Recently, the Singapore public health system was hit by a major cyber attack compromising the personal data of an astonishing 1.5 million patients. As a result of this cyber attack of "unprecedented scale and sophistication", individuals and organisations are now paying greater attention to cybersecurity issues and how to prevent a similar incident from occurring.
In light of these concerns, this is an introductory article in our series of articles on Cybersecurity & Singapore, which will highlight some of the cybersecurity issues in Singapore that organisations should take note of from a legal and operational standpoint and each article will focus on a specific sector relevant to organisations in Singapore. In particular, this introductory article will give a brief overview of the cybersecurity landscape in Singapore.
In recent years, there has been an increasing focus by the Singapore government on developing the cybersecurity capabilities in both the public and private sectors.
One of the major initiatives was the establishment of the Cyber Security Agency of Singapore in 2015 the national agency that oversees the general cybersecurity strategy, operation, education, outreach and ecosystem development in Singapore.
Generous financial grants have also been provided by government authorities to encourage and boost cybersecurity capabilities. For example, in December 2018, the Monetary of Authority Singapore launched a S$30 million Cybersecurity Capabilities Grant to enhance cybersecurity capabilities in the financial sector and assist financial institutions in developing local talent in the cybersecurity sector.
In addition, the Singapore government has developed several cybersecurity training, research and development facilities, ranging from facilities with a regional focus (e.g. the ASEAN-Singapore Cybersecurity Centre of Excellence) to facilities focused on developing cybersecurity start-ups (e.g. the Innovation Cybersecurity Ecosystem @Block 71).
The cybersecurity regulatory landscape in Singapore has also been experiencing major developments most notably the new Cybersecurity Act 2018 (No. 9 of 2018) ("Cybersecurity Act") which came into force in August 2018. The Cybersecurity Act provides an overarching legislative framework for the regulation of owners of critical information infrastructure and cybersecurity service providers.
"Critical information infrastructure" (or "CII") is defined as a computer or computer system that has been designated by the Commissioner for Cybersecurity to be "necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore" and is "located wholly or partly in Singapore".
"Essential services" is focused on 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, aviation and maritime.
If a particular computer or computer system is designated as a CII by the Commissioner for Cybersecurity, then the CII would generally have the following obligations:
1. Notification: CII owners are required to notify the Commissioner:
- of any prescribed cybersecurity incidents involving the CII or computer systems that interconnect with the CII ;
- of any material changes to the design, configuration, security or operation of the CII not later than 30 days after the date of change; and
- of any change in legal or beneficial ownership of the CII not later than 7 days after the date of change.
2.. Audit and risk assessments: CII owners are required to:
- conduct regular audits for compliance with legislation and related codes of practice at least once every 2 years; and
- conduct a cybersecurity risk assessment of the CII at least once a year.
3.Information: CII owners are required to provide information to the Commissioner regarding the technical architecture of the CII.
4. Cybersecurity exercises: CII owners will be required to participate in exercises organised to test a CII's response to significant cybersecurity incidents.
The Cybersecurity Act also provides the CSA with broad powers to investigate, examine any person, enter any premises to access the relevant computer system and direct any person to carry out remedial measures and assist in investigation in relation to a breach of the Cybersecurity Act.
In addition, the Cybersecurity Act also introduced a licensing regime for cybersecurity providers providing managed security operations centre monitoring services or penetration testing services.
One significant impact that the Cybersecurity Act creates is the potential increase in costs that may be incurred by CII owners and licensable cybersecurity service providers in seeking to comply with their respective obligations under the Cybersecurity Act.
Third parties may also be indirectly affected by the increase in compliance costs. For example, a proportion of such increased costs incurred by licensable cybersecurity service providers may potentially be flowed down to their customers in the form of increased service fees. Furthermore, in order to comply with the Cybersecurity Act, CII owners may be required to impose contractual obligations on their business partners (e.g. outsourced third party service providers) which will likely lead to greater costs for such third parties.
Every organisation should implement appropriate technical controls to minimise the risks and impact of cyber attacks. This may range from basic controls such as installing anti-virus software and firewall, scheduling automatic security updates and using a secure password (instead of "Password1" or "123456") to more advanced measures such as using multi-factor authentication, Virtual Private Networks for external access and secure data encryption for important data.
There is no universal set of security controls to be adopted as each organisation should consider which measures are appropriate by balancing its security needs with its operational requirements and costs constraints. In this regard, a proper risk assessment exercise would be highly useful in identifying the specific security threats to the organisation and determining the necessary controls required to eradicate or mitigate such risks. This would allow the organisation to allocate its resources more efficiently under its cybersecurity strategy.
In addition, the organisation should also implement effective policies that are regularly reviewed and updated. These policies should cover issues such as proper use of the organisation's IT systems, incident response and disaster recovery.
However, as shown from the recent SingHealth cyber attack incident, implementing policies and technical measures alone would not be an adequate safeguard against cyber threats if they are not properly effected. Therefore, it is equally important for the organisation to ensure that its staff or any other personnel would be able to effectively carry out the cybersecurity policies in practice.
For example, the organisation should ensure that all its employees are equipped with at least a basic level of cybersecurity awareness and are familiar with the organisation's cybersecurity policies. The organisation should also train its IT staff to ensure that they are equipped with sufficient knowledge to deter, identify and respond to a security incident in practice.
Cybersecurity risks may also arise where certain IT functions or processes are outsourced to third party service providers. Such service providers are obvious targets for cyber attacks and it is essential to ensure that the organisation's cybersecurity is not compromised as a result of such outsourcing.
In general, when considering a potential outsourcing arrangement, the organisation's decision-making process should also include cybersecurity as a key consideration instead of focusing solely on areas such as cost savings or efficiency improvements.
Specifically, it is important for the organisation to ensure that the service provider is well-equipped to implement and maintain an acceptable level of cybersecurity. For example, the organisation may conduct due diligence to determine the service provider's capabilities, track record, reliability and any relevant certification or accreditation.
The organisation should also evaluate the cybersecurity measures undertaken by the service provider to determine if they adequately fulfill the organisation's IT security requirements and adhere to its internal policies and regulatory obligations.
Throughout the course of the outsourcing, the organisation should also continually ensure that the service provider maintains an appropriate level of cybersecurity. This may be done by proper vendor management and conducting regular audit assessments.