Speech by Mr David Koh, Chief Executive, Cyber Security Agency of Singapore, at the EWI-RSIS Global Cyber Policy Dialogue Series: Southeast Asia Regional Meeting

06 Aug 2020


1.      Thank you Bruce, and good afternoon, good morning, good evening to everybody. All the esteemed participants, thank you very much.

2.      I am honoured to be invited by the EastWest Institute (EWI) and S. Rajaratnam School of International Studies (RSIS) to speak on this very important topic against the backdrop of COVID-19. The global pandemic has shown how important digital capabilities are to all nations in ensuring that essential services, effective governance and communications can continue in a highly disrupted environment. Cybersecurity is a key enabler of this -- it underpins our citizens and businesses’ trust and confidence in the digital domain.

3.      Let me begin with the new normal that we now live in due to COVID-19. Well, first of all, the fact that we are having this meeting in this format is, I think, the clearest example of this new normal that all of us had to adapt to.

4.      COVID-19 has fundamentally changed the way that we work and live. Many countries including Singapore have imposed lockdown strategies to curb the spread of COVID-19, resulting in businesses being affected by stop-work orders, supply chain disruptions, and workforce having to adapt to working remotely, and society being forced to change our lifestyles literally overnight.

5.      Yet, the pandemic has also accelerated the pace of digitalisation, where we see businesses intensifying their adoption of digital tools for sustainability, and individuals amplifying their digital activities for continuity and sanity. At the regional level, ASEAN member states have switched to video teleconferencing to continue a myriad of discussions ranging from health protection to economic and security issues.

6.      While technological advancements may be deemed a saviour in this regard, the heavier reliance on the internet also introduces new vulnerabilities and it expands the attack surface, making a robust cybersecurity environment all the more crucial for sustaining digital trust.

7.      In fact, we have observed a marked increase in related malicious cyber activities during this period. There are two likely reasons for this. First, many businesses have rushed to ensure connectivity, whether it was through the adoption of new technology systems or virtually to connect their remote workers, without putting sufficient consideration to closing the security and control gaps.

8.      Second, threat actors have opportunistically pivoted their tactics to leverage on COVID-19 developments in order to make their campaigns more effective. These attacks ranged from capitalising on general pandemic-related interests such as fake COVID-19 news, to more targeted attempts such as hacking into healthcare facilities to steal patients data in exchange for ransom or the hacking of bio-tech companies to steal virus or vaccine data.   

9.      So how we live, work and play in the digital domain today is a confluence of the geopolitical, the economic and technological trends. Emerging technologies have disrupted traditional businesses, job and lifestyle models, but it can also provide some solutions to better secure the cyberspace landscape.

10.      For instance, the protection of core digital infrastructures as we move towards a hyperconnected landscape with the convergence of Internet of Things, Big Data Analytics, Cloud Computing, Artificial Intelligence (AI). We must recognise that as much as we try to secure our infrastructures, sophisticated threat actors will still find creative ways to breach our systems and networks. We want to be able to detect malicious cyber activities early through active monitoring of threats, and take swift action to address them and minimise the impact on users.

11.      We can leverage on IoT devices to collect data from various sources, and collate the information in the cloud for big data analytics or we can train and improve AI algorithms for automated threat detection and analysis. AI engines can swiftly go through huge troves of structured and unstructured cyber information, make sense and correlate these information, and conduct investigations more efficiently and effectively. With quantum computing and 5G technologies, cybersecurity threat detection and prevention can be boosted further in terms of speed.

12.      That said, these can also be a double-edged sword. Threat actors can use the same capabilities to outsmart cybersecurity systems, or exploit the new vulnerabilities generated by emerging technology. Hence, risk mitigation controls such as quantum information assurance, crypto-agile system architecture for digital systems and assets will be necessary to address sophisticated attacks. In Singapore, we also intend to implement the Cybersecurity Labelling Scheme to help consumers make informed choices about the security features of IoT devices. Over time, we hope this will incentivise developers to develop products with recognised and improved security features.

13.      Additionally, Singapore has developed a voluntary contact tracing app – TraceTogether – which uses Bluetooth technology to exchange connections between nearby devices that have the same app rather than trying to record geolocation, and randomised user IDs that are refreshed regularly, to address the issue of privacy and to prevent unauthorised disclosure of information. We have made the source code available to enable other countries to build similar solutions locally, while also enabling interoperability across jurisdictions because one day, we hope that we will be able to travel again. This is our contribution to the global community to cohesively combat cyber adjacencies brought upon by this pandemic.

14.      However, technology is only one part of the solution. As cyber threats become increasingly sophisticated with the advent of new technologies, there is a need to sustain a rules-based international order to govern behaviour in cyberspace, and advance the security and trust that is essential to international cooperation and the effective functioning of the digital economy. At the UN level, both the UN Group of Governmental Experts (the UNGGE) and Open-Ended Working Group (the OEWG) continue to have substantive discussions on these issues. Singapore actively participates in both of them. It is important that such discussions continue to be hosted at the United Nations, where all countries – big and small – have a voice.

15.      ASEAN has also been making positive steps on this front. Just last year, ASEAN ministers and senior officials meeting agreed at the 4th ASEAN Ministerial Conference on Cybersecurity to set up a working group to develop a roadmap for the implementation of the 11 norms contained in the 2015 UNGGE consensus report.

16.      At the same time, given the diverse cyber capabilities across countries, there is an urgent need for coordinated cybersecurity capacity building initiatives at both the policy development and the technical levels to ensure that countries are adequately competent to implement the rules and norms designed to advance peace and security in an increasingly sophisticated and hyperconnected cyberspace. There is a degree of self-interest in doing this; cybersecurity threats do not respect borders, and we are only as strong as the weakest link. The Global Forum for Cyber Expertise (GFCE) has been doing great work on coordinating capacity building at the international level. At the regional level, the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) and the ASEAN-Japan Cyber Capacity Building Centre (AJCCBC) are also actively delivering capacity building initiatives in our region.

17.      I am happy to note that my fellow speakers will be covering these topics in greater detail during their presentations. Such discourse will help us better understand and navigate the challenges of the digital future.

18.      Moving forward, it is important not just to build defences for the cyber-threats of today, but also to identify opportunities in the emerging technologies and develop the infrastructure, capabilities and relationships to help us, to enable us to tackle the cyber challenges of tomorrow.

19.      Thank you.