Meet GI's Cybersecurity Champion: Dr Liu Yang, Executive Director, CyberSG R&D Programme Office, Singapore

This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does. 

Prof. Liu Yang is a Full Professor at Nanyang Technological University (NTU) and serve as the Executive Director of Cyber Security Research Centre @ NTU, as well as the Executive Director of CyberSG R&D Programme Office (CRPO).  

His expertise spans cybersecurity, software engineering, and artificial intelligence, with research focused on bridging the gap between theoretical foundations and practical applications in program analysis, data analytics, and AI-driven security solutions.  

Having published over 600 papers in top-tier conferences and journals and received 30+ best paper awards, Prof Liu is leading several major research initiatives, including Cysren, Trustworthy AI in NTU (TAICeN), CREATE Center with ICL on medical device security and CyberSG R&D Programme Office (CRPO).  

The CyberSG R&D Programme Office (CRPO) is a national cybersecurity research and development centre based in Nanyang Technological University (NTU) Singapore. It was established by the Cyber Security Agency of Singapore (CSA) in September 2023, with S$62 million in funding.  

CRPO spearheads the translation of research prototypes into usable products and services for both the national security agencies and industry. It facilitates the commercialisation of cybersecurity technologies, positioning Singapore as a global leader in cybersecurity innovation and implementation. 

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally? 

Cybersecurity is a constant tug-of-war between attackers and defenders.

The rise of AI, advancements in operational technology, and shifts in human behavior and lifestyles have redefined the cybersecurity landscape, introducing new complexities and vulnerabilities. 

The resulting technical threats that define today's challenges can be categorised into the following areas: 

First, Social Engineering. Things like phishing, scams, and impersonation are getting more advanced, especially with AI making fake emails, voices, and videos more convincing. These attacks target people, not just systems. 

Second, Legacy Systems. A lot of government systems still run on old technology that’s hard to update. These systems often lack basic protections and are easy targets for attackers. 

Third, Supply Chain Risk. Public agencies use a lot of third-party and open-source software. If one part of that supply chain has a hidden vulnerability, it can impact everything else connected to it. 

Fourth, AI-Powered Attacks. Attackers are starting to use AI to find weak spots faster and to make their attacks more adaptive. Defenders don’t always have the tools to keep up at the same pace. 

Fifth, Insider Threats. Mistakes or intentional misuse by people inside an organisation, like lost credentials or unauthorised access, can lead to serious breaches, and they’re often hard to detect. 

Sixth, Long-Term Intrusions. Some attacks aren’t just quick hits—they’re slow, quiet, and focused on staying hidden for months. These persistent threats can cause long-term damage if not caught early. 

Cybersecurity considerations in the public sector are influenced by the complexity of governmental networks and the large volume of sensitive data they manage.

These factors present distinct security challenges and shape the potential consequences of cyber threats, affecting areas such as national security, public trust, and institutional stability. 

To subscribe to the GovInsider bulletin, click here. 

Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view? 

AI Innovations has indeed transformed Cybersecurity from knowledge adaptation into insights generation and advanced methodological development.   

In my recent panel discussion at the STACKx Cybersecurity 2025, I highlighted these three key areas that we should take note of: 

Automated Discovery: AI-driven systems can autonomously identify novel attack vectors and defense mechanisms, enhancing the ability to detect threats in real time. 

This allows organisations to detect threats in real time, reduce dwell time, and prioritise risks based on context. For example, AI models can analyse massive volumes of logs and traffic data to flag suspicious behaviors that traditional rule-based systems would miss. 

Adversarial Simulation Battles: AI-powered techniques that simulate adversarial scenarios to refine both offensive and defensive cybersecurity strategies, enabling organisations to anticipate and counter sophisticated threats. 

These simulations allow defenders to test how well their systems hold up under various threat models, including zero-day scenarios or advanced persistent threats. By automating red-teaming and scenario planning, AI helps refine both offensive and defensive tactics with greater accuracy and speed. 

Attack and Defense Frameworks: AI-enhanced methodologies that strengthen security postures by proactively adjusting to evolving cyber threats. 

We’re also seeing the emergence of AI-enhanced security frameworks that can adapt on the fly. These frameworks combine behavior analysis, predictive modeling, and automated policy enforcement to respond to evolving threats in real time.

Rather than waiting for patches or alerts, these systems proactively adjust configurations, block malicious behavior, and even isolate affected components to prevent spread. 

The core challenge is that cyberwarfare is becoming a high-speed arms race—whoever wields AI more effectively gains the advantage. Governments, businesses, and individuals must invest in AI-driven security to keep up, while policymakers regulate AI tools to prevent misuse. 

Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?

A whole-of-government or whole-of-country cybersecurity posture is crucial in today’s hyperconnected world. Cybersecurity extends beyond just the technology; it is a coordinated and shared responsibility for all to build up the resilience of the nation.  

Cybersecurity defense operates as an interconnected loop, where various stakeholders must remain aware of their roles in sustaining security and resilience. Any weakness within this framework, whether technical, procedural, or human, can compromise the entire framework. 

As part of this ecosystem, CRPO seeks to bolster the R&D of cutting-edge technologies and increase collaborations between agencies, industry and public – private partnerships to commercialise these cybersecurity technologies and reinforces its commitment to build innovation-driven resilience of the ecosystem. 

The lack of qualified cybersecurity professionals is a global problem, how do you think this can be overcome?

Yes, the shortage of cybersecurity professionals is a serious global issue, and addressing it will require coordinated efforts across multiple stakeholders. 

First, governments and educational institutions can help broaden the talent pipeline. That means updating curricula, funding scholarships, and creating programs that welcome people from diverse backgrounds—not just computer science majors.

It’s also about raising awareness early on, even at the high school level, that cybersecurity is a viable and meaningful career path. 

Second, training providers and industry leaders need to focus more on practical, hands-on learning. Certifications, bootcamps, and real-world simulations are far more effective than theory-heavy courses alone.

Companies can also provide internships or apprenticeships that help people build experience before entering the workforce. 

Third, employers play a big role in encouraging mid-career transitions. People in IT, software engineering, or networking already have a strong foundation, they just need support to pivot into security roles.

That might mean offering internal reskilling programs, mentoring, or flexible certification support. 

Fourth, technology vendors and cybersecurity firms can help by continuing to build tools that automate routine tasks, like threat detection, log analysis, or patch management. That allows smaller teams to work more efficiently and reduces the pressure caused by staff shortages. 

Finally, everyone in the ecosystem, from educators to employers to policymakers, needs to work on changing the image of cybersecurity. It’s not just about technical hacking skills.

It’s about protecting real-world systems that affect lives, economies, and national stability. Framing cybersecurity as a high-impact, purpose-driven field can attract a more diverse and motivated workforce.