It is better to work together and understand problems with regard to critical information infrastructure (CII) rather than go against each other, Minister for Communications and Information Josephine Teo said on Tuesday (Jan. 17), noting that “cybersecurity is really like a team sport”.
In a World Economic Forum (WEF) panel discussion titled, “Securing Critical Infrastructure”, Teo talked about cyber resilience, thinking beyond CII, as well as the transnational nature of cybersecurity.
What is critical infrastructure?
Critical infrastructure are defined as assets that are essential for the functioning of a society and economy.
In the session, Teo laid out what she defined as critical infrastructure that needs to be protected:
“One is the amount of risk that, you know, could be inflicted, and second is the kind of impact it would have on delivery of essential services. So essential services in a modern economy, modern society - power systems, energy related, anything to do with money - these are all going to be quite essential.”
Crisis sparking action
Teo was asked about her thoughts on the problem of cyberattacks, as well as the relevant resources and capabilities needed to thrive not just in Singapore but also globally.
She mentioned the 2018 SingHealth data breach in which the health records of more than a million patients, including that of Singapore's Prime Minister Lee Hsien Loong, were stolen by unidentified state actors.
She also noted how the Cybersecurity Act was passed after the incident to strengthen Singapore's cyber defences.
The Act came into force in August 2018.
It is currently under review.
It defines who is responsible for the cybersecurity of critical information infrastructure in crucial sectors, such as water, energy and healthcare.
It also includes a code of practice for operators of critical infrastructure to improve their cyber defences.
Pillar 1: Resilience
Firstly, Teo said one needs to move beyond the protection of CII and think in terms of resilience.
“You know, the problem with us investing a lot in CII protection is that it's like a house.
You think that you've locked the doors, you think that you've locked windows, but today's cyber criminals are more sophisticated than that. They have intruded into your home without you realising.
And so, whereas one might think that no news is good news, because you haven't identified or detected any incidents, they haven't surfaced. So you assume that they're not already present."
She said the Singapore government decided it was not wise to ignore unknown threats and assumed that its systems "have already been infiltrated".
Teo emphasised that one should do proactive threat hunting, and have a recovery plan in place which has been tested.
Pillar 2: Beyond CII and into the cyberspace
Secondly, Teo said it is vital to visualise what the entire cyberspace looks like due to the various entry points that cyber criminals can exploit.
She said that we had to go beyond CIIs and consider the broader supply chain because the threats and risks were no longer confined to the critical info infrastructure.
"And you've also got to then say, where are all the possible surfaces of attack? You and I have devices that are connected to larger systems, we are the endpoints. And if our own cyber hygiene is very weak, we are where the entry can take place."
The second part of Singapore's strategy was to get many stakeholders involved and make them aware of cyber risks, as well as levelling up their digital defence capabilities.
Pillar 3: International Cooperation
Teo said the third pillar of Singapore's strategy was to recognise the transnational nature of cyberattacks.
Teo said we have “to recognise that cyber criminals do not respect geographical boundaries".
She added that we need to collaborate across countries on supply chain issues, which if left unaddressed will affect all of us. This is in addition to exchanging information on cyber incidents.
Ransomware perpetrators are taking advantage of these gaps if "we're not thinking of how ransomware is being implemented because the rules are different in each state".
She highlighted that without international cooperation, it would be difficult to be "on top of the game" against cyber criminals.
High dependency on technology
Teo also pointed out that the threat of cyber incidents should not be downplayed, especially when many essential services require digital infrastructure to operate.
This requires thinking about cyber threats as not just a "matter of embarrassment" or "inconveniences" as they have real life consequences.
"If you think about a cyber incident in the hospital and the patients is lying down there, and records cannot be retrieved, you cannot get the right medication, you don't know what next to do, life’s at stake.
You and I flew long distances, maybe some of us longer than others, to come to Davos for this meeting. The air traffic management system, you know, if, touch wood, a cyber incident were to interfere with it, the consequences are horrific.
So much of modern life is about how we are connected. We are so dependent on IT systems, we are so dependent on OT (operational technology) systems."
She added that due to the lucrative returns from conducting cyber attacks, cyber criminals would always be present no matter how hard one attempts to stem their operations.
Consider it a "team sport"
Teo reiterated that the cyber world is fluid and it is challenging to just rely on regulations to protect critical infrastructure, noting that they are not "a silver bullet".
"I would say that capabilities are equally important, because cybersecurity is a wicked problem. It keeps changing.
And so you know how strongly your ecosystem supports the fixing of problems. You may have the intent to fix but you can't find the right people to fix.
Then, obviously, it's not gonna solve your problem and that's where I think it's very important to recognise that -- I don't mean to trivialise it, but cybersecurity is really like a team sport. And whether it is the state, you know, trying to help build up the ecosystem with the right capabilities, or also working together with businesses.
I think we are better off working together and understanding the problem and trying to get to a solution as soon as possible, rather than against each other.”
The World Economic Forum (WEF) is being held in person for the first time in three years, with an overarching theme of “Cooperation in a Fragmented World”.
The meeting brings together thousands of leaders around the world from the public and private sectors, and would be taking place over a five-day period from Jan. 16 to 20.
Teo was one of the three ministers representing Singapore at the WEF held in Davos, Switzerland. The other ministers are Senior Minister Tharman Shanmugaratnam and Minister for National Development Desmond Lee.
Top images via World Economic Forum