The cybersecurity threat emerging from the pandemic-induced rapid digitalisation required new thinking, innovation and multi-stakeholder cooperation. This was the over-arching theme of the recent Singapore International Cyber Week (SICW) and GovWare conference.
Various speakers dwelled on how cybersecurity practitioners need to adopt new ways of tackling the emerging cyber threat and also on the need to cooperate both nationally as well as internationally.
Senior Minister and Coordinating Minister for National Security, Teo Chee Hean, added that the fast rollout of new digital services have had the unintended consequence of opening up a wider attack surface for hackers, and this has raised the likelihood, impact and cost of a breach.
Gaurav Keerthi, Cyber Security Agency of Singapore’s (CSA) Deputy Chief Executive (Development), said in his keynote address at the GovWare conference that cybersecurity risks that “we were forced to accept” during the period of rapid digitalisation, induced by Covid-19, would continue to be a major problem going forward.
“It’s created a new security risk, both in the number as well as the depth and complexity of these risks,” he says.
He quoted SonicWall’s cybersecurity threat report which noted that global ransomware attacks rose by 62 per cent worldwide, totalling 304 million between 2019 and 2020. Other forms of cyberattacks have also increased including IoT (Internet of Things) attacks, which went by 66 per cent over 2019.
Keerthi shared a more alarming statistic. He noted that while it was well-known that cybercrime is on the rise in Singapore, what is less well understood is that “nearly half of all reported crimes” in Singapore – 43 per cent and totalling 16,000 cases – are cybercrime-related.
“This is nearly double from 9,000 cases in 2019. Think about what that means for criminals, as well as the victims,” he noted.
The way forward
This digital shift is changing society. What is the way forward?
The reality that we need to get used to is that cyberattacks are constantly evolving with new threats emerging, Keerthi said. Existing ones will continue to increase in sophistication.
Pointing out that attack on IoT devices are going up, he noted that Singapore has been embarking on the “path of digitalisation at the national level, and the government has been trying to lead by example and we’ve encouraged companies to digitise, automate and adopt innovation”.
He added that automation, in many cases, means the use of IoT devices. “Many of these devices, unfortunately, are just designed to cost or to function, but not for security. This makes them very susceptible to cyberattacks,” Keerthi said.
He added that like all electronic equipment, IoT devices are developed for ease of use and connectivity in mind. “They become vulnerable over time as hackers find new security issues”.
While patching the software on these devices is crucial, many IoT manufacturers are unlikely to issue regular updates for their devices, because they’ve moved on to the next range of equipment, he noted. Explaining why this could be dangerous, Keerthi added that at the interface level, an IoT device processes and communicates data and they’re often paired with communication apps, services and protocols.
“Many of the IoT vulnerabilities originate from insecure interfaces, including the Internet application API’s (application programming interface), cloud, mobile, and so on, and they can compromise the device and its data and possibly even the network it is sitting on,” he said.
Common issues faced included lack of device authentication authorisation with weak or no encryption even moving on to the operational technology (OT) space, he added. OT refers to the hardware and software used to control and monitor industrial equipment like, for example, pumps in public utilities.
Challenge of OT
Cyberattacks are not new, but “we’re much more concerned about them nowadays”, Keerthi said. More industries are automating their factories and connecting legacy OT systems, with little or no security built into them, to modern internet-connected systems.
Echoing the point raised by Minister Teo, Keerthi added that this has resulted in an increased attack surface for cyber threat actors.
“The reality is that because physical systems such as power grids and water plants affect our lives, they can have a huge impact. One recent example of a cyber-physical attack is that of the Oldsmar water plant hack in Florida,” he noted.
Oldsmar is a small city and home to about 15,000 people. Its water treatment plan was set up for access in such a way that its employees and external contractors could monitor the plant remotely.
In February this year, hackers accessed the system and attempted to poison the citizens by increasing the level of sodium hydroxide in the water to poisonous levels. Thankfully, an employee spotted this and reversed the action in time.
“A hack like this is a sobering reminder to us that cyberattacks are no longer confined to the IP space. It’s no longer just about data loss, but physical lives could be lost through these,” Keerthi noted.
Taking a broader view of the dangers posed by cyberattacks, Singapore’s Communications and Information Minister S. Iswaran, said at this year’s SICW, that global cooperation within the rules-based multilateral system is more important than ever for countries dealing with collective challenges in cybersecurity and tech.
The Minister likened his vision for the global cyber landscape to the existing multilateral trading system, which is governed by a set of common rules all countries abide by but also allows for closer collaboration between partners whose interests converge.
The United Nations’ work is very important in “developing that multilateral approach” for cybersecurity, he highlighted. He also emphasised the need for stronger collaboration between governments and the private sector to maximise the benefits of emerging technology.
In his concluding remarks, Keerthi said that with business leaders more aware of the dangers of cyberattacks and with digitalisation at the fore both nationally and internationally, it is a good time for the cybersecurity industry to sweep the cybersecurity backlog clean and come up with new approaches.
Companies looking to develop consumer apps in the cloud, and use cloud-native applications in development, should adopt the security by design framework, he said.
“Security by design is an approach to software and hardware development that seeks to minimise vulnerabilities by reducing the attack surface, and designing and building the security into every phase of the development cycle, including when it goes live. From a security standpoint, security by design addresses the cyber protection considerations throughout the lifecycle,” he added.
The central message that came out of this year’s SICW and GovWare conference was that while a new approach to cybersecurity was required, it was equally important to have a multi-stakeholder approach to security in a post-pandemic world where digitalisation would be the new normal.
Amit Roy Choudhury, a media consultant, and senior journalist writes about technology for GovInsider.
Image of Senior Minister and Coordinating Minister for National Security, Teo Chee Hean from SICW Twitter.