What will the Singapore Government do about Cybersecurity in the Smart Nation?
Published in The Straits Times, Friday 14 October 2016 as ‘Smart Nation — but will we be secure?’
Cyber security is a challenge, as everyone plays a part, not just the Government. Consider cyber drills, akin to fire drills, to sensitise people to online threats.
The launch this week of Singapore’s Cyber-security Strategy by Prime Minister Lee Hsien Loong marks a milestone in Singapore’s cyber development and aspirations.
The pillars of the strategy — building a resilient infrastructure, creating a safer cyberspace, developing a vibrant cyber-security ecosystem, and strengthening international partnerships — bring definition and much-needed clarity to Singapore’s trajectory in this arena. But while the unveiling of the strategy marks a milestone, challenges lie ahead.
Our citizens have developed a normalcy expectancy — the belief that we will be shielded from high signature, unexpected or disruptive events. As PM Lee noted when launching the SGSecure initiative in response to terrorist threats against Singapore, the first question people ask (on terrorism) is “What is the government going to do about it?” Just as Singaporeans have relied on the Government for physical security for decades, there is a propensity to similarly rely on the Government for cyber security.
The Government will do its part for cyber — securing systems and networks, protecting citizens’ and official data, and working with the relevant private-sector companies in critical sectors including energy, banking, healthcare and transport, to improve their response and recovery plans.
But worldwide, it is becoming patently clear that the national authorities alone cannot guarantee cyber security. So where do the concomitant interests in ensuring cyber security lie?
The second pillar of the cyber strategy states that cyber security is the “collective responsibility of the Government, businesses, individuals and the community”. On the Government’s part, the Ministry of Home Affairs launched the National Cybercrime Action Plan earlier this year, to enhance the Singapore Police Force’s capability to handle cybercrime, and to work with Internet service providers and other countries. But communities, businesses and individuals then need to stay informed and take preventive measures, make cyber security a priority, improve understanding of cyber-security issues and encourage adoption of good practices.
The human element will be key, as it is implicated all too often in cyber security and is indeed often the weakest link — individuals allowing malicious software into systems because of deception by attackers, negligence, ignorance, or bad intentions. One study by cloud security vendor Skyhigh Networks found that 82 per cent of organisations surveyed had experienced an insider threat, and 96 per cent of organisations had at least one user who had been compromised with weak passwords.
This would be like installing the most sophisticated lock but leaving the key under the doormat.
The fact that government protection has its limits can be nowhere more clearly seen than in the 2015 cyber attacks on the Ukraine electricity grid (which saw hundreds of thousands of homes left without power in the middle of winter). These attacks remind us that virtual attacks can have immense real-world ramifications, and that even states can be overcome by cyber attacks, especially those powered by much larger states or their proxies.
The concern is not simply one of a massive takedown akin to a digital Pearl Harbor. Cyber-security threats are all the more insidious because they can lurk undetected in our systems for months or years — 500 days is an average in Asia. During this time, attackers can slowly erode the reliability and accuracy of systems instead of destroying them outright, in order to damage trust and resilience.
It is no exaggeration therefore to say that cyber security needs to become embedded in the basic fabric of our thinking, and ways should be considered to embed this into Total Defence (not least its psychological pillar) and initiatives such as SGSecure.
Citizens and businesses need to learn how to respond to cyber-security emergencies, preparing for cyber drills as we do in fire drills. For example, if our computers or mobile devices are taken over by ransomware, will we have backup plans or will we panic? Many countries — from Singapore to Estonia to Zambia — conduct cyber drills, which see government agencies and key businesses planning responses to cyber attacks.
But such attacks would also affect thousands of citizens and small businesses, destroying their work or personal data, or disabling communication for days or weeks. They, too, need to be brought into this ecosystem of preparation.
They also need to know who to contact in the event of a cyber attack, and where to seek help for cyber attacks that are beyond the capability of ordinary citizens and SMEs to fend off. At which point will the police or SingCERT (Singapore Computer Emergency Response Team) step in to help?
With a dire shortage of cyber-security professionals worldwide, we should consider tapping national servicemen with cyber-security skills and knowledge, even listing cyber security as one of the preferred vocations that pre-enlistees can choose from.
Deep thinking will be needed on the issue of how to allocate risk — through policy measures or legislation — and liability among various stakeholders, such as government, smart-device manufacturers, service providers, businesses, customers and insurers. For example, will the Housing Board be responsible for the cyber security of 3,000 “smart living” HDB flats? Will we have cyber-attack insurance in the same way we have fire insurance?
There is a delicate balance in sharing responsibility between private and public sectors because this also involves sharing of information about threats and attacks. Legislation can increase the obligation on businesses to disclose information to government, but will there be a corresponding increase in government sharing new threats or vulnerabilities with businesses, or will the information be classified?
Questions such as these will no doubt be addressed in the next iteration of the National Cyber Security Masterplan, and a whole-of-government approach will be needed because of the diverse stakeholders.
As nations grow more interconnected, and cyber attackers target networks of less secure countries in order to infiltrate their neighbours, no country can ignore the global importance of teamwork in cyber security, as underscored by the personal message from the United Nations Secretary-General Ban Ki-moon that, significantly, was read following the cyber-security strategy’s launch.
This concern drives Singapore to invest in helping fellow Asean members come up to speed, through efforts like the $10 million Asean Cyber Capacity Programme (launched by Dr Yaacob Ibrahim the next day) to boost cyber-security resources and know-how. Funding may well be available, but the challenge is whether Asean can then come together to build a cohesive approach to cyber security.
Singapore’s Cyber-security Strategy is built on an implicit recognition that teamwork is the sine qua non for dealing with the rapidly expanding scale of cyber threats — a co-equal partnership between citizens, businesses, Government and other nations. The challenge lies in all responsible players stepping up to take collective responsibility for security.
We will almost certainly be, in time, a Smart Nation. But whether we can be a secure Smart Nation depends on the extent to which those with a vested stake — including ordinary citizens — rise to the challenge.
Dr Shashi Jayakumar is head of the Centre of Excellence for National Security at the S. Rajaratnam School of International Studies, Nanyang Technological University.
Benjamin Ang is coordinator of the Cybersecurity Programme at the Centre of Excellence for National Security at the S. Rajaratnam School of International Studies.