Critical Information Infrastructure owners to be strengthened to avoid 'knife to a gun fight' scenario: Tan Kiat How

At the Mar. 2 Ministry of Digital Development and Information (MDDI) Committee of Supply debate, Senior Minister of State for Digital Development and Information Tan Kiat How spoke about Singapore’s efforts to shore up its cybersecurity, particularly by strengthening the protection of Critical Information Infrastructure (CII) owners.

Tan was responding to questions from Member of Parliament (MP) Sharael Taha, who had asked about the Government’s plans to protect Singapore’s CII.

Tan responded by saying that cybersecurity is a collective effort, and that CII owners needed to take responsibility for the systems they own and operate, but that the Government will also do their part.

But what is CII?

The Cyber Security Agency of Singapore (CSA) labels CII as a “computer or computer system located wholly or partly in Singapore, necessary for the continuous delivery of an essential service”.

It further adds that the “loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore”.

By way of example, it lists 11 critical sectors: energy, water, banking and finance, healthcare, transport (on land, sea, and air), Government, infocomm, media, as well as security and emergency services.

These CII and their sectors are defined in the Cybersecurity Act, where they are specifically classified as the computers and computer systems, not the firms or the sectors themselves.

Tan said that MDDI planned to update the cybersecurity standards and obligations, level up Singapore’s CII owners, and strengthen capabilities in Singapore’s cybersecurity workforce.

Higher standards

Tan said that Singapore’s CII owners are held to higher standards and subject to stringent obligations imposed on their critical systems or CII systems, a calibrated approach to allow them to balance national security needs with business costs.

In recent years, Singapore’s CII have seen an increasing number of attacks, as shown by the recently revealed spate of attacks by state-backed actor UNC3886.

While Tan did not mention any specific actor, he said that Singapore has seen more threat actors begin to target non-CII systems in the hope that the less secure systems might give them an entry point to other CII systems.

As a result, the CSA will review the scope of current cybersecurity standards and obligations, which might include non-CII systems where they interconnect with CII systems.

One such result of the review is that IMDA will enhance its cybersecurity regulations for telecommunications operators, especially in light of the recent attacks.

IMDA will provide guidance in areas such as managing virtualisation of infrastructure and credential management, and Tan said that CII owners were expected to comply with new requirements.

Knife to a gun fight

Tan shared his observations after having numerous candid, closed-door discussions, where sector leads and CII owners told him they understood that “the threat landscape has evolved,” and that they appreciated what was at stake.

However, they worried that CII owners were usually private companies focused on the delivery of social services, not cybersecurity experts.

This put them at a disadvantage when facing up against “the best-in-class, state-backed cyber threat actors.”

“One of the CISOs told me that it is like he is bringing a knife to a gun fight. I empathise with his point of view.”

Tan emphasised that cybersecurity was a “collective effort,” and that the Government would “lean in” to help CII owners strengthen defences and better respond to efforts.

Top image via MDDI/YouTube & Facebook