Wednesday, 12 October 2016

Singapore rolls out high-level cyber security strategy

More funds to be set aside for defending critical systems from attacks; new Bill also in the works
By Irene Tham, Tech Editor, The Straits Times, 11 Oct 2016

The Government is taking decisive steps to tackle cyber threats - including almost doubling the proportion of its technology budget dedicated to plugging security gaps in critical infrastructure.

The matter, said Prime Minister Lee Hsien Loong yesterday, is one of "national importance" as the country becomes more connected in its mission to become a smart nation.

At the opening of the inaugural Singapore International Cyber Week, he announced a high-level national strategy that includes strengthening international partnerships.

One key prong will be to direct more funds into defence against attacks. These have ranged from malware infection to the defacing of government websites.

About 8 per cent of the infocomm technology (ICT) budget will now be set aside for cyber security spending, up from about 5 per cent before. In fiscal 2014, Singapore spent $408.6 million on cyber security.

The new proportion is similar to what other countries spend; Israel stipulates that 8 per cent of its total government IT budget must go to cyber security, while South Korea channels as much as 10 per cent.

"We are investing more to strengthen government systems and networks, especially those that handle sensitive data, and protect them from cyber attacks," said Mr Lee.

"Singapore aspires to be a smart nation. But to be one, we must also be a safe nation," he told more than 3,000 public servants and technology professionals from 30 countries who were also attending the 25th GovernmentWare Conference.

Central to the strategy is the introduction of a new Cybersecurity Act in the middle of next year after public consultations, expected to be held after the draft legislation is tabled in Parliament next year.

There is currently no over-arching cyber security legislation in Singapore. The current system of working with various sector regulators is "patchy", said CSA chief executive David Koh, as the requirement to tighten gaps in critical infrastructure has not been worked into licensing conditions in some sectors.

Mr Lee said that, while ICT creates business opportunities and boosts productivity, it also makes its users vulnerable.

Globally, cyber threats and attacks are becoming more frequent and sophisticated, with more severe consequences, he added.

Last December, a successful attack on the power grid in Ukraine left many Ukrainians without electricity for hours. This year, thieves siphoned US$81 million (S$111.3 million) from the Bangladesh Bank, the central bank of Bangladesh, in a sophisticated cyber heist.

Singapore has not been spared.

"Our government networks are regularly probed and attacked," said Mr Lee, adding that attacks included "phishing" attempts and malware infection.

"From time to time, government systems have been compromised; websites have been defaced. We also suffered concerted DDOS (distributed denial of service) attacks that sought to bring our systems down," he said.

The financial sector, for instance, has suffered DDOS attacks and leaks of data. Individuals, too, have become victims of scams.

Fake websites of the Singapore Police Force, Manpower Ministry, Central Provident Fund Board, and the Immigration and Checkpoints Authority have been set up overseas to "phish" for personal information or trick people into sending money.

Mr Lee said the country must get cyber security right. "Only then can IT deliver innovation, growth and prosperity for our businesses and citizens."

Delinking of Web surfing from computers half completed
By Irene Tham, Tech Editor, The Straits Times, 11 Oct 2016

Ministers, senior civil servants and half of all the public agencies here have started separating Internet surfing from their work computers to boost the security of critical government systems, said Prime Minister Lee Hsien Loong.

The rest of the agencies are on track to implement the initiative by the middle of next year, PM Lee said yesterday, as he outlined the first pillar of Singapore's cyber security strategy that was launched on the same day.

Similarly, operators of essential services will have to develop robust cyber risk management frameworks and responses, he added.

The move to delink public servants' computers from Web surfing was first reported in June. It is aimed at preventing leaks from work e-mail and shared documents amid heightened security threats.

When the move takes full effect across 100,000 computers, civil servants can still access the Web via separate government computers dedicated to that purpose, or use their personal mobile devices. But their work computers, where they access their e-mail, will not have Internet surfing capabilities.

In adopting this policy, Singapore is preceded by Russia, whose intelligence services in 2013 went back to using typewriters to thwart alleged spying by the United States.

Govt launches $10m fund to help ASEAN fight cyber threats
ASEAN Cyber Capacity Programme will help train technical officers, policymakers and lawyers
By Lim Yan Liang, The Straits Times, 12 Oct 2016

Singapore is taking concrete steps to step up cooperation across ASEAN for a more secure cyberspace, Communications and Information Minister Yaacob Ibrahim said yesterday as he launched a $10 million fund to help fellow ASEAN nations build up their cyber response capabilities.

Dr Yaacob, who is minister-in-charge of cyber security, told the first ASEAN Ministerial Conference on Cyber Security at the Shangri-La Hotel the grouping could focus its efforts in three areas to fight the "full spectrum of cyber threats: cybercrime, espionage, and other malicious activities".

The meeting came a day after Singapore launched its National Cyber Security Strategy, in which building regional and global partnerships to fight cyber threats is a key pillar.

The first area ASEAN members can cooperate in is helping strengthen one another's technical capabilities to better respond to incidents.

