A message from CAG security team, please be alert and standby to support.
Hi All,
Over the National Day period, there could be possible cyber threats targeting Critical Information Infrastructure (CII) systems and non-CII systems (including public facing websites) so as to cause disruption and embarrassment to Singapore. This could be in the form of DDoS attacks, web defacements or any form of cyber attacks that cause embarrassment to CII operators and the Singapore government.
System owners are advised to adopt a heighten security posture for the coming *one week ending 15 Aug 2017, with immediate effect*, with emphasis on the following measures:
(1) Security Operation Centres (SOCs) or any other security monitoring set-up to intensify monitoring,
(2) Activate operations resources on standby,
(3) Standby resiliency measures,
(4) Ensure full system patching of critical systems.
Please ensure that the system’s primary and backup remain contactable for the next 24/7 during this period.
Happy National Day ! Stay Vigilant !
Stay up to date about the latest cybersecurity threats and best practices at
CLOUDSEC 2017, 22nd August 2017, Singapore. Click here to attend.
As Singapore presses forward with its Smart Nation
initiative, increasing effort and attention has been put into
cybersecurity and its importance in facilitating the country’s digital
economy.
Whilst cybersecurity is a global issue affecting all
countries, in Singapore’s case, there have been a remarkable number of
new initiatives, partnerships laws and organisations that have been
launched to support the country’s aims.
To better understand what’s going on with
cybersecurity in Singapore, in this article we will examine the level of
cyber-threat facing Singapore and many of the latest developments the
country is taking to better protect itself.
Notable Cyber-attacks
There have been a variety of notable reported
cyber-incidents affecting organisations and individuals in Singapore.
Some of these include:
- In early February 2017 a targeted attack against the Ministry of Defence (Mindef) internet access system resulted in the theft of the personal data of about 850 national servicemen and Mindef employees.
- In October 2016, two cyber-attacks disrupted local telco provider, Starhub’s broadband service, leaving customers unable to access the internet on two occasions for about two hours each. This was caused by a distributed denial-of-service (DDoS) attack against Starhub’s Domain Name System (DNS).
- In March 2016, a Singaporean man was sentenced for having cracked the passwords of 293 SingPass accounts, the account that all citizens and residents use to access government services. The man was sentenced to five years and two months in jail. Since the attacks took place, Singapore has now implemented two factor authentication meaning that this type of attack is no longer possible.
Whilst each of these incidents is interesting in its
own right, it’s worth noting that individual incidents like these are
not representative of the country’s level of cybersecurity, so let’s
take a step back and take a broader view.
How Vulnerable is Singapore?
There is a lack of comprehensive data on
cyber-attacks not just in Singapore but worldwide, meaning that any
assessment that compares the number of cyber-attacks or their impact
between countries needs to be considered a best-estimate based on
available information rather than hard fact. Despite this, several
organisations have tried to create a measure of the most prepared and
most vulnerable countries.
In the Deloitte Asia-Pacific Defense Outlook 2016,
Singapore ranks 5th of the highest vulnerability economies to
cyber-attack. This is calculated according examining how extensively
each economy relies on internet-based interactions and is a reflection
of how digitised the country is.
Then according to the 2015 Global Cybersecurity Index
by the International Telecommunication Union (ITU) and ABI Research,
Singapore ranks joint 6th in the world in terms of cybersecurity
readiness, alongside Israel and other countries. (An updated 2017 index
is currently being prepared).
So according to these two reports, (there are many others) Singapore ranks amongst the most prepared and also most vulnerable.
What is Singapore doing to Enhance Cybersecurity?
In short; lots. Too much to list in its entirety if
you include all the international partnerships and new cybersecurity
centres that have been launched. But to answer this question, we will
focus on some of the major initiatives.
In 2015 Singapore launched its dedicated Cyber
Security Agency, (CSA) which brought together all existing cybersecurity
agencies and initiatives such as the Singapore Computer Emergency
Response Team (SingCERT) and the responsibility of cybersecurity
master-planning. This mirrors what other countries around the world are
doing as well, consolidating disparate cybersecurity organisations under
fewer senior decision makers to strengthen decision making.
