Singapore announces new cybersecurity strategy


11 October 2016
Lee Hsien Loong

Singapore has taken a broader approach to cybersecurity readiness planning with the launch of a national strategy that encompasses the protection of critical infrastructure; the creation of a safer cyberspace; capability building; and international collaboration.

Building on the past three cybersecurity masterplans (launched in 2005, 2008 and 2013), Singapore’s new cybersecurity strategy, which was announced by Prime Minister Lee Hsien Loong at the opening of Singapore International Cyber Week in October, retains as a key focus the protection of critical infrastructure and essential services.

In his speech, PM Lee highlighted how globally, cyber threats and attacks are becoming more frequent and sophisticated, with more severe consequences. He spoke about the successful attack on a Ukrainian power grid which left many Ukrainians without electricity for hours and highlighted how Singapore, too, has been targeted with its government networks regularly probed and attacked, and its financial sector suffering distributed denial of service (DDOS) attacks and data leakage.

Under the first pillar of the new cybersecurity strategy - building a resilient infrastructure - the Cyber Security Agency (CSA) will have powers to direct operators of essential services to develop robust cyber risk management frameworks and responses.

Speaking at a media briefing, the agency’s chief executive David Koh said CSA is working actively with operators of critical information infrastructure (CII) either directly or in coordination with sector leads who are usually the regulators of the respective essential services, such as the Monetary Authority of Singapore for the banking and finance sector, and the Energy Markets Authority for the energy sector. “We have been working with the operators to educate them on the threat of cyber and to help them level up in terms of understanding the risk, managing the risk and taking appropriate action to harden their systems.”

In his speech, PM Lee also said Singapore will be investing more of its ICT budget to strengthen government systems and networks, especially those that handle sensitive data, to protect them from cyberattacks.  

As a guideline, about 8 per cent of the ICT budget should be spent on cybersecurity. Providing comparative estimates, Koh said in the banking and finance sector, cybersecurity spending could go up to 10-15 per cent of the ICT budget while other sectors may spend between 7 to 10 per cent. “It depends on the nature of the business and the threat you are facing; the kind of risk mitigation that you need to do; and your risk appetite.”

Likewise, for the public sector, each project will have to be examined on its own merit, and the cybersecurity budget will depend on the nature of the environment, the kinds of threats the agency if facing and the kind of information that it is holding on to. It will also be a function of were the agency is, in terms of cyber-maturity.

The bottom line, however, is that cybersecurity will have to be pushed up the agenda, even if it means sacrificing some other projects or system functionalities, said Koh.

Another key pillar of the Singapore cybersecurity strategy is to work with businesses and individuals to create a safer cyberspace. “The CSA will not just regulate by fiat, but partner businesses too,” said PM Lee. The agency will issue regular advisories to businesses on imminent cyberattacks and emerging cyber threats and provide technical guides and self-help cybersecurity checklists to help businesses strengthen the security of their networks.

“Companies must understand that cybersecurity is also their problem and make the necessary investments to protect their customers, because businesses are prime targets too,” he said.

If the second pillar is about broadening the reach of cybersecurity efforts, the third is about deepening Singapore’s operational and technical capabilities in this space, said Koh of CSA.

One area within this is cybersecurity manpower development, and this is being tackled on three fronts. The first is to provide working adults with opportunities to move from another profession into cybersecurity, and this is being done through initiatives such as the Computer Security Associates and Technologies (CSAT) programme. The second is to partner institutes of higher learning to develop curricula which are useful and relevant, in order to grow the pipeline of cybersecurity talent. And the third is to create awareness in schools, for example, through secure competitions such as the Singapore Cyber Conquest.

Going beyond the previous masterplans, the new cybersecurity strategy also introduces the international dimension with “strengthening international partnerships” as a key pillar in Singapore’s cybersecurity efforts. In his speech, PM Lee highlighted the need to cooperate with other countries to respond to cyber threats because cyber attackers do not respect jurisdictions. “Attacks can come from anywhere in the world. They can be routed through any number of intermediate nodes, and the IP addresses we can see are probably not the ultimate attackers”.

Recognising this, Singapore is looking to foster regional and international collaboration on cybersecurity in the form of dialogues and projects, said Koh, pointing to the strong international presence at the inaugural Singapore International Cyber Week and the hosting of the first ASEAN Ministerial Conference on Cybersecurity. Singapore also hosts the Interpol Global Complex for Innovation, which provides a strong impetus for international collaboration on cybersecurity.

Summing up, Koh said cybersecurity is important as an enabler of Singapore’s Smart Nation vision. “We can’t achieve Smart Nation, we can’t deliver the kinds progress that technology promises us, unless we can have a resilient, cyber safe environment to operate in,” he said. And this can only be achieved in partnership with industry, businesses, communities, individuals, research institutes and academia.

The cybersecurity strategy is not a whole-of-government activity, said Koh. “It is not the Singapore government cybersecurity strategy; it is the Singapore cybersecurity strategy.”