South-east Asia is a prime target for cyber attacks, and a Singtel-FireEye study found organisations in the region face a 45 per cent higher risk of a targeted cyber attack than the global average. One in four such attacks is aimed at governments.

"Attack targets could range from financial to data theft, reputational damage, and also disruption to our critical information infrastructure," Dr Yaacob said.

The new $10 million ASEAN Cyber Capacity Programme is aimed at building up a credible response to such threats, he added. It will help train technical officers to deal with attacks, and train policymakers and prosecutors to shape members' cyber-security strategies and laws.

Second, ASEAN members can tap into global efforts to build a trusted cyberspace, like the Interpol Global Complex for Innovation (IGCI) that is based here, Dr Yaacob said.

"We can support the IGCI by seconding more ASEAN law-enforcement officers to the IGCI. By partnering Interpol, we can conduct more joint operations against cyber criminals and enhance the collective safety and security of ASEAN."

Singapore will also contribute $900,000 to the CyberGreen global initiative that provides tools for a country to measure its level of cyber health, announced Dr Yaacob.

With this funding, all ASEAN members can access the CyberGreen platform through Singapore for free and better identify different levels of threats and ways to counter them.

The third area is for ASEAN states to start a dialogue on cyber norms - a conversation that began globally a decade ago - to develop a regional understanding of such norms and take part in the global effort, he said.

"Cyber capacity-building, cyberspace awareness, and cyber norms: these are three suggestions to ASEAN for enhancing cyber-security cooperation," said Dr Yaacob.

"Singapore is committed to these ideas, and we are backing our words with resources and investment."

Cyber security a regional battle
By Lester Hio, The Straits Times, 12 Oct 2016

Cyber security is a "team sport" which requires close partnerships among all involved, including governments in the region and industry partners in the private sector.

This is why the Republic wants to "start the conversation" and share best practices and experiences on cyber security with its ASEAN neighbours, said Singapore's Cyber Security Agency (CSA) chief executive David Koh yesterday.

He told reporters at the ASEAN Ministerial Conference on Cyber Security here: "No one country can do it by itself - that's why Singapore is partnering with the other ASEAN member states, and partnering with industry partners, trade associations and expert groups."

He was explaining the factors behind two high-level cyber-security strategies announced by Communications and Information Minister Yaacob Ibrahim yesterday: a $10 million ASEAN Cyber Capacity Programme (ACCP) and a $900,000, three-year sponsorship of non-profit organisation CyberGreen, which grades countries' cyber health.

The ACCP, which will be launched in April next year, comprises events and initiatives such as workshops and conferences aimed at building up the cyber-security capabilities of ASEAN member states.

At least two events will be carried out under the ACCP's calendar next year, with other initiatives to be announced. These include the annual Singapore International Cyber Week, which incorporates the ASEAN Ministerial Conference on Cyber Security, and the Cyber Security Workshop jointly conducted by Singapore and the United States.

Singapore is the third country in the world to sponsor CyberGreen, after Japan and the United Kingdom. The sponsorship will allow ASEAN countries to get a report on their cyberhealth and access CyberGreen's tools to protect themselves.

"CSA's sponsorship will foster the mitigation activities within the ASEAN region, and help us to develop an ASEAN mitigation portal which has all kinds of useful information, including mitigation tools and methods on how to fix open, vulnerable or misconfigured servers," said CyberGreen executive director Yurie Ito.

Dr Yaacob said such cooperation is needed so that no ASEAN member becomes the "weakest link" in the regional fight against cybercrime.

"What we want to do is ensure that all the ASEAN member states pay attention so that they don't become that weakest link," he said.

Private-sector collaboration is also essential for cyber security here. Yesterday, the CSA signed four agreements with private cyber-security companies - BAE Systems, ISC2, Microsoft and Palo Alto Networks - to boost cyber-security training and capabilities here.

Smart Nation, but will we be secure?
Cyber security is a challenge, as everyone plays a part, not just the Government. Consider cyber drills, akin to fire drills, to sensitise people to online threats.
By Shashi Jayakumar and Benjamin Ang, Published The Straits Times, 14 Oct 2016

The launch this week of Singapore's Cyber-security Strategy by Prime Minister Lee Hsien Loong marks a milestone in Singapore's cyber development and aspirations.

The pillars of the strategy - building a resilient infrastructure, creating a safer cyberspace, developing a vibrant cyber-security ecosystem, and strengthening international partnerships - bring definition and much-needed clarity to Singapore's trajectory in this arena. But while the unveiling of the strategy marks a milestone, challenges lie ahead.

Our citizens have developed a normalcy expectancy - the belief that we will be shielded from high signature, unexpected or disruptive events. As PM Lee noted when launching the SGSecure initiative in response to terrorist threats against Singapore, the first question people ask (on terrorism) is "What is the government going to do about it?" Just as Singaporeans have relied on the Government for physical security for decades, there is a propensity to similarly rely on the Government for cyber security.

The Government will do its part for cyber - securing systems and networks, protecting citizens' and official data, and working with the relevant private-sector companies in critical sectors including energy, banking, healthcare and transport, to improve their response and recovery plans.

