CSA chief explains why some S’poreans get scammed so easily & why he cares about them

If David Koh could meet every Singaporean and explain this to them personally, he probably would. Here's some of what he might say.

Nigel Chua | August 26, 2021, 08:20 AM

Singapore’s population is among the most literate and most highly-educated in the world, but some of us still fall prey to online scams.

One reason for this: We are “generally used to complying with instructions from authority figures,” mused David Koh, the Chief Executive of Singapore’s Cyber Security Agency (CSA), in a video call with Mothership.

This attitude towards compliance is not always a bad thing, Koh was quick to clarify.

After all, compliance is important in one of CSA’s main focus areas: The protection of computer systems in essential sectors like energy, water, transport, emergency services, and more.

Owners of these computer systems (which are considered "Critical Information Infrastructure") have to comply with the Cybersecurity Act, as well as CSA's Cybersecurity Code of Practice.

But Singaporeans’ relatively high comfort level when it comes to complying with authority can be tricky when it comes to scams — where the relevant "authority" isn’t actually an authority at all.

To make matters worse, we lack the instincts to discern whether we are speaking to real authority. Koh said:

“If a policeman stops you on the road and says, ‘young man, can I see your IC?’, your instinct is not to challenge him: 'Who are you', 'what right do you have', 'I'm a sovereign', or whatever.

Your instinct is to just take out your wallet and show him your identity card.”

Because of this, Koh believes that some Singaporeans are uniquely poised to have their money and data stolen, or their privacy compromised.

Many Singaporeans are too trusting online

And, if CSA's Cybersecurity Public Awareness Survey 2020 is anything to go by, many Singaporeans are far too trusting when they go online.

For example, while 78 per cent of respondents said they were aware of the risks of not having cybersecurity apps, only 39 per cent had actually installed such apps on their phones.

More data from the survey suggests that Singaporeans show "high levels of concern" for cyber incidents such as having their financial or personal information stolen on one hand, while believing that such incidents will not happen to them, said CSA.

Screenshot via CSA's Cybersecurity Awareness Survey 2020 results.

We wrongly equate physical security with cybersecurity

There’s another uniquely-Singaporean reason why some of us are especially vulnerable: Complacency.

Our complacency is not completely misplaced, however, as we mostly do have good reason to be confident of our physical safety in Singapore.

But Koh contends that “we have falsely equated our relatively good physical security with cybersecurity”.

To Koh, this comes down to the idea of having instincts that protect us against danger in the physical world, while lacking the same instincts online.

Instincts against danger have not yet translated online

Most of us lock our doors when we leave the house, and don't leave our wallets or handphones lying around — habits that point to the fact that we do have an instinct against physical danger.

"How did you learn all of this?" asked Koh rhetorically.

"Did you attend some course by the [Singapore Police Force (SPF)]? You know, like, 'How to behave and manage security in the physical world'?

"No one attended any course like this!" Koh exclaimed with a chuckle.

Instead, he said, these habits were picked up from our parents, as we were growing up.

When it comes to cyberspace, however, this process of "imbibing of the correct culture" has yet to become part of society, Koh said.

This means that many embrace “all the cat videos of the world” without realising that the internet also opens us up to “all the criminals of the world”.

Why aren’t we able to make the link, and safeguard our digital assets the same way that we watch out for our physical safety?

Data can be stolen without getting "lost"

Koh made the observation that one knows immediately when they are a victim of crime in the physical domain, but may not realise right away that one's personal or even financial information has been stolen.

"We don't feel the impact directly to ourselves, because even when your data is, [in] inverted commas, 'lost', it's not lost, because you still have your data. The hacker has copied your data out."

"In the physical domain, however, if you lose your wallet, you've lost it," Koh stated matter-of-factly.

Take stock of one's digital exposure

Koh suggested that we need to take stock of our exposure.

In other words, do an inventory of what we stand to lose in our online life, decide which data is more critical and sensitive, and take steps to safeguard that data.

This might include keeping banking and investment information encrypted, if such data is being stored in one's devices.

Koh shared that a helpful way to think about this is to think about how we might leave our slippers outside the house, while a brand new pair of shoes might not be treated the same way.

"I think the first level is awareness," said Koh.

"We need to recognise that we're not consistent. You do this in the physical world, why aren't you doing it in your digital world? Aren't your digital assets as important as your physical assets?"

He gives this advice to individuals and companies alike.

He shared that many companies' digital networks and systems are relatively "flat" — once you gain access, there is little differentiation between more valuable and less valuable data.

Reviewing my notes after the interview, I realised that my “main” credit card has been used on more local and international platforms than I can recall — all of which kindly offered to save my payment details for my convenience.

