impetus to share that information among law enforcement agencies. On the other hand, there also would be demand to protect user data, he said.
Under such circumstances, it would not be binary where there was an absolute right answer, he said. Local jurisdictions and legal provisions also would need to be considered, especially when cyber activities were likely to be cross-border, he noted.
This also drove the importance of international cooperation to better respond to cyberthreats. Lee said: "Cyberattackers do not respect jurisdictions. Attacks can come from anywhere in the world [and] can be routed through any number of intermediate nodes.
"We are working with other governments to share intelligence, work together to block attacks and shut down black networks," he said.
IBM's security CTO Sandy Bird concurred, urging the need for better collaboration not only between governments but also within industries. He noted that while there was a decent amount of information sharing in the financial sector, many other verticals still lacked such initiatives.
Speaking to ZDNet on the sidelines of the conference, Bird revealed that ongoing efforts were made to develop a way for cybersecurity-related information to be shared anonymously. Pointing to work currently focused on STIX 2.0, he said the anonymity would hopefully encourage more companies to cite information in a trusted, but anonymous, way so they would not have to worry about affecting their competitive advantage.
STIX, or Structured Threat Information eXpression, is a standardised programming language to facilitate the exchange of data about cybersecurity attacks and threats.
Bird also touted the need for advanced analytics and cognitive security to better predict and manage cyberattacks. This would enable unstructured data to be analysed for indicators of a potential compromise, identify security attacks, as well as the ability to trace the source of attack back to the attacker.
In addition, implementing a security-by-design culture would ensure the robustness of a system would be prioritised right from the development process, he said, adding that it would be more costly to have to identify the cause of security issues and fix them after the system had been rolled out.
Furthermore, rejecting unstable codes and compelling software developers to rework their source codes would help ensure these developers did not make the same mistakes again. A different developer would likely be involved if this process was done only after the product had been rolled out, leading to the original mistakes to be made repeatedly since the initial software developers were unaware of their design error.
Adopting a security-by-design mindset, hence, would improve the company or country's overall cybersecurity skills and build a pool of better software coders, Bird said.
He noted that the severe shortage of good skills in this market was a major concern, though, countries such as Singapore were making good progress in rolling out education programmes and training initiative.
Two local companies, Quann and Accel Systems & Technologies, today were added to Singapore's Cyber Security Associates and Technologists (CSAT) programme, which previously included Singtel and ST Electronics. The initiative aimed to help ICT graduates and working professionals to gain new skills in cybersecurity through on-the-job training with participating companies.