SINGAPORE: The next World War can be waged through cyberattacks on computer systems and networks, in particular, critical national and global information infrastructure. Public transport systems can come to a standstill, cities cut off from communications with the outside world, and weapon systems turned on and aimed at dense population centres, with a flick of a switch.
Even cyber terrorism, which is the blatant attack on data or programmes in computers and smart devices, can lead to serious harm, including physical damage and impairment to key national utilities, as evident in the ransomware attack against the UK’s National Health System.
All these can take place under the radar, without a country knowing that it is under deliberate attack, until it is slowly undermined and brought to its knees, as such attacks weaken the very fabric of society and damage political trust over time.
There is already a chilling of international relations leading to a Cold War of sorts between countries, directly attributable to more insidious cyberattacks such as Internet-enabled espionage. These have led to embarrassing informational leaks, in particular, those of a politically sensitive nature, and the promulgation of fake news which have direct and indirect impact on political fortunes and relations.
On the socio-economic front, cyberattacks are a major impediment to further advances in electronic transactions, and can stunt the growth of e-commerce and fintech as well as affect personal data privacy. What this means is that segments of a country’s economy can be fractured, before they even get the chance to thrive and mature.
On the other hand, and ironically, each wave of cyberattacks has contributed to the growth of a cybersecurity industry that now has a rapidly developing market in the infocomm technology sector. So maybe it’s not all doom and gloom. But the challenge that remains is how countries can muster the political will to enact necessary legislative changes to protect citizens and companies, yet give space for businesses to thrive and seize these new opportunities in cybersecurity.
The most drastic measure to date among the slew of protection measures against cyberattacks is the separation of Government systems from the Internet. Some might ask if this shows that the Government has lost faith in encryption and other cybersecurity technology. Others wonder if such a harsh measure is really necessary.
DIGITAL CONNECTIVITY INTEGRAL TO SINGAPORE’S ECONOMIC SURVIVAL
When the WannaCry ransomware attack occurred in mid-May, the Singapore Government was largely spared. Some say it was because the Government is not an attractive target. Others believe that it might be due to its strong protection measures for Government data, such as the recent Internet separation exercise.
On the other hand, and around the same time, other organisations were not as fortunate. Various cyberattacks were revealed to have succeeded, such as the Advanced Persistent Threat attacks against National University of Singapore and Nanyang Technological University networks. Outside of such attacks, the breach of data protection obligations by organisations that collect, use and share personal data form the majority of complaints reportedly received by the Personal Data Protection Commission. These incidents show the persistency of cyberattacks and concomitantly the importance of cybersecurity on the national agenda.
In Singapore’s case, what is clear is that the Government is acknowledging that cybersecurity is a major issue and is willing to take extensive measures to tackle the problem. It is useful that the Government comes out to declare quickly when personal data is lost, and explains how it is taking active steps not just to rectify the situation but also put in place longer-term safeguards to build resilience against future attacks. After all, the national Smart Nation initiative and strong digital connectivity are important and integral to Singapore’s economic survival.
The Government must be aware that with a national strategy that includes Singapore as an infocomm hub, prevention and containment rather than eradication is the only pragmatic and realistic solution. Moreover, growing Singapore’s cybersecurity industry complements its data hub aspirations.
RANSOMWARE VALIDATES INTERNET SEPARATION OF SENSITIVE DATA
The national approach to cybersecurity, as a defence mechanism to cyberattacks, must be and has been holistic and multipronged. The Government leads the way in data security through a clearly set out Infocomm Security Masterplan overseen by the Info-communications Media Development Authority. Among its measures, it has set up cybersecurity agencies such as the Singapore Infocomm Technology Security Authority and the Cyber Security Agency.
It is also funding research and development initiatives under its National Cybersecurity R&D programme. Finally, it is constantly upgrading its laws to strengthen its investigative capabilities and legal measures to respond to attacks.
The plan is to harness new technology and build up its capabilities to prevent and pre-empt such attacks.
But one of the most effective measures that was taken was to “de-link” computer networks that handle sensitive data, including political and government information, from the Internet, which arguably protected government organisations from this and similar attacks. On hindsight, the ransomware attacks does seem to reaffirm and validate that approach despite some teething problems, public ridicule and complaints from some of those affected, especially complaints relating to work efficiency.
PRIVATE SECTOR NEEDS TRANSACTIONALLY EFFICIENT TACTICS
Although this drastic approach may be justified for sensitive information, it is not feasible or suitable for all or other types of information, particularly information required for transactions involving data flow between organisations through secured and non-secured networks.
For instance, business-to-consumer transactions such as fintech services including ibanking, online trading and e-commerce cannot adopt an Internet separation model, for business efficiency reasons.
Hence, the strategy going forward will require a re-think of current processes and the development of innovative tactics to deal with the problem. Both technology-based and non-technology measures are important. Hardware (including standard operating procedures and cable or remote disconnection) and software capabilities (antivirus protection, for instance) are both required.
One idea the Government can consider taking the lead on is to set minimum standards for all sectors, public and private, in Singapore as a whole. Perhaps we should consider a nationwide antivirus drive and free national software protection. It will not be the first or the last nationwide initiative. Consider it a "national vaccination" from computer viruses. Moreover, this approach may be particularly suitable for Singapore, as a geographically small city-state.
