Keynote Address by Mr David Koh, Chief Executive, Cyber Security Agency of Singapore, at the 3rd Annual Billington International Cybersecurity Summit

21 Mar 2018



Good morning, Mr Thomas Billington,

Distinguished Guests, Ladies and Gentlemen,

    Introduction

  1. It is an honour to be here today at one of the world’s leading cybersecurity conferences. I am glad to see many familiar faces. The diversity of the global cybersecurity leaders gathered here today – from the US and partners from around the world, including Sweden, Kuwait, Bahrain, Estonia and Singapore – is testament to how diverse and cosmopolitan the international cyber community has grown. 
  2. I am told one reason I’ve been invited to deliver the opening keynote is in recognition of Singapore’s top position in the UN International Telecommunication Union (ITU) Global Cybersecurity Index. To be frank, the top position was a bit of a mistake. We take test scores rather seriously in Singapore. We didn’t do too well in the previous ITU survey, so when ITU came around again, I told my team that we needed to do better. I was thinking maybe 3rd or 4th – that would be credible, and we would have room to improve in subsequent years. But sadly we over-calibrated, and we ended up in first place. Now, we have only one way to go in future – down. And we have succeeded in painting a big bulls-eye on ourselves for all the malicious actors out there.  
  3. One common misconception about the ITU’s index is that it ranks countries by the strength of their cyber defences – how wide their moats, or how impregnable their walls are. The index is in fact a measure of the commitment of Member States to cybersecurity. On this front, they are spot on about Singapore. Cyber is indeed an important, even existential, issue on Singapore’s national agenda. Today, I would like to share with you some thoughts on why cybersecurity matters so much to Singapore. In the spirit of info-exchange, which we in cyber circles advocate strongly, I will cover how we are tackling this challenge through a national cybersecurity strategy, including how we are putting in place a new law that will enable us to level up our national cybersecurity posture.

    Why Cybersecurity Matters to Singapore

  4. Singapore sees the world through a lens that is shaped by our geographic, demographic, and economic context. We are a tiny nation-state located in Southeast Asia, a rapidly developing region of the world. Our population of about 5.6 million is slightly less than that of the Washington metropolitan area. In terms of land size, the Washington metro area is about twenty times the size of my entire country. We are also one of the world’s most connected cities; each Singaporean has on average almost two mobile phones, and according to Speedtest Global Index, our national broadband infrastructure is the world’s fastest. 
  5. The pace and scale of Singapore’s connectivity and digitalisation will only become more intense under our Smart Nation initiative, which sets out a vision to harness digital and smart technologies to build a future Singapore. Just like how Waymo’s self-driving cars ply the streets of California, autonomous vehicles are being put through the paces in Singapore’s one-north business park. The National Digital Identity (NDI) system, and our push for simplified and integrated electronic payments, are geared towards allowing citizens and businesses to transact in a seamless, convenient, and secure manner. These, and other Smart Nation initiatives, will enhance the competitiveness and participation in our economy. 
  6. The more digitalised and connected our economy, the more important it becomes to secure our systems in cyberspace. Although Singapore was relatively unscathed by large-scale cyber-attacks like the WannaCry and NotPetya attacks in 2017, our global connectivity still puts us in the cross-hairs of Advanced Persistent Threats. Last year, our universities’ and government networks were breached. We investigated and found the breaches to be carefully planned and sophisticated; not the work of casual hackers or criminals. We even had a “mini-Equifax” incident, with attackers gaining access to an insurance company’s systems in Singapore through the Apache Struts vulnerability.
  7. The financial cost of cyber-attacks can be high, but indirect costs, such as the loss of trust from the public, can be even higher. This is especially relevant for Singapore, whose brand name is often associated with trust, transparency and efficiency. Cybersecurity is thus essential, even existential, to Singapore’s continued prosperity and survival. Cyber security is a key enabler for our Smart Nation initiative and my country’s future.
  8. So why does Singapore’s cybersecurity matter to you? I can offer you two reasons:
      1. First, Singapore is a gateway to Southeast Asia and the larger Asia-Pacific region. We are a major banking, aviation and maritime hub, and a significant proportion of the world’s financial capital, air traffic, and freight flows through our borders. These infrastructure are not merely critical national infrastructure, but they are supranational infrastructure. Cyber-attacks that impact such supranational infrastructure will have spill-over effects on systems beyond our shores. The tremors of a concerted cyber-attack on Singapore’s financial sector, for example, will be felt very quickly in New York and London.