But worldwide, it is becoming patently clear that the national authorities alone cannot guarantee cyber security. So where do the concomitant interests in ensuring cyber security lie?


The second pillar of the cyber strategy states that cyber security is the "collective responsibility of the Government, businesses, individuals and the community". On the Government's part, the Ministry of Home Affairs launched the National Cybercrime Action Plan earlier this year, to enhance the Singapore Police Force's capability to handle cybercrime, and to work with Internet service providers and other countries. But communities, businesses and individuals then need to stay informed and take preventive measures, make cyber security a priority, improve understanding of cyber-security issues and encourage adoption of good practices.

The human element will be key, as it is implicated all too often in cyber security and is indeed often the weakest link - individuals allowing malicious software into systems because of deception by attackers, negligence, ignorance, or bad intentions. One study by cloud security vendor Skyhigh Networks found that 82 per cent of organisations surveyed had experienced an insider threat, and 96 per cent of organisations had at least one user who had been compromised with weak passwords.

This would be like installing the most sophisticated lock but leaving the key under the doormat.

The fact that government protection has its limits can be nowhere more clearly seen than in the 2015 cyber attacks on the Ukraine electricity grid (which saw hundreds of thousands of homes left without power in the middle of winter). These attacks remind us that virtual attacks can have immense real-world ramifications, and that even states can be overcome by cyber attacks, especially those powered by much larger states or their proxies.

The concern is not simply one of a massive takedown akin to a digital Pearl Harbor. Cyber-security threats are all the more insidious because they can lurk undetected in our systems for months or years - 500 days is an average in Asia. During this time, attackers can slowly erode the reliability and accuracy of systems instead of destroying them outright, in order to damage trust and resilience.

It is no exaggeration therefore to say that cyber security needs to become embedded in the basic fabric of our thinking, and ways should be considered to embed this into Total Defence (not least its psychological pillar) and initiatives such as SGSecure.


Citizens and businesses need to learn how to respond to cyber-security emergencies, preparing for cyber drills as we do in fire drills. For example, if our computers or mobile devices are taken over by ransomware, will we have backup plans or will we panic? Many countries - from Singapore to Estonia to Zambia - conduct cyber drills, which see government agencies and key businesses planning responses to cyber attacks.

But such attacks would also affect thousands of citizens and small businesses, destroying their work or personal data, or disabling communication for days or weeks. They, too, need to be brought into this ecosystem of preparation.

They also need to know who to contact in the event of a cyber attack, and where to seek help for cyber attacks that are beyond the capability of ordinary citizens and SMEs to fend off. At which point will the police or SingCERT (Singapore Computer Emergency Response Team) step in to help?

With a dire shortage of cyber-security professionals worldwide, we should consider tapping national servicemen with cyber-security skills and knowledge, even listing cyber security as one of the preferred vocations that pre-enlistees can choose from.


Deep thinking will be needed on the issue of how to allocate risk - through policy measures or legislation - and liability among various stakeholders, such as government, smart-device manufacturers, service providers, businesses, customers and insurers. For example, will the Housing Board be responsible for the cyber security of 3,000 "smart living" HDB flats? Will we have cyber-attack insurance in the same way we have fire insurance?

There is a delicate balance in sharing responsibility between private and public sectors because this also involves sharing of information about threats and attacks. Legislation can increase the obligation on businesses to disclose information to government, but will there be a corresponding increase in government sharing new threats or vulnerabilities with businesses, or will the information be classified?

Questions such as these will no doubt be addressed in the next iteration of the National Cyber Security Masterplan, and a whole-of-government approach will be needed because of the diverse stakeholders.


As nations grow more interconnected, and cyber attackers target networks of less secure countries in order to infiltrate their neighbours, no country can ignore the global importance of teamwork in cyber security, as underscored by the personal message from the United Nations Secretary-General Ban Ki Moon that , significantly, was read following the cyber-security strategy's launch.

This concern drives Singapore to invest in helping fellow Asean members come up to speed, through efforts like the $10 million Asean Cyber Capacity Programme (launched by Dr Yaacob Ibrahim the next day) to boost cyber-security resources and know-how. Funding may well be available, but the challenge is whether Asean can then come together to build a cohesive approach to cyber security.

Singapore's Cyber-security Strategy is built on an implicit recognition that teamwork is the sine qua non to deal with the rapidly expanding scale of cyber threats - a co-equal partnership, between citizens, businesses, Government and other nations. The challenge lies in all players responsible stepping up to take collective responsibility for security.

We will almost certainly be, in time, a Smart Nation. But whether we can be a secure Smart Nation depends on the extent to which those with a vested stake - including ordinary citizens - rise to the challenge.

Dr Shashi Jayakumar is head of the Centre of Excellence for National Security at the S. Rajaratnam School of International Studies, Nanyang Technological University.

Benjamin Ang is coordinator of the Cybersecurity Programme at the Centre of Excellence for National Security at the S. Rajaratnam School of International Studies.

No comments:

Post a Comment