Yes, those platforms offer encryption and security, but I figure that it can't hurt to revise my credit limit from a five-figure sum down to a much more conservative number that's — to me — an acceptable fraction of my humble monthly salary.

Millennials are not "true digital natives"

Another reason why Singaporeans may not take cybersecurity as seriously as physical security, according to Koh: Most of us are not "true digital natives".

In his opinion, this includes millennials, and not just those from previous generations.

To prove his point, Koh recalled an anecdote relayed to him by a friend, in which a young girl on holiday with her family went up to a window to look at some scenery, and proceeded to pinch the glass as if she was controlling a smartphone or tablet.

"I think that is [an] indication of a digital native," Koh said with a laugh.

Koh's anecdote immediately made me feel better about the fact that I'm not "truly" in that category of digital natives.

But it also made me realise that my generation's adoption of various technologies may have been quicker than previous generations, but the fact remains that we simply didn’t grow up with that, or in that environment.

After all, the multi-input touchscreen interface is something that came along relatively late in my life, as is the case with many other technologies that are commonplace today.

And as Koh reminded me elsewhere in the interview, the iPhone didn't reach Singapore till 2008 — around 13 years ago.

Screenshot of Oct 2008 issue of HWM via Google Books.

While one can't turn back time to grow up again with the benefit of technology-savviness from a young age, it is helpful to bear in mind that we may not be as savvy as we think — and take steps to protect ourselves accordingly.

Why is CSA concerned with individuals' cybersecurity practices?

To that end, in June this year, CSA launched a public awareness campaign, “Better Cyber Safe than Sorry”.

The campaign seeks to highlight four "Cyber Tips":

  • Set strong passwords and enable 2FA
  • Learn to spot signs of phishing
  • Install anti-virus software in your devices
  • Keep your software updated

"Yet another cybersecurity campaign," you might be thinking by this point, as you roll your eyes.

Understandable. We’ve already heard countless PSA-type messages from various entities: SPF, Gov.sg, NCPC, GovTech, not to mention private sector organisations such as banks and payment service providers, who also have their fingers in the cybersecurity pie.

Should CSA’s proverbial nose be stuck somewhere higher, then?

After all, its various other responsibilities include monitoring cyberspace for threats, protecting critical information infrastructure, advising government agencies on security, and so on, and some might think these should be given higher priority than public education.

Well, not if it’s up to Koh.

CSA's work that targets the general population is important because it contributes to a healthier cybersecurity ecosystem overall.

Koh said that his "stretch goal" is that people in Singapore can go beyond seeing cybersecurity as a costly inconvenience.

Instead, he believes that it can one day be seen as something that differentiates businesses and their offerings.

This will pave the way for companies to work on guaranteeing cybersecurity as "a value proposition", something that can be used to attract customers.

And this change in mindset could also take place on an international level.

"Singapore is seen as a trustworthy country. You know, we do things in a trustworthy manner.

'Trust us, you can bank with us because we are safe.' Actually, one additional dimension of this can become cybersecurity."

Thus, empowering the population is actually one of CSA's three strategic thrusts, alongside its two other objectives of securing core digital infrastructure, and safeguarding cyberspace.

Empowering the population

And this is a role that Koh appears to take quite seriously — and perhaps even personally.

As the interview went on, I got the feeling that if Koh could somehow find the time and energy to meet every Singaporean and explain this to them personally, he probably would.

"I tell my young colleagues that we have to find a way to communicate cybersecurity, and make it real to your grandmothers," Koh said.

"A lot of my effort goes into thinking about real life examples which people can connect with, so that it becomes relevant to them. I think that that is what makes it real.

I think that cybersecurity will not work if we think about it as something that's technical, we think about it as something that I only do when I'm in the office."

Communicating to the layman is an area where he’s evidently had a fair bit of practice, and I imagine Koh would do a good job of cajoling my grandmother into setting up 2FA for her Instagram account.

I suspect that it also has something to do with the fact that, Koh confessed later in the interview, he loves his job.

Future generations may one day find us "unbelievable"

But Koh is already looking ahead to a future where this persistent public messaging will no longer be necessary, as it will become part of the culture.

He cited the example of how generations of schoolchildren had supervised tooth-brushing, before it was eventually phased out as overall standards of oral hygiene got to an accepted level.

Source: Ho Chin Geok Collection, Courtesy of National Archives of Singapore, via MOE on Facebook.

"Maybe in 20, 30 years time, subsequent generations will look back at this time and maybe talk about the phishing scams that we fell to lah.

And [they'll] say, 'can you imagine, in the year 2021, people were falling for scams like this. How unbelievable...'"

If and when that day comes, Koh will know that his job was a job well done.