      2. Second, as a small but highly-connected nation-state, we offer a test-bed for innovative solutions in a relatively controlled environment. We do not claim to have the model answer to navigating this “wild, wild west” of cyberspace, but the solutions we have adopted are what we have deemed best suited for our own priorities, capabilities and operating context.  We have put significant thought and resources into these efforts. Sharing our “war stories” can be a basis for further discussions with all of you, on how we as an international community can deal with cyber threats together.

    Singapore's Approach to Cybersecurity

    Formation of CSA

  10. This sets the context to the formation of my organisation, the Cyber Security Agency of Singapore (CSA). CSA was formed on 1 April 2015 under the aegis of the Prime Minister’s Office. This was not an April Fool’s joke. Rather, it came from the recognition of the need for dedicated and centralised oversight of Singapore’s cyber security functions. 
      1. CSA’s primary focus is the protection of critical information infrastructure and essential services. We cover from policy and legislation, to operational, technical and intelligence, as well as investigations and incident response. In terms of breadth, we also cover small and medium enterprises, and the man-in-the-street. The whole cyberspace, as it were, in Singapore. Beyond operational, we also have a responsibility to nurture the wider ecosystem, so that it can support our ops demands. In recognition that cyber is borderless, we perform an international role as well – for collaboration in cyber, and to represent Singapore internationally.  

      2. No one agency can do all of this by itself. CSA works closely with diverse stakeholders from government, industry, and academia. The responsibility remains with the primary agency – for example, cyber-crime remains under the national police force. But CSA coordinates the overall national cybersecurity strategy.

  11. We are still a young agency – in fact, we will only be celebrating our third anniversary next week. In the short time we have been in existence, we have not reinvented the wheel in cyber. Rather, our key value proposition lies in the holistic approach we have taken, in recognition that many of these fronts are complementary and mutually reinforcing.

    Singapore's Cybersecurity Strategy

  13. This approach is encapsulated by the four mutually supporting pillars of Singapore’s cybersecurity strategy, launched in 2016 by our Prime Minister. Let me briefly take you through some of the key initiatives under each of these pillars. 
  14. First, building a resilient infrastructure to ensure continued provision of essential services. 
      1. CSA plays the role of regulator and partner, to ensure that our CII agencies have the capabilities and measures in place to detect, respond and recover from cyber threats in a prompt and expedient manner. We have developed a multi-tier national cybersecurity response plan, and conduct regular cross-sector exercises. For instance, Exercise Cyber Star was a whole-of-government effort that puts Singapore’s cyber incident management and emergency response plans to the test. Our second run last year involved over 200 participants from all designated CII sectors. 

      2. As Government systems remain a prime target for cyber-attacks, we have to walk the talk. In 2016, the Singapore Government announced that it would take the unprecedented step of separating our internal networks from the Internet. (To clarify, we did not “cut off from the internet” completely. We still use the internet as a transport layer. We still can send and receive emails from citizens and from overseas. We just cut off internet surfing from government computers.) This move came under strong criticism – some called it a step back into the “stone age”; others joked that we would have to use pigeons for communication. This decision was not taken lightly, and was done to make it harder for attackers, by disrupting the cyber kill-chain.  The internet surfing separation was completed in 2017. It was a year that saw many high-profile cyber-attacks globally. Some of our critics who had joked about pigeons a year earlier, now see the value of this bold move to secure our government networks.

  15. Second, we go beyond our CII sectors to engage businesses and individuals to develop a safe and secure cyberspace. 
      1. In cyber, we are only as strong as the weakest link. It is important for the public and small businesses to be more diligent about protecting their digital lives and assets, to improve our collective safety in cyberspace. As seen from the spate of ransomware campaigns over the past year, small businesses and individuals are often the victims of such indiscriminate attacks.  

      2. To improve everyday cyber hygiene and savviness, we have undertaken outreach and awareness campaigns that target different segments of the population, including the general public, students and parents, and small and medium enterprises (SMEs). One example is when we launched a National Cybersecurity Awareness Campaign to reach out to individuals from all walks of life on the importance of cybersecurity.

  16. Third, by building a vibrant cybersecurity ecosystem.
      1. Cybersecurity is not just doom and gloom. We have identified cybersecurity as a growth sector and opportunity for Singapore’s economy and a pillar for our digital future. Cyber opens up jobs and opportunities for our citizens.  Building up the industry and our talent pool will not only bring about economic opportunities to Singapore, but also ensure a sustainable source of expertise and solutions, to contribute to a more resilient national infrastructure.

