Sonya Chan, Deputy Director, Strategy and Planning (Emerging Technology), Cyber Security Agency of Singapore (CSA)

1. How do you use technology/policy to improve citizens’ lives? Tell us about your role or organisation. 

My team was set up late last year in the Cyber Security Agency of Singapore (CSA) and deals with emerging technology policy with a focus on security.

This was because CSA recognises that the rapid adoption and development of new technologies, such as AI and quantum computing, will bring new implications for security and resilience.

We have already seen some of these, including how AI is being (mis)used by malicious actors to write code or to scam victims. So our job is to stare at these really hard, and design and coordinate the levers (policy, operational, or technical) that are required to address them.

To do this effectively, we work with experts and stakeholders locally and internationally, both in the public and private sectors. 

Our goal is to ensure that even as we adopt new technologies nationally, our organisations as well as citizens are safeguarded as far as possible from new security risks.

This is so that they continue to have trust and confidence when interacting and communicating in the digital domain. 

To subscribe to the GovInsider bulletin click here.

2. What was the most impactful project you worked on this year? 

I think we have made some useful inroads in AI security this year.  

The security of AI is still relatively less understood – especially as compared to other issues such as bias – and fairly esoteric (tends to be discussed just between cybersecurity professionals).

But we see it as critical and urgent, especially as there is growing adoption of AI by organisations that may not traditionally be familiar with security. They may not know that what kind of testing they should do before deploying AI models.

This kind of uninformed use of technology is also sometimes referred to as “shadow IT” and can exacerbate risks that could otherwise have been addressed. 

This year, my team’s focus was on raising awareness and seeding our capabilities.

We co-developed the Trusted Environment enabler of the National AI Strategy 2.0 to reflect our intentions to raise the security and resilience of AI systems.

Following this, we worked with our engineering colleagues to develop the Guidelines and a Companion Guide for Securing AI Systems. This was to address the gap we saw internationally on practical, holistic advice for AI system owners.

We launched these documents recently at the Singapore International Cyber Week 2024 in October, following a public consultation where we received lots of useful feedback from government agencies, industry, and international partners.

This year, CSA has also contributed to Project Moonshot led by the Infocomm Media Development Authority, with security benchmarks for Gen AI systems. Many of our stakeholders said that they found the products useful. 

We will continue to step up our efforts to see how we can support safe and secure adoption of AI. 

3. What is your key takeaway in 2024?

A lot of my team’s work cuts across divisions within CSA, agencies, and countries.

Every stakeholder has different objectives, priorities, resources and competencies. The difficulty – but also the satisfaction – is in arriving at mutually agreeable positions.

Much of the time, you may end up with unexpected outcomes.

Ultimately, it is most important to be clear about why we want to do something. The how’s and what’s are usually where you can find space to agree. 

4. What are your priorities for 2025? 

We are looking to build stronger testing capabilities for AI in the coming year.

There are plenty of questions – what this would look like next to conventional cybersecurity testing, what sort of competencies you need to do this well, and what risks can we address now vs. others that we just need to wait for technology to keep up with.

We can’t do this alone and are exploring how we can most meaningfully engage ecosystem players from industry and academia to work together on this.  

CSA is also developing the national approach towards becoming quantum-safe, to ensure that critical systems and confidential data are safeguarded against quantum-enabled risks.

The release of the three post-quantum cryptography standards by the National Institute of Standards and Technology this year gave us migration options to consider.

We are studying how to support migration, while recognising that it will likely have implications in terms of cost and operations. 

5. What advice do you have for public sector innovators? 

I was advised earlier in my career that it is important to be comfortable with uncertainty. I pass this on but with a slight change – that it is important to know how to deal with uncertainty, even if you are uncomfortable.  

Things are becoming increasingly unclear. Technology moves so fast that it can be challenging to keep up even if you have a technical background.

The interplay of policy, operations and technology makes it often difficult to identify a good landing point between stakeholders. Geopolitical issues add another layer of complexity.  

I find it useful to have a frame for sorting out the way forward. This differs for everyone, but for me – I find most important to distil what we want to achieve, and what decisions have to be made now.

Then to read and ask as much as you can in order to make that decision – you may never be 100% sure that it was right. But being as prepared as possible can help you to own and address the outcomes.  

6. Who inspires you today? 

My parents raised my sister and I with a strong sense of values.

I have also had the benefit of working with fantastic bosses across my career that have dared to make difficult decisions, always kept in mind how to contribute to the organisation’s mission and took the effort to nurture and develop the potential of their staff officers.

I am also lucky to work with a team of committed and diligent officers. All of them inspire me to do my best. 

They challenge me creatively and push me to solve problems in new ways every day.