SINGAPORE: Local cybersecurity companies will be able to cut down on time and costs involved in getting their products certified after Singapore achieved the status of a certificate authorising nation under the Common Criteria Recognition Arrangement (CCRA).
READ: Digital Defence pillar added to Singapore's Total Defence framework to strengthen cybersecurity
Speaking during the Committee of Supply debate on Monday (Mar 4), Senior Minister of State for Communications and Information Janil Puthucheary, said local companies looking to develop globally recognised IT security products within Singapore are expected to see more than 20 per cent savings in time and costs.
The Common Criteria (CC), also known as ISO/IEC 15408, is a technical standard applied to the evaluation ad certification of IT security products and is the de facto standard for product certification recognised by both governments and industry, MCI said in a separate factsheet.
There are 30 nations in the CCRA, and of these, 18 are certificate authorising nations. Singapore joins the ranks of United Kingdom, United States, India and South Korea in the latter group, while the only other Southeast Asian country to have this status is Malaysia.
The Cyber Security Agency of Singapore (CSA) told Channel NewsAsia it decided to pursue the status after “a majority of local developers” expressed support for the move and its review of Singapore’s membership in the CCRA.
“With Singapore attaining the status of a certificate authorising nation, local developers no longer need to send their product overseas for certification,” MCI said.
“Developers based in Singapore can enjoy lower costs and shorter time in attaining an internationally recognised certification mark (which) facilitates the exportability of IT security products produced (here).”
Former Communications and Information Minister Yaacob Ibrahim had said in March 2017 that the cybersecurity sector here is projected to grow around S$900 million by 2020.
The Cyber Security Agency of Singapore (CSA) has set up a CC certification body, which is responsible for ensuring that product evaluation undertaken conforms to the strict requirements of the technical standards, it added.
This body is also responsible for maintaining a pool of approved testing laboratories that perform the product evaluation. There are currently three such labs – An Security, Brightsight and T-Systems International – in its approved list, according to CSA’s website.
The ministry also said that with the CC certificate authorising nation status, Singapore can create more job opportunities for skilled cybersecurity professionals spanning from IT product evaluators and certifiers to product architects, designers and developers.
Dr Puthucheary said the total number of jobs for cybersecurity professionals tripled from 2012 to 2017 to 5,300, while the actual number of these professionals employed quadrupled to 4,900 during the same period.
“STEP IN RIGHT DIRECTION”
It will also be able to attract global evaluation and testing laboratories to set up base here. T-Systems, it said, is one who has set up an evaluation lab here and, with this, would bring expertise in niche cybersecurity segments that lead to skills transfer.
One local cybersecurity start-up, InsiderSecurity, lauded the move saying it is a “step in the right direction”. This is because the certification helps non-IT security experts and buyers answer questions on what a certain type of cybersecurity product looks to protect.
“Common Criteria adoption can help raise the overall level of cybersecurity in Singapore,” CEO Jonathan Phua told Channel NewsAsia.
He added that with Singapore being a certificate authorising nation, this will help lower certification costs. To his knowledge, the certification and testing fees are “relatively low” but the manpower and expertise needed to prepare the documentation needed for certification can be “fairly complex” and costly.
“If I need to have my product CC-certified, it would definitely be cheaper and faster to have it done locally than in USA or Europe,” Mr Phua said.
This was also validated by ST Electronics (Info-Security)’s Goh Eng Choon, who said that when it conducted security certification overseas, the schedule was “uncertain”.
“Even after the completion of product evaluation by the authorised lab, it took another six to nine months before the certification body issued the certificate,” Mr Goh said, adding it looks forward to work with CSA to speed up the certification process.
Additionally, MCI said the Info-communications Media Development Authority (IMDA) and CSA will launch a new SecureTech track under its Accreditation@SG Digital programme from this quarter.
Under this track, companies are required to obtain CC certification for their products and the two agencies are the approving authorities to award the accreditation status under the new track.
“Through this programme, IMDA and CSA will also encourage and ease the adoption and procurement of SecureTech products by Government agencies and enterprises,” the press release said.