      2. To this end, we have attracted a critical mass of the world’s top cybersecurity companies to establish a presence in Singapore. We also help to grow local companies and expertise. We also partner with our government economic agencies to promote and support various initiatives to help promising cybersecurity start-ups scale and internationalise, and to catalyse the development of innovative cybersecurity solutions to meet our operational needs. 

      3. Manpower is our best resource, but also a potential bottleneck in this growing industry. We have launched several initiatives to deepen our cybersecurity capabilities, and to promote the growth and career development of professionals.  One example is from the Singapore Armed Forces. In Singapore, all males are required to serve two years of compulsory national service. The SAF recently created a new Cyber Defence Vocation to train selected conscripts for cyber defence. This will give them a head-start in skills and experience that will be valuable to the national cybersecurity ecosystem.

      4. In the area of Research and development (R&D), we work with the National Research Foundation to set up and manage a S$190 million National Cybersecurity R&D programme. This programme serves the development of R&D capabilities to meet the cybersecurity needs of Singapore, through projects in areas such as cyber-physical systems and blockchain technology. 

  17. Our fourth and last pillar emphasises strengthening our international partnerships.
      1. Cybersecurity is a team sport, but one in which we face borderless and asymmetrical threats. Combating these threats requires international collaboration, to achieve collective action and mutual understanding. As a small, connected city-state, Singapore firmly believes in the importance of a “rules-based” international order for cyberspace, based on applicable international law and the adoption of voluntary operational norms. But developing practical and implementable norms should be complemented by other efforts to drive international cooperation in cyber. 

      2. To this end, Singapore leans forward through a mix of regional and international platforms to promote international collaboration. We do so in three ways:  

        1. First, we promote dialogue to focus the attention of the international community on key cyber issues. Singapore hosts Singapore International Cyber Week, or SICW, a key platform for regional and global cyber leaders to forge partnerships and engage in critical dialogue on cybersecurity.  Last year’s edition of SICW attracted more than 7,000 stakeholders, including policy-makers, industry experts and non-governmental organisations from close to 50 countries. One event at SICW is the International Cyber Leaders’ Symposium, which featured a robust panel discussion between cyber thought leaders on the challenges of implementing norms of responsible cyber behaviour.  

        2. Secondly, we work closely with our regional partners. The Association of Southeast Asian Nations, or ASEAN, consists of ten member states at differing levels of digital maturity and geopolitical considerations. Nonetheless, our 50-year history of mutual cooperation has cultivated an environment of mutual trust that enables us to make progress. For example, at the 2nd ASEAN Ministerial Conference on Cybersecurity (AMCC) held in conjunction with SICW, ASEAN Member States agreed on the importance of international voluntary cyber norms of responsible State behaviour as the foundation for a rules-based cyberspace. As Chairman of ASEAN in 2018, Singapore will continue to focus on forging a trusted and open cyberspace through platforms such as SICW and AMCC.  

        3. Lastly, we catalyse practical cooperation by facilitating regional cyber-capacity building efforts and confidence building measures. Singapore’s efforts on this front include CERT-to-CERT information sharing, memoranda of understanding with international partners, and various initiatives sponsored through Singapore’s S$10 million ASEAN Cyber Capacity Programme, which seeks to build technical, policy and strategy-building capabilities within ASEAN Member States.

    Singapore's Cybersecurity Legislation
  18. I have outlined the main pillars of Singapore’s cybersecurity strategy. This was launched in Oct 2016, almost historical in the context of cyber. We have to keep updating and evolving the strategy.  
  19. One new initiative is Singapore’s Cybersecurity Act (2018), which was passed into law by Parliament in February, and received the President’s Assent earlier this month. The Act provides a framework for the oversight and maintenance of national cybersecurity in Singapore. It has three key objectives:
      1. First, to strengthen the protection of CII against cyber-attacks. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to protect CII from cyber-attacks.

      2. Second, to authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cyber threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising.  

      3. Third, to establish a light-touch licensing framework for cybersecurity service providers. Cybersecurity service providers often have significant access into their clients’ sensitive computer systems and networks.  Such services, if abused, can compromise and disrupt the clients’ operations. A licensing framework will give businesses and clients more assurance, and is part of our strategy to raise the quality of cybersecurity services in the long run.

