The way forward for Singapore’s Digital Defence
By Shashi Jayakumar
Dr Shashi Jayakumar, Head of the Centre of Excellence for National Security at the S. Rajaratnam School of International Studies, on why Singapore must step up people’s resilience.
It is to be hoped that these moves continue. Cyberspace is unregulated, with state-backed actors and criminal enterprises hiding behind difficulties in attribution when undertaking malicious activity, as well as trusting to their ingenuity – and relying on human folly.
Criminal hackers are unlikely to heed appeals to reason (witness the callous ransomware attacks on healthcare institutions around the world during the COVID-19 pandemic), but at both the ASEAN and UN level (where the wider debate is being played out), it is vital to try to come to agreement on rules of the road for state behaviour.
The International Stage: Cyber Offence
When it comes to big-ticket cyberattacks, a great deal of the headline-grabbing activity is reported in the West. But we cannot afford to be naïve about this. Southeast Asia is a theatre for this too. Some of the APTs active in Southeast Asia use sophisticated techniques, social engineering and watering hole attacks that are similar in sophistication to what is seen elsewhere.
Motives could include data theft, theft of intellectual property, or stealing government secrets. Hacking is also a tool of state espionage. Some APT (Advanced Persistent Threat) groups, including those operating within Southeast Asia, are well known in the cybersecurity community. Some are thought to have targeted businesses in Singapore. APT 32, with alleged Vietnamese links, is a case in point.
It would be invidious, however, to single out any particular nation for using cyber to further state interests: Whitefly, the APT thought to have been behind the worst cyberattack in Singapore’s history, is thought to have targeted other organisations in Singapore across a range of sectors, and likely has links to a state power too.
The Singapore threat landscape
While the 2017/2018 SingHealth/IHiS cyberattack was the most serious breach Singapore has experienced, it was not the only attack to target government agencies. In the past few years, other ministries like Foreign Affairs and Defence have also been targeted and breached.
There are other targets that bear mentioning. In April 2017, hackers infiltrated the networks of the National University of Singapore and Nanyang Technological University in what appeared to have been an attempt to steal sensitive government and research data.
Given the world-class stature of our institutions of learning, and the cutting-edge research done there, we should in the coming years expect an intensification of these attacks. COVID-19 has, for example, taught us to expect cyber-attacks against medical institutions – some have been opportunistic ransomware attacks, but others appear to have been aimed at exfiltrating cutting-edge research such as biomedical data and data related to vaccine development.
What we have not had, but which others have, is a multidimensional attack that affects the nation holistically – not just at the level of institutions, but at the people level too. In 2007, Estonia suffered a cyber-attack (involving botnets and DDoS attacks) that crippled banks and some government agencies. This was a wake-up call and led to deep thinking on aspects of resilience and continuity.
We should recognise the risks of this type of attack happening in Singapore. The risk is in fact inherently bound into our future as a Smart Nation. As the Chief Executive of the Cyber Security Agency (CSA), David Koh, has observed, “Cyber security is a key enabler for Smart Nation. We can't be a Smart Nation that is trusted and resilient if our systems are open and vulnerable.”
This is worth pondering. The reality of the Smart Nation means innumerable IoT nodes at the individual, household or precinct level. If sheer inertia or a prevailing attitude of poor cyber hygiene means the majority are left unsecured, then the Smart Nation vision is critically hamstrung from the start.
This weakness has already been remarked on by those in the know: a 2018 report by cybersecurity firm F5 Labs notes that Singapore has consistently appeared in the top five destinations for IoT attacks.
The safety and security we take for granted in our daily lives sets up what might be called the “normalcy conundrum”. At the people level, there is the expectation that security is ensured, leading us to neglect basic precautions – in part because we assume the government will handle serious incidents.
A major nationwide cybersecurity survey conducted by CSA in 2019 found seven out of 10 respondents exhibiting high levels of concern when it came to having their computers hacked, having personal information stolen, or falling victim to an online scam. But less than half of respondents felt that they themselves would fall victim to a cyberattack.
The IHiS/SingHealth breach was an attack against Critical Information Infrastructure (CII). There are other parts of CII – utilities (the power grid and water, to name just two) connected to complex ICS and SCADA systems – that in other countries have come under attack, or under reconnaissance by hostile actors.
Given this, it is not surprising that CSA has in recent years placed emphasis on building capabilities and resilience in this area. There are now sector-specific cyber exercises to ensure CII readiness (Exercise CyberArk being an example); these involve tabletop exercises that gradually build up to realistic crisis simulation.
The Ops-Tech Masterplan (2019) should also be counted as a milestone in this regard. Besides OT cybersecurity training, the Masterplan envisions information sharing through an OT Cybersecurity Information Sharing and Analysis Centre (OT-ISAC) – a model that has been successfully tried in the United States.
Within government, there has been an emphasis on remediation and learning from past lapses. A concerted push to accelerate remediation could be discerned from late 2019 onwards, with the Smart Nation and Digital Government Group (which consists of the Smart Nation office under the Prime Minister’s Office and GovTech) working with public agencies to effect deep changes at the “technical, process and people levels to address the systemic causes” behind findings of vulnerabilities by earlier committees.
Several measures were announced in early January 2020 to reduce vulnerability at the IT, systems, and people level. These pertained to areas of concern that had been flagged repeatedly by previous committees, such as the introduction of automated tools across government agencies that would enable reviews of activity logs of privileged user accounts and flag any unexpected behaviour.
Finally, in the works is a comprehensive revision of the government instruction manual dealing with IT security, with the new standards to be benchmarked against leading industry practices.
These moves are important as continued lapses can affect public trust in government.
Moves for the future
The best hackers are adaptable and versatile. They think in an insurgent but still logical way when it comes to the exploitation of human and technical weaknesses. On the defence side, what is needed is more by way of empowering people and unearthing talented individuals.
CSA is leading a new and promising national SG Cyber Talent initiative – this aims to nurture a new generation of cybersecurity talents, and aims too to deepen the skills of current cybersecurity professionals. Bug bounty programmes have also been used with increasing regularity by government agencies.
These programmes thus far appear to have proved reasonably effective in unearthing vulnerabilities. Added plusses include demonstrating a culture of openness and willingness on the part of officialdom to engage the ethical hacking community (including the international hacking fraternity), in addition to spotting talent that can potentially contribute to national cyber defence down the line in more tangible ways.
More could certainly be done. It would be interesting to see, for example, whether more bug bounty competitions are organised specifically for IoT vulnerabilities – much like the challenge Microsoft has thrown down for ethical hackers to break into its Azure Sphere IoT OS.
One also wonders whether devolved but still empowered groups of “cyber militia” with the requisite experience could come together – as they have done in Estonia and in various parts of the United States. Some of these cyber volunteers coalesce for info sharing or threat escalation/reporting (the COVID-19 Cyber Threat Coalition is an example), to protect key infrastructure like healthcare, or in some instances, to directly take on malicious actors.
States that have considered the issue deeply know that cyber resilience is not simply an issue of technical or engineering competence. High-level direction, empowering the private sector and individuals – all these need to be captured within a comprehensive vision that clearly communicates national objectives.
Only when this communication permeates thoroughly at the people level can we reach a holistic notion and understanding of cyber resilience.