In this Explainer, find out...
What are the emerging cyber threats faced by Singapore?
How are Singapore's cybersecurity strategies evolving?
What can Singapore learn from cybersecurity strategies abroad?
Introduction
In July 2024, a faulty software update by service provider CrowdStrike disrupted services worldwide, affecting businesses in Singapore. Less than a month later, unauthorised access to the Mobile Guardian Device Management Application – which was installed in the Personal Learning Devices of many Singaporean students – remotely wiped the data of around 13,000 devices.
Serving as reminders of the importance of cybersecurity, these incidents have placed fresh pressure on the Government to tighten cybersecurity efforts. In this vein, this Policy Explainer will unpack Singapore’s cybersecurity strategies and outline lessons Singapore can draw from abroad.
Key Cyber Threats Faced by Singapore
Singapore’s vulnerability to cyber threats is amplified by factors like our increasing reliance on technology, existing gaps in cybersecurity models and the changing operational context of cyberattacks.
Firstly, Singapore’s push towards Smart Nation goals has engendered increased reliance on Infocomm Technology (ICT). As of May 2024, over 90 percent of Singaporean residents communicate online. Further, the technology adoption rate of firms has grown to 94 percent as of 2022. As a result, Singapore’s attack surface has increased with more potential vulnerabilities.
Secondly, gaps remain in Singapore’s cybersecurity approach. 70 percent of local organisations continue to have poor cybersecurity standards. This can be attributed to a lack of expertise and knowledge.
Thirdly, cyberattacks are becoming more sophisticated in a changing operational context. For example, malicious actors can execute supply chain attacks or start with adjacent systems, making defending cyber systems harder. More attention must hence be placed on contingency measures.
Given our precarious digital landscape, strong detection, defence and resilience mechanisms are crucial for Singapore.
Singapore's Cybersecurity Strategy
Strategy 2016 and the Cybersecurity Act 2018
Singapore’s cybersecurity journey began in 2005 with the first Infocomm Security Masterplan which sought to build new capabilities within the public sector to manage internal and external cyber threats.
While a suite of initiatives followed after the 2005 Masterplan, 2015 – the year the Cyber Security Agency of Singapore (CSA) was established – became a key turning point. Within a year after its establishment, the CSA articulated Singapore’s first Cyber Security Strategy in 2016 (Strategy 2016).
Strategy 2016 had four aims:
Harden security;
Educate people;
Create a cybersecurity talent pool by creating professional cybersecurity jobs; and
Enhance relations with international partners to fight cyber threats.
The Cybersecurity Act 2018 (CS Act) was subsequently introduced to achieve three objectives. Firstly, it sought to strengthen the protection of Singapore’s Critical Information Infrastructure (CII), providing essential services (ES) in the 11 areas of energy, water, banking and finance, healthcare, transport, infocomm, media, security and emergency services, and government. Secondly, it authorised the CSA to respond to cybersecurity incidents. Thirdly, it established a licensing framework to regulate cybersecurity service providers, for example by mandating CII operators (CIIOs) to put up robust contingency plans in the case of attacks.
Strengthening the Cybersecurity Architecture
By 2021, however, the operating context had changed. In a post-Covid-19 world where new technologies like the Internet of Things (IoT) had become more mainstream, an updated Cyber Security Strategy 2021 (Strategy 2021) became essential.
Strategy 2021 outlined three strategic pillars:
Building resilient infrastructure;
Enabling a safer cyberspace; and
Enhancing international cyber cooperation.
Additionally, Strategy 2021 identified another two foundational enablers:
Developing a vibrant cybersecurity ecosystem; and
Growing a robust cyber talent pipeline.
In 2024, the CS Act was also amended to tighten the CSA’s regulatory oversight over CIIs. Among others, it mandated CIIOs to report a wider range of incidents, while ensuring that CII owners remained responsible for the cybersecurity of the CII, even if parts of its operations were offshored or outsourced.
Looking ahead, Singapore is looking to establish the Digital Infrastructure Act (DIA), which will complement the CS Act by fostering resilience beyond cyberattacks. This includes guarding against other cyber-related risks like misconfigurations in technical architecture and physical hazards such as fires.
Variables and Constants: Key Eleements of an Evolving Strategy
While Singapore’s cybersecurity strategy has adapted to new trends, key themes continue to anchor this approach.
Variables
Extensiveness of Cybersecurity Measures
Firstly, Singapore has expanded the scope of our domestic cybersecurity strategy in response to our reliance on a broader range of digital products. This can be seen in the broadening of definitions in the 2024 Amendments to the CS Act to target virtual CIIs, which is essential today considering technologies like cloud computing.
At the same time, Strategy 2021 also mooted the idea to go beyond CIIs to ensure the security and resilience of systems which may not necessarily deliver ES.
Proactiveness of Strategies
Secondly, Singapore’s approach towards cyber threats has been increasingly proactive. While earlier strategies sought to craft response mechanisms, current strategies emphasise prevention. This is seen most prominently in the DIA, under which guidance materials will be developed to advise digital infrastructure and service providers on best practices for resilience and business continuity.
