CSA looking into Singapore cybersecurity firm blacklisted by US for trafficking hacking tools
SINGAPORE: The Cyber Security Agency of Singapore (CSA) said on Wednesday (Nov 10) it is aware that a Singapore cybersecurity firm has been blacklisted by the US for allegedly trafficking hacking tools and is "looking into the matter".
Singapore's Computer Security Initiative Consultancy (COSEINC) was added to an entity list by the US Department of Commerce last week "based on a determination that they traffic in cyber tools used to gain unauthorised access to information systems, threatening the privacy and security of individuals and organisations worldwide".
The entity list is used to restrict the export, re-export, and in-country transfer of items to persons or entities reasonably believed to be involved in activities contrary to the national security or foreign policy interests of the US.
These sanctions will curtail COSEINC's ability to do business with entities in the US.
In response to queries from CNA, CSA said on Wednesday that companies should comply with laws and regulations in the provision of cybersecurity services.
"The Singapore Government will not hesitate to take firm action against individuals or organisations that violate the provisions," said CSA.
COSEINC describes itself on its website as a "privately funded company dedicated to providing highly specialised information security services to our clients". It was founded in 2004 and is based at the Citilink Warehouse Complex on 102F Pasir Panjang Road.
According to its website, the company's services include research, consulting and education, in areas such as computer security, malware analysis and penetration testing. Accounting and Corporate Regulatory Authority records show that it is a live company.
COSEINC's chief executive officer is Mr Thomas Lim, according to his LinkedIn page. His most recent post, about a month ago, said he could help anyone looking to hire "trained and certified" cybersecurity professionals.
Reuters reported on Nov 4 that Mr Lim is known for organising a security conference, named SyScan, which was sold to Chinese technology firm Qihoo 360, a sanctioned entity.
An email published by WikiLeaks in 2015 suggested that Mr Lim had also previously offered to sell hacking tools to Italian spyware vendor HackingTeam, the report said.
COSEINC did not respond to CNA's request for comments. The telephone number listed on the company's website could not be reached.
THREE OTHER COMPANIES BLACKLISTED
COSEINC was one of four companies added to the trade blacklist by the US last week, with the other three being Russia's Positive Technologies as well as Israel's Candiru and NSO Group.
NSO Group and Candiru were added to the list based on evidence that they "developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics and embassy workers", said the US Department of Commerce on Nov 3.
NSO Group is the developer of Pegasus, a type of malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.
Investigations have shown that some governments have used Pegasus to target rights activists, journalists and politicians around the world, with possible targets in Singapore. NSO Group has denied these reports.
The US Department of Commerce said in its news release that such tools have enabled foreign governments to conduct "transnational repression" outside of their sovereign borders to silence dissent, adding that these practices threaten the rules-based international order.
US Secretary of Commerce Gina M Raimondo said the United States is committed to aggressively using export controls to hold accountable companies that use such technologies to "conduct malicious activities".
These activities "threaten the cybersecurity of members of civil society, dissidents, government officials and organisations here and abroad", she said.
CSA told CNA it is important for companies to choose a trusted cybersecurity service provider as these providers would have significant access to their computer systems and sensitive information.
The agency has recently introduced a licensing framework for cybersecurity service providers so that consumers can get better standards and information, and be reassured about safety and security.
For a start, CSA will license two types of service providers, namely those providing penetration testing and security operations centre monitoring services.
"CSA has just concluded the industry consultation for the framework in late October, and the framework will be introduced in early 2022," it said.