SingHealth cyberattack: Govt to fully adopt COI recommendations, S Iswaran says
The Cyber Security Agency of Singapore has accelerated the implementation of the Cybersecurity Act, with all critical information infrastructures (CIIs) designated by end 2018.
SINGAPORE: The Government accepts and will “fully adopt” the recommendations made by the Committee of Inquiry (COI) that looked into the cyberattack on SingHealth’s database system, Communications and Information Minister S Iswaran said on Tuesday (Jan 15).
Delivering his ministerial statement in Parliament in response to the COI report, Mr Iswaran said the Government will “do (its) utmost” to ensure its IT and database systems are secure and that personal data collected by public sector systems are well protected.
Elaborating on how it plans to do so, the minister said there are two key principles, which have also been highlighted by the COI.
The first is adopting a “defence-in-depth” strategy, with multiple layers of cyber defences to impede an attacker.
“These layers of defence cascade from the perimeter to within our systems, as we recognise that a sophisticated and determined attacker, given enough time and resources, may find a way through,” he said.
“This is why we also have capabilities in our layered defence that enable swift detection of a breach, and decisive response.”
The second principle is to enhance system defences by “strengthening our people, processes and technology”. He said the aim is not only to monitor and respond robustly to an incident, but to ensure a quick recovery and resilience in these systems.
ACCELERATED CYBERSECURITY ACT
Mr Iswaran pointed to the follow-up actions by the Cyber Security Agency of Singapore (CSA) following the revelation of the cyberattack, saying it had instructed all critical information infrastructure (CII) sectors to strengthen network security with prescribed steps.
It also accelerated the implementation of the Cybersecurity Act, which came into force on Aug 31 last year. The agency designated all CIIs by the end of 2018, and all CII owners must now comply with their obligations under the Act such as reporting cyber incidents to CSA within prescribed timeframes, he said.
The agency also instructed all CII owners via their sector leads to conduct thorough internal reviews of their cybersecurity against the gaps identified during the COI hearings, and report on the progress of closing any identified gaps, he added.
Mr Iswaran said: “CSA will continue to actively work with the sector leads and CII owners to reinforce their cyber defences and cyber resilience, and safeguard the cybersecurity of our systems and networks.”
PUBLIC SECTOR MEASURES
As for the public sector’s efforts to strengthen cybersecurity, Mr Iswaran said the Smart Nation and Digital Government Group (SNDGG) had started bolstering cybersecurity before the SingHealth hack. After the cyberattack, it paused the rollout of new Government systems from Jul 20 to Aug 3 last year as it checked for other potential breaches in other systems and reviewed the public sector’s cybersecurity posture.
“The findings and recommendations of the COI give added impetus to our efforts to continuously review and enhance the cybersecurity of Government systems. In particular, the findings reaffirmed the ‘defence-in-depth’ approach that the public sector had adopted towards cybersecurity,” the minister said.
Going forward, SNDGG will use technology even more to support its IT staff and automate cybersecurity tasks such as patch management, so as to carry out such tasks more reliably, he said.
The agency will further tighten internal checks and enhance security audits, the minister added. It will also conduct more exercises to sharpen officers’ readiness and train all public servants in cybersecurity.
“Above all, we expect our officers at all levels to be aware of their responsibilities, to be accountable for their actions, and to perform their duties to the best of their ability,” he said.
That said, Mr Iswaran stressed that the Government cannot strengthen its cybersecurity alone and will enlist the expertise of the larger community such as ethical hackers. For instance, the Government Technology Agency (GovTech) and CSA launched a Government Bug Bounty programme last month to uncover vulnerabilities on five selected Internet-facing Government systems and websites.
He added that CSA will oversee the follow-up on the COI’s recommendations across all CII sectors, including the public sector. SNDGG, as the sector lead for the Government, will monitor implementation for public sector systems.
“We will then track overall progress via regular updates at the relevant ministerial committees,” the minister said.
He also noted how the Personal Data Protection Commission on Tuesday imposed its biggest fines to date against the Integrated Health Information Systems and SingHealth amounting to S$1 million in total.
SINGHEALTH CYBERATTACK “WILL NOT BE THE LAST”
Mr Iswaran said the measures recommended by the COI will help Singapore defend itself better against malicious cyber activities, including from international attackers.
“This was not the first instance where we were targeted and it will not be the last. Our networks are continually probed for weaknesses, and regularly attacked,” he said.
The Government, the minister reiterated, takes very seriously its responsibility of ensuring the cybersecurity of the country’s systems that are vital to the provision of essential services. The COI’s findings and recommendations have “sharpened focus” and given “further impetus” to secure its IT systems and databases.
He did warn that a cyberattack of the scale and sophistication seen in the SingHealth incident could also be mounted on any one of Singapore’s major IT systems, threatening the safety and security of the country and its citizens.
Likening it to a constant battle against “cunning adversaries with capabilities”, Mr Iswaran said Singapore cannot allow such incidents to derail its Smart Nation initiatives that can enhance the country’s economic competitiveness and deliver better public services.
“We will do our utmost to strengthen Singapore’s cyber defence capabilities and prevent cybersecurity breaches,” he said.
“However, if a breach occurs despite our best efforts, we must have the capability to detect it quickly and respond robustly to minimise the damage. Our people must stay resilient in the face of such a continuing threat while doing their part for our cyber defence.”
NAMING PERPETRATOR "NOT IN OUR INTERESTS"
During the question-and-answer session, two MPs - Mr Vikram Nair and Mr Cedric Foo - asked the minister why the identity of the perpetrator will not be revealed.
"There seems to be a vacuum, as far as the sense of justice (is concerned)," Mr Foo said.
In response, Mr Iswaran reiterated that the Government knows the identity of the perpetrator and has taken appropriate action, but "it is not in our interest to make a public attribution".
He added: "I don't think we should reduce whether we have confidence and a sense of justice to just one specific point that there's no public attribution of the perpetrator.
"I can understand that members have a desire, and on behalf of constituents, to know this. But I think we have to exercise judgment: What is in our national interest, and whether a public attribution serves our best interest," he said.
The minister had fielded similar questions last August, during which he said the evidence needed to specifically assign responsibility may not stand up in a court of law.