Singapore intends to use CrowdStrike incident to enhance capabilities

In its first detailed response to the recent CrowdStrike outage, the Singapore government has said it intends to learn from this incident and enhance its recovery capabilities.

The Ministry of Digital Development and Information (MDDI) spokesperson told GovInsider: “As we have said before, it is not a matter of if but when incidents happen, and we should always be prepared to respond effectively.”

The spokesperson added that while essential and government services in Singapore were mostly unaffected by this incident, the outage caused significant service disruptions worldwide.

The MDDI spokesperson reiterated the government’s plan to introduce a Digital Infrastructure Act (DIA) to ensure the adoption of baseline security and resilience standards, and to improve the government’s visibility and understanding of significant disruptions.

The DIA will cover digital infrastructure that will have a high level of systemic impact on our economy and society if disrupted, the spokesperson said.

On the thinking behind the DIA, the spokesperson noted that Singapore “has always taken the security and resilience of our critical systems seriously”.

Faulty configuration update

On July 19, CrowdStrike issued a faulty content configuration update for its Falcon software which is used by millions of Windows-based computers to help manage against malware and security breaches.

These updates are delivered regularly by CrowdStrike and other cybersecurity companies, to keep their software up to date to tackle continuously evolving malware. In this particular update, a one-line code error resulted in 8.5 million Windows computers crashing. This was the largest IT outage in history and its total cost could exceed US$1 billion (S$1.35 billion).

The MDDI spokesperson noted that the government’s regulatory approach focuses on protecting critical systems, or Critical Information Infrastructure (CIIs) and systemically important digital infrastructure, from potential threats.

“We pay close attention to recovery plans. Our approach is to balance the need for robust security measures with practical considerations, such as risk assessment and compliance costs.” 

Regulating CIIs

To minimise disruptions to essential services, the Cybersecurity Act regulates the cybersecurity of CIIs, the spokesperson noted.

The Cybersecurity (Amendment) Bill was recently passed to expand its scope beyond CIIs to regulate the cybersecurity of Singapore’s foundational digital infrastructure. These include cloud services and data centres, and key entities in Singapore that hold sensitive data and perform important public functions.

The Cyber Security Agency of Singapore (CSA) is working closely with its partners to further raise awareness and strengthen digital resilience in organisations, the spokesperson said. 

“While the Government takes extensive measures to secure digital infrastructure and services, organisation leaders must also play their part.

“We encourage businesses to design systems with resilience in mind and avoid single points of failure where possible. They should also have comprehensive plans for business continuity, disaster recovery, and incident response,” the spokesperson said.

She added that these are strategic business decisions that enterprises should make, taking into consideration risks, potential disruptions to customers, and cost-effectiveness.

Offering practical resources

The spokesperson added that as part of supporting enterprises in their next round of digitalisation, MDDI also offers practical resources and financial assistance to encourage robust IT practices and cybersecurity measures.

“While these measures may not specifically address IT outages like that related to CrowdStrike, they can help businesses prevent incidents and recover more quickly should disruptions occur,” she said.

She noted that CSA has tailored cybersecurity toolkits for different types of organisations, such as larger organisations with Boards and C-suite or Small Medium Enterprise (SME) owners unsupported by dedicated IT teams.  

Organisations may also refer to the Cyber Essentials and Cyber Trust standards when designing their systems, she said.

“They can also get help with implementing cloud security for Software-as-a-Service (SaaS) and other cloud computing service models. CSA has worked with Amazon Web Services, Google Cloud and Microsoft to develop companion guides that are specific to their respective cloud services/environment,” the spokesperson said. 

MDDI also noted that the Infocomm Media Development Authority (IMDA) collaborates with CSA to pre-approve cybersecurity solutions under IMDA's SMEs Go Digital programme. SMEs can readily adopt these solutions with grant support, thereby strengthening their digital resiliency.

Working closely with partners

The spokesperson added that MDDI would continue to work closely with government partners, industry, and technology companies to stay informed and support organisations in Singapore when issues arise.

“We are also working with CrowdStrike and Microsoft to understand the root cause of the recent incident.  We will assess the extent to which findings can be made public so as not to compromise security,” she said. 

In a Facebook post on July 20, MDDI Minister and Minister-in-charge of Smart Nation and Cybersecurity, Josephine Teo, wrote that the government would engage Microsoft and other companies as well as consult government counterparts in other countries to “learn as much as we can from the incident and its aftermath”.