As Prime Minister Lee Hsien Loong unveiled the most detailed plan yet to tackle cyber threats in Singapore today, it was timely that he called cyber security an issue of national importance.
The Republic has to be a safe nation as it aspires to be a smart one, he rightly pointed out.
Singapore’s cyber security plan calls for a hardening of defences, for example, with requirements for telecom, power and gas companies to strengthen their systems.
It also seeks to educate the public of the dangers of cyber crime, and create more jobs in cyber security and cooperate with other countries to tackle a growing global menace.
The comprehensive plan could not have come more urgently. Singapore, in its goal to connect up everything from cars to personal wearables, cannot afford to have its networks or data threatened.
This year, state-backed Russian hackers have been accused of trying to influence a United States election by hacking into a political party’s computer systems.
With more resources poured into cyber attack capabilities by states and criminal organisations, it’s clear that we are no longer dealing with lone hackers with a bit of mischief about them.
Three years ago, there was a lack of cyber security experts in Singapore (read our commentary). A wake-up call came in the hurried and at times poorly executed response to a hacking of government agency websites.
Today, it is rightly scrambling to attract IT professionals to join the cyber security sub-sector, one that takes years of training and experience.
The government knows too that it cannot depend on private companies too much, given how much national interest is at stake.
Singapore needs a “Singaporean core” to defend its critical infrastructure, just like how NSmen are deployed at airports and other strategic locations.
What is heartening to learn is that Singapore hasn’t just put out a nice plan on a piece of paper. Already, there has been an exercise that mimics an actual cyber attack and lets government agencies and the private sector practise how to respond to such a crisis.
Behind these efforts is the Cyber Security Agency (CSA), set up just last year. It works with the private sector, including those operating critical infrastructure such as energy, to harden their defences against attack.
And in the newly formed GovTech agency launched last week, the government also has a sharper focus on dealing with security across the whole of government.
A snafu like the SingPass hacking incident in 2014 could have been avoided if government agencies had taken a stronger, concerted stand on two-factor authentication over the years.
If there’s one thing that seems lacking in this well thought-out setup, it is that you should assume some parts of your network are already compromised.
That is, a hacker may already have planted the seeds for further attacks. This may be through hacking an unprotected printer, through yet undisclosed vulnerabilities in software or any of a number of new ways only being found each day.
In its strategy paper today, the CSA said prevention is key to countering the threat of cyber crime. That may not be possible in a world where cyber threats appear to be developed at a faster pace than defences can catch up.
How well one prepares for a successful attack, or to mitigate the damage, may be just as important as trying to assure everyone that miscreants are going to be kept out.
That inevitably brings us back to the policy to remove Internet surfing from staff at public agencies. Half of them have already embarked on this, revealed the prime minister today.
Nobody will argue against this policy if it is an ironclad way of keeping threats out. However, even the most secure of systems – think of the National Security Agency in the US – gets compromised in a borderless online world.
To prepare the population for a potentially devastating cyber attack, the authorities have to be clear that it is highly possible. As the country beefs up its defences, it also has to prepare for the worst-case scenario.
As the Singapore government has reminded citizens, the country has to be ready for a terrorist attack that may one day breach its safety nets. This could well be in the form of a cyber attack.