It is a matter of time before Singapore sees a major cyberattack, and the onus is on the Government to make sure the networks are resilient and ensure information on the attack is disseminated as quickly as possible, says CSA chief executive David Koh.
SINGAPORE: As chief executive (CE) of Singapore’s Cyber Security Agency, Mr David Koh is well-versed in the intricacies of online security. However, this does not mean his family is on the same page, he told Channel NewsAsia during an interview on Tuesday (Aug 4).
In fact, Mr Koh shared that the level of awareness of safe online habits is “not very high”. For instance, the father-of-three recounted that his daughter would leave her computer in “sleep” mode, rather than shut it down. This is not safe, because hackers can technically still remotely access the computer even if she is not on it, he said in his first media interview since taking the reins of CSA.
His son, too, learnt that cybersecurity is a real issue when one of his game’s online characters was hacked and he lost “gold and other special items” because of it. “I guess this is a cheap way of educating them,” the 50-year-old said.
PHYSICAL SAFETY DOES NOT EQUATE TO DIGITAL SAFETY
His family’s experience with cybersecurity is reflective of the current state of awareness in Singapore: People do not think much about online safety until something bad happens to them, he said.
“Everyone associates their physical safety in Singapore, that of being able to walk on the streets at night or keeping their home doors unlocked, to that of Internet safety,” Mr Koh said. “This is not true.”
Couple that with the fact that Singapore has one of the highest percentages of internet users globally, and this is “a dangerous mix”, he noted. He did add that awareness of cybersecurity issues is “high” among Singaporeans, but that does not translate to action, as many do not even use tools such as firewalls.
This is an impediment the CSA has to overcome, given that the internet is inherently vulnerable to attacks. “The internet was not designed for safety; it was designed for the quick sharing of information,” the CE said. “We’re now trying to bolt on a layer of security, given the increase in internet usage.”
CSA STILL FINDING ITS FEET
On the agency itself, Mr Koh said his main task when assuming the post on Apr 1 was to establish CSA and “forge an identity” among the staff. There are currently about 100 staff, pulled together from various ministries and bodies such as the Ministry of Home Affairs (MHA), the Infocomm Development Authority of Singapore (IDA) and the Ministry of Communications and Information, as well as new hires.
“This is reasonably good progress,” he said, adding that the roadmap for the agency was to achieve initial operating capacity by 2016 and full capacity a year later. There are plans to double the size of their current staff, and they are looking to fill a “broad range of skillsets” ranging from operations management and outreach to IT and cybersecurity professionals with expertise in, for instance, digital forensics, he shared.
Given that the nature of the job relates to national security, Mr Koh said CSA is, in general, looking for Singaporeans to fill the positions although there is scope to hire those of other nationalities. Some of the areas include staff for international engagement and communications, he elaborated.
POSSIBLE LEGISLATIVE CHANGES BEING CONSIDERED
Asked if there is a need to introduce new cybersecurity laws, the Chief Executive confirmed that the agency was charged with reviewing the existing legislation to see if it is sufficient for the evolving landscape.
“Cybercrime is moving at a rapid rate, and there is the possibility that some laws need to be changed,” Mr Koh said. “The question is how to balance usability with security.”
One aspect that is high on his priority list is ensuring organisations report system breaches in a timely fashion, something that most are reluctant to do as it may affect their reputation and possibly divulge sensitive information to their competitors.
As such, the CSA is working with the different sectors’ lead agencies and industry players to convince them it is to their benefit that there is a “trusted platform” for them to share information when an attack hits their organisations.
For example, in the financial sector, the CSA conducted a tabletop exercise in collaboration with the Monetary Authority of Singapore (MAS) and various financial institutions. The exercise brought the financial institutions together, and they were then "thrown a cyberattack scenario and discussed their plans and responses to such incidents", said Minister-in-charge of Cyber Security Yaacob Ibrahim in May this year.
Through the exercise, one participant saw the benefits of sharing information, and viewing other companies in the industry as collaborators, instead of competitors, he said.
Mr Koh acknowledged that the financial sector, being at the forefront of internet threats, is likely more mature in preparing for potential attacks, but other critical information infrastructure (CII) sectors may not be as mature. Some of the CII sectors CSA is engaging currently are the energy, medical and transportation sectors, he revealed.
He recognises the fact that any possible regulation on cybersecurity may result in additional costs, so the CE is keen to get companies to buy in to the idea. However, given that the issue is pressing, the last resort would be enacting laws to make companies comply, he said.
The goal, he said, is a 12-month timeframe, and any possible developments regarding legislative changes would be “more concrete” then.
CYBERSECURITY-BY-DESIGN FOR SMART NATION
As for how the CSA is working with the Smart Nation Programme Office (SNPO) to realise Singapore’s Smart Nation vision, Mr Koh said he is “working very closely” with them. For instance, he co-chairs the cybersecurity unit in SNPO with the Managing Director of IDA, he added.
“Cybersecurity should be seen as an enabler, and is the key plank on which the Smart Nation will be built on,” he said.
In practical terms, the CSA adopts a “light touch” when the SNPO is experimenting. Once it is decided that the pilot will be deployed extensively, then CSA will come in and ensure online security is built into the design. The fine balance is not to interfere with the ideas, while ensuring that systems are secure, he said.
Mr Koh’s military background lends itself to the Smart Nation project. The career military man only recently retired from active service after about 30 years. His other portfolio, besides CSA CE, is as Deputy Secretary of Technology for the Ministry of Defence. During his active service, he was the Chief Signal Officer of the Singapore Armed Forces (SAF) and Head of Joint Communications and Information Systems Department in the Joint Staff.
In these positions, he helped to implement the SAF’s version of the Smart Nation, in that communications within the organisation were connected using technology, which led to better sharing of information. He was also responsible for protecting the SAF in the area of cybersecurity.
The only difference, he noted, was that in the army, people “were more obedient and there was no need for legislation”.
PEOPLE, SYSTEMS MUST BE RESILIENT
But if the internet is not designed for security, yet the nation is committed to the Smart Nation vision which entails connecting almost everything to the internet, how does the CSA hope to achieve its goals?
Mr Koh acknowledged the conundrum, saying it is “close to impossible to secure everything, 100 per cent, all of the time”. He added that it is a question of when, not if, a major cyberattack hits Singapore.
The onus is on the Government and CSA to ensure that they are able to detect the breach, and that the networks are resilient and recover as quickly as possible when an attack takes place. This would entail working with other Government agencies and the private sector, which owns much of the IT infrastructure.
The other aspect is for the Government to keep the populace well-informed, and clarify what is happening as quickly as possible. This would help ensure people do not feel that they are helpless when, say, their financial or personal details have been compromised, he said.
“The Government can and should do more in closing the loop” with regard to keeping people informed, Mr Koh said. Citing the K Box breach last year as an example, he said he does not know the outcome of the case or whether the company was taken to task for the incident, as the investigation is still ongoing.
Details such as the mobile numbers, identification card numbers and addresses of more than 317,000 K Box members were leaked last September. The company said then it was working with the police and the Personal Data Protection Commission on the attack.
He said people’s mentality will need to be ready for such incidents, going forward.
“Our people need to be resilient. When something goes wrong, and in my professional opinion something will go wrong, then the issue is how we react to the incident,” Mr Koh said. “If people react as if the world has stopped turning, then the problem becomes unnecessarily amplified.
“If our people are resilient enough and find manual systems to deal with the disruption, then I think that the society as a whole will continue to operate, and the impact in the physical world will not be as great,” he added.
"The assurance that I will give is that we will put out information as quickly and as accurately as we can."