Also in 2015, a special cybersecurity department
named Cybercrime Command was established within the Criminal
Investigation Department of the Singapore Police Force. This was
followed by the launch of the National Cybercrime Action Plan in 2016,
which prioritised the actions needed to fight cybercrime including
public education, capability building, strengthening laws and
international partnerships.
In October 2016, Prime Minister Lee Hsien Long
announced Singapore’s latest cybersecurity strategy, expanding on
previous plans by incorporating and emphasising the importance of
international cooperation. The four pillars of the strategy are:
- Building a resilient infrastructure;
- Creating a safer cyberspace;
- Developing a vibrant cybersecurity ecosystem;
- Strengthening international partnerships.
Then in March 2017 it was announced that Singapore
will launch a new Defence Cyber Organisation (DCO), which will exist to
monitor and defend the Singapore Armed Forces’ (SAF) networks from
cyber-threats. Notably, this came quickly after the cyberattack against
Mindef that happened in February 2017. Usually the creation of new
branches of government organisations take a long time to plan and
finance but in this instance, Mindef wasted no time in their response.
In April 2017, the Computer Misuse and Cybersecurity
Act (CMCA) was updated, so that activities such as dealing in hacking
tools or in personal information obtained via a cybercrime is now
classified as an offence.
Also on the topic of law, the Personal Data
Protection Commission (PDPC) has been acting against organisations in
breach of the privacy obligations set out in the Personal Data
Protection Act (PDPA). As of December 2016, the PDPC had issued fines to
sixteen organisations in breach of the PDPA, actions aimed to encourage
other organisations to take their data privacy obligations more
seriously.
In addition to all this, there are also many
initiatives encouraging students to get into cybersecurity and for
professionals to train in this area. Funding has been made available and
many agreements between universities and private companies have been
made to grow the talent pool. Additionally, CSA launched its “Live Savvy
with Cybersecurity” roadshow and advertising campaign in February 2017,
to educate the public on cybersecurity best practices.
Cybersecurity Challenges Ahead
Enhancing cybersecurity is an ongoing journey, with
no fixed destination. According to Chai Chin Loon, Senior Director of
Cyber Security Group at GovTech, who spoke to CIO Asia in late 2016,
there are three main challenges on Singapore’s road ahead.
"[Firstly,] we need to find a balance between users’
needs and organisations’ needs, as well as having a view of the macro
cybersecurity landscape. As a government, we also need to think beyond
the traditional concepts of confidentiality, integrity and availability.
We have to also balance usability against cost with security. The
right pragmatic balance of these three parameters is becoming more and
more important."
Secondly, it is not easy to get people to understand
that they are truly the weakest link. Cybersecurity is very much
dependent on the end user as the last line of defence after a malicious
email or software manages to get past the system's initial defences. It
is therefore important that end users are aware of cybersecurity
matters, something which is not always on the back of people's minds, Mr
Chai asserted.
Lastly, it is crucial to create an ecosystem. This
can be a challenging task, due to the large number of agencies and
stakeholders within the government. "Piecemeal security or agency-level
arrangements do not make our networks safer, because an attacker can
still enter the network via a weaker agency," explained Mr Chai.
The Future of Cybersecurity in Singapore
As shown in this article, between 2015 – 2017
Singapore announced a vast array of new cybersecurity initiatives, laws
and organisations in rapid succession. As a result, it is the opinion of
this author that Singapore’s cybersecurity preparedness ranking will
rise in the next edition of the Global Cybersecurity Index. Yet
Singapore’s cybersecurity journey is far from over, with even more
initiatives scheduled over the coming years.
For example, as part of Singapore’s Smart Nation
Initiative, the Ministry of Trade and Industry is creating Industry
Transformation Maps (ITMS) for 23 key industrial sectors in Singapore’s
economy, which make up over 80% of the country’s GDP. The ITMS will
promote growth and competitiveness by encouraging, amongst other things,
innovation, digitisation and employee training. As the ITMS are
planned, members of Singapore’s cybersecurity industry are working to
make sure that security considerations are factored in.
Seven ITMS have already been launched, with the
remaining being rolled out of the next two years. Following that, the
real challenge begins for the various industries to not only transform
themselves, but to do so securely.
Stay up to date about the latest cybersecurity threats and best practices at CLOUDSEC 2017, 22nd August 2017, Singapore. Click here to attend.
No comments:
Post a Comment