Even if the cost is high, the avoidance of attacks and its effects may justify such a drastic and comprehensive preventive measure. The cost may be reduced if the software is developed through Government-funded R&D programmes and can be monetised outside of Singapore; as this model, if successful, may be exported to other cities.
In the meantime, private sector industries can take the lead in mandating minimal security measures and in regularly upgrading them as new and improved technologies are developed. Information sharing, training and education in this field are also essential ingredients for such a strategy to work.
STRENGTHENING CYBERSECURITY LAWS AND INVESTIGATIVE MEASURES
Meanwhile, since 2016, Minister for Communications and Information Yaacob Ibrahim has spoken of a new standalone Cybersecurity Act that is likely to be tabled in Parliament sometime this year. In the interim, there was an amendment to the existing Computer Misuse and Cybersecurity Act (CMCA) in April that only included new offences for dealing in personal information obtained through an existing computer crime provision under the Act, and dealing with hacking tools to commit computer crimes.
These new criminal provisions increase and update the suite of computer crime provisions under the CMCA, but they only have a limited effect; that is, to deter and punish such offences.
They are also of limited use for cyber offences that originate overseas despite the amendment to extend Singapore’s territorial reach to cyber offences that cause or create a significant risk of serious harm to Singapore. The jurisdictional limitations of the provision is such that enforcement still requires stronger and more coordinated international cooperation through mutual legal assistance and extradition agreements. Regional and international cooperation will have to be improved as cyberattacks respect no borders.
Another problem has to do with limitations in investigation. Cyberattackers tend to be experts in operating incognito or anonymously, and from secret locations, often in countries that lack the resources and political will, or have less sophisticated methods to combat cyberattacks. Some culprits act alone while others operate in powerful syndicates.
Even if these culprits can be found, what is the incentive for foreign governments to commit already limited cybersecurity resources to such investigations, or turn over their own citizens to another country?
Hence, in-country preemptive and protective measures are still more important and should be the main focus of new legal solutions moving forward. The incapacitation of would-be cyberattackers should also be a priority in new and additional cybersecurity laws.
CHINA’S NEW CYBERSECURITY LAW AND SINGAPORE’S ANTICIPATED ACT
China’s new cybersecurity law, which entered into effect on Thursday (Jun 1), can provide some guidance and insight into the possible developments in Singapore’s own laws in the near future.
Some of these measures include: Subjecting network operators to more stringent security requirements; greater protective measures for key information infrastructure; greater restrictions on the transfer of personal and business data out of the country, and mandating that “sensitive data” be stored domestically.
In my opinion, what the new cybersecurity law should also contain are stronger measures to ensure that organisations that handle information manage them in an accountable manner. What our laws need is a mandatory requirement for data breach reporting and mitigation measures.
We also need provisions for stronger and mandated internal checks for organisations and public agencies to test the robustness of data handling processes (such as through the use of penetration tests). We should also have regular audit processing and reporting requirements.
Perhaps there can also be a system for certifying approved security arrangements and technologies as well as regularly updated recommended or approved security measures.
These recommendations may seem exacting or even onerous. But if we do not take our information and intellectual property seriously, then we risk opening ourselves to data theft and all sorts of other cyberthreats that can follow.
To be fair and proportionate, we could go with a layered approach. Current laws do not distinguish sensitive data from non-sensitive information, meaning that we make no effort to categorise data and differentiate how we protect each dataset.
Finally, other preventive measures include enhancing investigative capabilities such as that of the Cybercrime command unit in the Criminal Investigation Department and the investigative powers of the Ministry of Home Affairs, which can be expected from time to time, judging from the history of changes to the CMCA.
And if we expect the police to deal with these complex security challenges, then we should also provide them the necessary resources and powers to do so.
CYBERATTACKERS HAVE AN ADVANTAGE BUT CYBERSECURITY CAN REVERSE IT
Regardless of how much we try, we must remember that the nature of information security and widespread connection to the Internet, as well as the limitations of information security and lack of user sophistication, mean that offensive cyberattacks have the upper hand against existing legal and technical measures.
It is generally true that security and encryption technology is finding it hard to keep pace with cyberattack tools and methodologies, which is why attacks continue to occur, many of which are in unexpected ways and that catch their victims unaware. Moreover, computer users are not knowledgeable enough to use existing tools or leverage new developments in protection technology.
And it does not help that such technology can be cost prohibitive. Cyberattackers also tend to have stronger skillsets and financial or political incentives to develop new forms of attack. Also, protection technology is largely reactive, often developed in response to new forms of cyberattacks, and hence is often one step behind.
So it appears that predictive and preventive measures are the most important component in any national (or global) strategy against cyberattacks in the long run.
It is a constant game of cat and mouse between governments, private organisations and cyberattackers; and a game of one-upmanship between governments and organisations in the race to improve their cybersecurity suite of measures. But it is one that Singapore cannot afford to lose.
Warren Chik is Associate Professor and Associate Dean (External Relations) at the Singapore Management University's School of Law.