Speech by Mr David Koh, Chief Executive, Cyber Security Agency Of Singapore on “Recent Cybersecurity Challenges, Dilemmas And Solutions From A National Perspective”, at Israel Cyber Week 2021

21 Jul 2021

Speech by Mr David Koh, Chief Executive, Cyber Security Agency Of Singapore on “Recent Cybersecurity Challenges, Dilemmas And Solutions From A National Perspective”, at Israel Cyber Week 2021


Distinguished Speakers and Guests

Ladies and Gentlemen

Good morning to all. Thank you to the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center and the Israel National Cyber Directorate for the invitation to share Singapore’s perspectives on recent cybersecurity challenges, dilemmas and solutions.

I am very happy to join our esteemed guests and counterparts from Israel, Canada, the Czech Republic, UK and US for this year’s Cyber Week.

Let me begin with COVID-19 which has affected us all significantly. However my proposition is that COVID-19 has not changed the fundamental challenges and dilemmas faced by the cyber community. It has not created a new situation. It has accelerated digitalisation which started before the pandemic. It has rapidly exposed some pre-existing gaps. With the acceleration of digitalisation, cybersecurity has only grown in importance.

I would also like to point to global incidents such as SolarWinds and the recent supply-chain ransomware attack on Kaseya. These have heightened major concerns of  cybersecurity risks in the global supply chain across all industries.

These circumstances and incidences point to three observable near-term trends which CSA released as part of our Singapore Cyber Landscape 2020 publication released just two weeks ago.

First, ransomware has evolved into a massive and systemic threat, and is no longer restricted to the sporadic and isolated incidents. It has morphed into a massive systemic threat. The recent spate of high-profile ransomware incidents demonstrates the real-world effect and harm of such attacks. There is an urgency for organisations to review their cybersecurity posture and ensure systems are built to be resilient in recovering from such attacks.

Second, a successful breach in the supply chain provides cyber threat actors a single pivoting point to multiple victims. While such attacks are not new, they are becoming more sophisticated. The compromise of a trusted supplier or software can result in widespread repercussions.

Third, while countries continue to vaccinate its populations and manage COVID-19, social distancing measures and adoption of remote working will continue. Targeting of the remote workforce by cyber threat actors is likely set to continue.

As such, I would like to highlight three challenge areas and the steps Singapore is taking to try and address them. First, improving the general cyber hygiene in our populations; second, better supporting and developing a secure-by-design mindset; and third, managing supply chain risks in our Critical Information Infrastructure or CII in short.

COVID-19 has demonstrated how digitalisation enabled us to be nimbler and more adaptive in responding to crisis and how digitalisation can facilitate a more robust economic recovery post pandemic. But digitalisation needs a safe, secure, and stable cyberspace.

Last year, Singapore launched our Safer Cyberspace Masterplan with the aim of going beyond protecting only the CII, to providing some basic level of cybersecurity for the general public. We recognise that many of us are not digital natives. When I was growing up, in schools, my teacher taught us dental hygiene. but who is teaching us what and how to maintain cyber hygiene? We don’t have the instincts of digital natives and thus we need to engage our population on cyber hygiene so that enterprises and individuals can navigate and leverage the economic and social opportunities of digitalisation safely. Cyber hygiene can go some way to protect individuals and organisations from the threats from ransomware and remote work ecosystems.

In end June, CSA launched its fourth “Better Cyber Safe than Sorry” national cybersecurity awareness campaign. The campaign seeks to drive the adoption of four good cybersecurity practices - use of strong passwords and enabling two-factor authentication; spotting signs of phishing; use of anti-virus software; and updating computer software.

In tandem, the SG Cyber Safe Seniors Programme was launched to reach out to our seniors, one of our most vulnerable segments of our population. Topics such as cyber threats, cyber scams and cyber tips will be covered in Singapore’s four national languages through a mix of physical and online platforms.

Small and medium enterprises are also a vulnerable segment. A set of cybersecurity toolkits were created for enterprise leaders, employees and technical teams. It aims to shift enterprise leaders’ view of cybersecurity as “just an IT issue”, to understanding that it is a business risk management investment worth making. It also recognises employees as the first line of defence in the organisation and provides tools for employee cybersecurity awareness training.

It is not just about cyber hygiene, we also need to go upstream. The reality is that new technologies are fast evolving and becoming increasing complex. We can only put so much of the cyber hygiene responsibility on the man on the street. We want to encourage a secure-by-design mindset in the manufacturers.

A key initiative is our Cybersecurity Labelling Scheme, CLS. The CLS was launched to improve the security of Internet of Things or IoT devices. Poorly secured IoT devices pose a threat now and increasingly in the future, because they’re proliferating everywhere.

Yet, individuals don’t know what products are safe to buy. Considerations are usually price, functionality, and perhaps colour. No one is asking what the cybersecurity attributes of items are. While CLS helps instil cybersecurity consciousness amongst consumers through a simple one to four-star system similar to electricity consumption labels, it also aims to incentivise manufacturers to develop and provide products with recognised and improved cybersecurity features.

The four-level framework, together with a combination of self-declaration and third-party independent assessment, allows developers flexibility to choose a CLS level suited to market demand, product readiness, tech maturity, brand and device security profile. Through the CLS, we hope to encourage device manufacturers to incorporate cybersecurity into the devices they make – fulfilling the secure-by-design principle.

CLS now has more than 80 applications and labelled products already in physical stores and online shops. It has been particularly embraced by smart home solution developers as a quality branding with a competitive edge. We are also working on mutual recognition with like-minded partners internationally, to facilitate export and to reduce cost of compliance across different countries.

Finally, we observe a major concern with cybersecurity risks in the global supply chain across all industries. Securing the supply chain can be a challenging task as vulnerabilities can be introduced at any point in the supply chain and can be hard to detect. They are hard to guard against, because the attack compromises part of the trusted IT ecosystem. These often bypass organisations’ cybersecurity defences by slipping in through upstream vectors. International cooperation is thus crucial to promote the integrity, stability, and security of supply chains, so that end users can have confidence in the security of the ICT products.

Nationally, to help organisations better manage cybersecurity risks across the supply chain, CSA is developing a Critical Information Infrastructure Supply Chain Programme in Singapore. The programme is a national effort to establish processes and sound practices to help CII owners and their vendors manage supply chain risks holistically, and strengthen the overall supply chain cybersecurity posture.

The programme will develop and implement guidelines for CII Owners to better understand and manage their vendors, for vendors to maintain an adequate level of cybersecurity posture, and for the Government to improve policy decisions on the security of cyber supply chain.

In the longer term, our CII sectors and companies will need to adopt a zero-trust cybersecurity posture by verifying all digital activity, authenticating continuously, detecting anomalies in a timely manner, and validate transactions across network segments. CSA will continue to strengthen engagements with relevant stakeholders to adopt these measures.

In conclusion, I believe some of these experiences and views from Singapore’s perspective are also shared by our guest and speakers gathered here today. Our belief remains that no one agency, government or country can do cybersecurity alone.

Collaboration across multiple fronts and across different countries will be crucial to our success. It is platforms such as these that will help develop the ideas and relationships that are needed to tackle our collective cyber challenges – both today’s and those ahead of us. Cybersecurity is a team sport. I look forward to playing on the same team as many of you.

I wish everyone a productive session ahead. Thank you.