  20. It took us some time, and many sleepless nights, to arrive at this particular formulation of the Act. When CSA first started out, we did not have our own powers per se. Instead, we relied on the implicit authority as a national agency to forge close partnerships with CII owners, government agencies and other industry partners, and borrowed our powers from existing legislation. But we realised that we would need to take a more proactive approach to the protection of critical information infrastructure, and for the robust mitigation, detection and response to cyber threats.
  21. In developing the Act, we looked to what was being done in other countries, and realised that there was no standard “blueprint” for cybersecurity law internationally. Some countries, like Germany, have enacted a single comprehensive cybersecurity law. Others, like the US, have introduced cybersecurity regulation through various pieces of legislation. We studied these frameworks carefully, and consulted stakeholders to arrive at a framework which best met Singapore’s priorities and operating context.
      1. One such aspect is the introduction of a licensing framework for cybersecurity service providers – we are among the first in the world to do so. We decided to take a light-touch approach, to strike a balance between security needs, and the development of a vibrant cybersecurity ecosystem. For a start, only penetration testers and managed security operations centre (SOC) monitoring will be licensed. These providers have access to sensitive information from their clients, and provide mainstream services that leave a significant footprint on our cyber landscape.

      2. The Act will operate in tandem with other laws and regulations in Singapore. For example, the Computer Misuse Act and other relevant legislation will continue to govern the investigation and prosecution of cybercrime perpetrators.

  22. CSA’s experience in “running the show” for over two years also gave us time and experience to distil our thinking.  When CSA first started out, we had certain ideas on what kind of oversight was needed in Singapore. But working closely with our stakeholders – not to mention keeping pace with the evolving threat landscape – gave us additional clarity on the powers needed to safeguard our essential services from cyber-attacks.
  23. Yes, as you gathered, I’ve gained another title in the past month. As Commissioner of Cybersecurity, I will be conferred the authority to execute the powers stipulated in the Act. Some in the local media have given me the moniker of the “Cyber Czar”. This term gives me some anxiety – a good friend of mine reminded me that the root word for Czar actually comes from Caesar, and we all know what happened to many of the Caesars…
  24. I should also mention that Singapore’s political culture played a part in the strong support for the Act. In general, our public has strong confidence in the Government. Our status as a “little red dot” on the map, surrounded by much larger neighbouring countries in Southeast Asia, also underscores a collective mindset that security is a necessary precondition for our independence and continued prosperity. During a six-week public consultation exercise, we found that respondents generally shared the Government’s concerns on cybersecurity threats to Singapore. When the Act was debated in Parliament, many Members of Parliament rose to speak. All said they supported, or strongly supported the need for a Cybersecurity Act. The debate was on the implementation and clarification of issues such as privacy and the cost of compliance. This allowed us to refine the Act, and reassure stakeholders that the Government would work with them to ensure that the implementation would be handled sensitively.

    Conclusion

  26. From Singapore’s perspective, a resilient and secure cyberspace depends on the successful implementation and execution of a holistic cybersecurity strategy, including the development of a vibrant ecosystem, strong international collaboration, and a legislative framework that gives us oversight over our critical infrastructure.
      1. We have been recognised globally for our commitment to cybersecurity, but that does not mean we are resting on our laurels. In fact, the more important comparison is not how we measure up against other jurisdictions, but against the threat actors which are targeting us. There is little use in having the highest walls, or the widest moats, if the enemy can fly.

      2. We are cognizant that attackers also recognise Singapore’s value as a global connectivity hub. In September 2017, we attained the dubious honour from one cybersecurity company of being the top “launchpad” for cyber-attacks. The company subsequently acknowledged that these attacks may not have originated from Singapore, but had leveraged our connectivity to do so. Nonetheless, it is an apt reminder that our connectivity can be both a boon and bane.

  27. This is not a race that we can win alone. A rising tide raises all boats, and collaboration between governments, businesses, academia and individuals across multiple fronts will be a crucial component to our success. Moving forward, it is important not just to build defences for the cyber-threats of today, but also to promulgate the infrastructure, capabilities, mindsets and friendships that will enable us, as an international community, to tackle the cyber threats of tomorrow. 
  28. I hope that my sharing on Singapore’s approach to cybersecurity as a small, connected nation-state has provided some food for thought. I would also like to take this opportunity to congratulate Tom for successfully organising this third run of the Billington International Summit. Gatherings such as these are important in bringing together a diverse range of thought leaders from the cybersecurity front, and facilitating the candid exchange of views. Singapore’s third edition of Singapore International Cyber Week will be held in September this year. I warmly invite you to join me at SICW 2018, and look forward to having many fruitful discussions with you there. 
  29. Thank you.