Exclusive: Inside Singapore’s Cyber Security Agency

By GovInsider

GovInsider meets David Koh, Chief Executive of Singapore’s Cyber Security Agency

When Singapore was invaded in the 1940s, bullets and bombs formed the bulk of the assault. But now, lines of code can be used instead; potentially, a country could be attacked without noticing.


The seriousness of this threat led Singapore Government to found the Cyber Security Agency, with a senior military officer - David Koh - placed in charge.


“Part of the military career deals with managing challenges when the situation is still developing, and when you don’t have the full extent of information but you still need a decision,” he explains.


“In the area of cyber security, we don’t have full information, and the landscape is changing very rapidly.” Koh has moved quickly, making big announcements on security, and setting strategies across government and industry.


GovInsider caught up with him to find out more about how Singapore is bolstering its forces in this crucial area of defense.

Hit where it hurts


“In Singapore, we have divided the critical infrastructures into 11 sectors”, Koh explains, with three industries topping the agency’s priority list: energy, telecommunications, and finance.


If the energy and telco sector were attacked, it could have severe repercussions across the country, he says.


Power grids, are “an underlying layer which everything else depends on” - traffic lights, factories and businesses can’t run without electricity. The same is true of telecommunications.


But a “significant” disruption within banking and finance would have far greater implications, he warns. “The knock-on effects would be felt, potentially, well beyond Singapore shores.”


These sectors have been well-protected through the separation of sensitive systems and strong software defenses, he notes. They are much harder to hack than customer-facing sectors - which face the bulk of attacks.


Each sector has different regulations, so Koh’s team works closely with industry regulators to set broad frameworks for cyber protection. CSA seeks to ensure a balance between usability and security, juggling cost as a third factor.


“We shouldn't, and we can’t, impose cybersecurity in an absolute sense”, he cautions, because “the only secure computer is the one that’s still in the box”. Instead, “we need to find a balance which will be acceptable to both parties”.

It’s only as strong as the weakest link


Cyber security awareness are a key focus of Koh’s work. “Singapore is a very attractive target for cyber criminals” because of its role as a commercial hub, he says.


There is a rise in complex attacks like ransomware, which take control of a computer. However, “80 to 90 percent of the attacks are not technically sophisticated”, he says, with simple measures able to prevent them.


This is why CSA is cultivating public awareness, publishing outreach messages to citizens through its SingCERT website.


“We need to do work in a coordinated manner and get everyone to understand the threat,” Koh says. “Singaporeans are used to living in a relatively safe environment, so we inadvertently conflate our physical security with cyber security”, he continues.


“These mindsets need to change.” It doesn’t matter if 95 percent of defenses are sound: “If you don’t play your part and you leave a loophole open, then you are bringing potential risk to the entire network”, he says. “If you don’t play your part and you leave a loophole open, then you are bringing potential risk to the entire network.”

Security by design


Government system design should incorporate security features, Koh says, but many existing systems were “designed with convenience and usability as the foremost consideration”.


He cites two reasons - governments were trying to get people to use their platforms, and risks associated with cybercrimes were then lower.


But as it is, “risks have risen much faster than we have understood and reacted to them”, he admits. This has led to higher costs to secure networks.


Trying to set up intrusion detections after building systems is a “big challenge”, he says, because it affects usability and user convenience.


This results in an underlying culture problem: “If they are not happy and you don’t manage them properly, they may undermine the system and leave the doors open.”


The government took the decision to close off the email network from the internet to ensure greater security across these networks.

Plugging the skills gap


Koh notes that the world will lack 1.5 million cyber security specialists by 2020, with Singapore requiring 9700 skilled manpower in the field.


It is developing a skills framework that can be applied across whole-of-government, and gathering inputs from the private sector as well.


“We hope by doing this, we will make the career more attractive”. (See our news piece for more). Koh carries a heavy weight on his shoulders.


“Unless we can get cybersecurity right, we won’t be prepared to share our information.” He believes this is integral to the country’s Smart Nation vision.


Without assurance of data privacy, there will be reluctance to share data among government and individuals, and without that, “we won't realise all the potential benefits” that technology can bring.


It’s “invigorating work”, and “exciting that we have been given this opportunity”, he says. Koh leads the brigade that is heading up Singapore’s defenses.


But he’s recruiting reserves across all sectors to ensure that there aren’t any breaches. He’ll continue growing this army of cyber troops because a Smart Nation is a secure one.