Constants
Maturing the Domestic Cybersecurity Ecosystem
Given the importance of strong research capabilities and a vibrant talent pool, Singapore has consistently invested in the domestic cybersecurity ecosystem. Strategies 2016 and 2021 sought to professionalise the cybersecurity industry to attract fresh talent. Both Strategies also set in place mechanisms for the creation of Made-in-Singapore cybersecurity products to grow Singapore as a cybersecurity hub.
Collaboration at the Industry and International Levels
Equally critical is collaboration at both the industry and international levels. At the industry level, Strategy 2021 emphasised the importance of a mode of systems thinking that goes beyond individual CIIs to tap on synergies between different CIIOs. Internationally, Singapore has sought to launch regional Association of Southeast Asian Nations (ASEAN) initiatives targeting cybersecurity woes.
Moreover, Singapore continues to draw lessons from its foreign counterparts, whose strategies we will now explore.
Cybersecurity Lessons and Insights from Abroad
The European Union (EU) Cybersecurity Strategy
Established in 2013, the EU Cybersecurity Strategy laid the overall groundwork for cyber resilience. The strategy encompasses several key tenets.
1. Legislation
The EU Cybersecurity Act grants a permanent mandate to the EU Agency for Cybersecurity (ENISA) to take charge of cooperation efforts. Additionally, the Cyber Diplomacy Toolbox enables sanctions as a diplomatic response to cyber attacks.
2. Information Sharing
The NIS Cooperation Group was established by the EU to facilitate information exchange on cyber threats among its members. With the establishment of Computer Security Incident Response Teams (CSIRTs), significant vulnerabilities can be quickly relayed to the country’s team coordinator. This quick disclosure timeline enables the team to deal with threats efficiently.
Moreover, the group has constantly updated guidelines such as the Compendium on Election Cybersecurity and Resilience, which recommends the best cybersecurity practices for elections and e-voting technology.
3. Crisis Preparedness
Cyber Europe is a large-scale, biennial simulation exercise designed to build crisis readiness among EU states. In the 2024 edition, participants tackled malicious cyberattacks on the EU’s energy sector.
Key Insights for Singapore
Given that the EU and ASEAN are both regional organisations, ASEAN and Singapore can take reference from the strengths and weaknesses of the EU's current response model. While the CSA does organise Exercise Cyber Star, a simulation-based exercise focused on local cybersecurity threats, Singapore may consider expanding our national exercises to a broader, coordinated regional framework to tackle globalised threats. Steps in this direction may also complement the goals of the ASEAN Cybersecurity Cooperation Strategy (2021-2025).
Additionally, the EU’s NIS Cooperation Group is an interesting model to reference. For example, insights may be drawn for the operationalisation of a similar ASEAN Regional Computer Emergency Response Team (CERT) to enhance response efficiency.
The United States of America (U.S.) National Cybersecurity Strategy
Another prominent cybersecurity strategy is the U.S. National Cybersecurity Strategy, which aims to encourage a preemptive approach among various stakeholders. Two key tenets of this strategy merit discussion.
1. Proactiveness
One initiative launched by the Cybersecurity and Infrastructure Security Agency is the Software Bill of Materials (SBOM). In gist, SBOMs contain comprehensive inventories of software components (see Figure 1), aiding suppliers and operators in detecting suspicious or counterfeit parts.
On top of facilitating quick identification and remediation of affected software, SBOMs also encourage wise purchasing decisions, reducing the risk of potential vulnerabilities.
Figure 1: List of Software Characteristics Listed in an SBOM
2. Scaling Up Public-Private Partnerships
By encouraging industry-led innovations, the U.S. has also advanced projects like IoT security labels, as exemplified by efforts of the Consumer Technology Association. With these user-friendly labels, consumers can easily compare the quality of cybersecurity protections among IoT products, aiding informed decision-making.
Simultaneously, the U.S. leverages the private sector’s threat-hunting capabilities to launch disruption campaigns against cyber adversaries. The 2021 Emotet takedown, for example, involved private firms sharing intelligence with government agencies to dismantle malware servers. Moreover, the U.S. is also exploring declassification policies to enhance the speed and scale of intelligence sharing from the private sector.
Key Insights for Singapore
As underscored by Strategy 2021, a solely responsive strategy may be less effective in a rapidly evolving threat environment. As part of proactive efforts to ensure the reliability of Singapore’s globally procured software components, the SBOM may be an interesting reference point. Further, the scale of public-private partnerships in the U.S. could also serve as a reference point for Singapore as Singapore works towards greater public-private collaboration in tackling cyber threats.
Conclusion
Singapore has taken a range of steps to position the country against cyber threats. However, it does not stop here. As our lives become more intertwined with an increasingly troubled cyber landscape, Singapore must continue to do more to stay ahead of the curve. To this end, the continued collaboration between government, academia and industry will be essential to accelerate impact in the cybersecurity sector and maximise the benefits of digitalisation.
This Policy Explainer was written by members of MAJU. MAJU is an independent, youth-led organisation that focuses on engaging Singaporean youths in a long-term research process to guide them in jointly formulating policy ideas of their own.
By sharing our unique youth perspectives, MAJU hopes to contribute to the policymaking discourse and future of Singapore.
The citations to our Policy Explainers can be found in the PDF appended to this webpage.
Comments