Exclusive interview: Singapore's cyber security czar

By Amit Roy Choudhury

Private sector needs to step up to help government in cyber security, says Singapore’s cyber security chief David Koh.

If you like team sports, cybersecurity could be your game.


David Koh, CEO of Singapore’s Cyber Security Agency, notes that the government cannot deal with the cybersecurity needs of the nation on its own.


“Cybersecurity is a team sport… private sector organisations need to do their part and take proactive steps to protect their systems,” he says, adding that the private sector (as well as individuals) needs to complement the government’s efforts by reaching out and helping a wider group of end users.


Koh is a veteran of public service in Singapore and with the recent passing of the Cybersecurity Act, his role and responsibility has gone up with his appointment as Singapore’s Commissioner of Cybersecurity, a position that could be described as that of a Cybersecurity Czar for the Republic.


Last month, Koh was given the first International Leadership Award by US-based Billington CyberSecurity at the Annual Billington International Cybersecurity Summit at Washington DC. The award is in recognition of his many years of public service.


Conferring the award, Billington CyberSecurity , an independent media company which organises high level executive forums, conferences and seminars about cybersecurity, noted that Koh has made great contributions towards shaping international and regional cooperation on cyber capacity building and he has played a significant role in Singapore being ranked number one in the International Telecommunication Union’s Global Cybersecurity Index (GCI) for 2017.

Prime target

Speaking to Govinsider, Koh observes that as a commercial hub with high inter-connectivity, Singapore continues to be a prime target for cyberattacks. Going forward cyber threats will only intensify and “we will have to keep improving our cybersecurity efforts to stay ahead of malicious actors”.


While the government will take the lead to protect Singapore’s cyberspace it cannot do the job alone. “Combating cyber threats requires collective action by individuals, organisations and communities. We need everyone to play their part in keeping our cyberspace safe,” Koh adds.


"Combating cyber threats requires collective action by individuals, organisations and communities.”

Globally, cyberattacks are occurring more frequently and are getting more sophisticated. Koh notes that by their very nature, cyberattacks are borderless, “[and] so what we see happening around the world will happen to Singapore too”.


This is evident from the WannaCry/not Petya ransomware attacks last year. Koh makes the important observation that government systems are also potentially vulnerable to these attacks, as seen from the breaches at Singapore’s MinDef (Ministry of Defence) last year and the recent phishing attack on four universities.

New cyber law

Talking about the new Cybersecurity Act, Koh observes that it defines the roles and responsibilities of Critical Information Infrastructure (CII) owners in ensuring the cybersecurity of their respective CIIs. It also empowers CSA to take pre-emptive action and investigate cyber incidents.


“This will strengthen our ability to prevent and respond effectively to national cybersecurity threats. It also prescribes a new licensing framework for cybersecurity service providers.


“This framework will be a light touch to strike a balance between industry development and cybersecurity needs.”


The CSA chief adds that, while the Act is important, it is just a part of Singapore’s broader Cybersecurity strategy. “CSA’s work in other areas, such as in raising cybersecurity awareness of the public and businesses, research and development, growing the pool of cybersecurity talents, supporting start-ups and the development of innovative solutions through funding and fostering closer collaboration with our international partners, are critical pieces of the puzzle which CSA is similarly devoting our resources to,” he notes.


Commenting on the internet separation rules that were mandated for government departments in Singapore, Koh adds that this policy has been effective in reducing the “attack surface, and to disrupt the cyber kill chain”. The policy mandates that government officials use separate devices to access the internet. Devices holding sensitive government data can no longer be connected to the web.


However, government systems still remain attractive targets to hackers and there are still other avenues that they can use to gain entry.


The government has a duty to protect “our secrets and citizens’ data”, and it is a constant battle to stay a step ahead of malicious actors, says Koh.

Education is crucial

“We need to invest in strong cyber defences, not just with new technology, but to also attract the right talent. The introduction of the Cybersecurity Professional Scheme of Service and our scholarship schemes are some of the recent efforts to this end.

“While we do all these, the weakest link remains the human factor. The government also has in place employee awareness initiatives to ensure that public officers are kept abreast of cyber threats and the cybersecurity measures to take.”


Elaborating on the human factor being the weakest link, Koh observes that this explains why phishing has been such a popular and successful tool for hackers as users continue to click on random links and attachments.


“Findings from our surveys have shown that while the public are generally aware of cybersecurity threats, they do not take the necessary precautions. This could be due to complacency stemming from Singapore’s reputation as a safe country. Education is the key.”


He adds that CSA, together with its partners, have been working to raise cybersecurity awareness and adoption of cybersecurity measures by individuals and businesses. “This is done through campaigns and events such as conferences as well as the dissemination of timely alerts and advisories through CSA’s SingCERT.


“Our attackers are well-resourced and highly skilled; we cannot win if we don’t level up,” he adds.

Building up skills

The government is committed to ensuring that Singapore has an adequate and well-trained cybersecurity workforce to meet industry demand. “We have launched wide-ranging schemes such as the Skills Framework for ICT, Cybersecurity Professional Scheme of Service, the Cyber Security Associates and Technologists (CSAT) Programme, MinDef’s Cyber NSF Scheme, as well as established the CSA Academy to boost cybersecurity expertise.


“These programmes are designed to raise awareness, and target different segments of the population to join the cyber security industry.” 

“Our attackers are well-resourced and highly skilled; we cannot win if we don’t level up.”

Koh adds that there has been a healthy take-up rate for these new initiatives. “We are also seeing encouraging increases in intakes for our degree and diploma courses. The results will not be immediate but we are encouraged by the responses so far.”


The CSA boss makes a final point that the cybersecurity sector is not all doom and gloom. Cyber security is a source of good jobs for our people, and cyber is a growth industry which offers many opportunities, say Koh.


Global spending on cybersecurity products and solutions is forecasted to exceed US$ 1 Trillion by 2021. At a local level, PwC estimates that the projected market for cybersecurity could exceed US $678 million by 2020.


There is demand to fill up to 3,400 full-time jobs in the cybersecurity profession to support our projected growth, Koh notes, adding: “Against these favourable market trends, our Smart Nation ambitions will be another key demand driver to create economic opportunities and good jobs for our people.”


While Koh captains the team, Singapore certainly needs a strong defence, good training, and reliable partners to clinch the goals.


Amit Roy Choudhury is a senior technology journalist who writes a weekly piece for GovInsider.


Main image by Cyber Security Agency of Singapore, Facebook