Held in a hybrid format during the second year of the pandemic, the highly anticipated Singapore International Cyber Week 2021 (SICW, 4th – 8th October 2021) opened to a global audience that saw more than 2000 delegates and speakers participating globally, including government ministers, cyber principals and heads of agencies and leaders from industry and academia.
The 6th edition of SICW continued the momentum of conversations on emerging digital opportunities and threats, cybersecurity policies and norms, Internet of Things (IoT) and Operational Technology (OT) security, and unveiled the latest Singapore cybersecurity strategy to address new and emerging cyber threats.
Singapore Cybersecurity Strategy 2021 – Consensus building and deepening collaboration
First launched in October 2016 by the Prime Minister Lee Hsien Loong at SICW 2016, the Singapore Cybersecurity Strategy 2021 was released by Mr Teo Chee-Hean (Senior Minister and Coordinating Minister for National Security) at SICW 2021.
As global digital revolution and innovations accelerate, “connecting more people, bringing in new services, and rolling them out fast, bring added risks”, said Mr Teo, such as the exploitation of “vulnerabilities in what should be “high trust” components” in the recent high-profile SolarWinds supply chain attacks.
While the updated strategy “articulates Singapore’s approach to safeguarding our wider cyberspace in an increasingly complex environment,” he said, it also “acknowledges the need for consensus-building and deepening collaboration.”
The 2017 WannaCry attack encapsulated today’s era where the global nature of cyber threat means that no one can combat it alone.
Threat actor groups have also recognised the benefits of working together by sharing intelligence and tools to stage attacks of ever-increasing sophistication.
Cybercrime models such as ransomware-as-a-service or phishing-as-a-service point to a trend of increased collaboration between bad actors and coordination across specialities. Little if at all programming skills are required to launch an attack – a crucial factor behind the alarming rise of ransomware attacks.
Moreover, such collaborations extend beyond the cybercrime ecosystem.
The ease with which threat actor groups navigate between the Dark Web and surface web economy, commodity and customised malware, desktop, mobile and network attacks, have broken traditional attributions models. Targeted attacks are no longer the preserve of nation state actors – cybercriminals can just as easily disrupt a critical infrastructure with a ransomware attack.
Recent Altdos incidents that targeted South-East Asian businesses ranging from electronics to furniture stores, and DarkSide that compromised the U.S. Colonial pipelines leave no doubt that cyber threats are advancing to a mainstream consideration for organisations of all sizes and sectors across the world.
The good news is that there has been great progress on international cooperation to combat cybercrime and build cyber norms.
One example is the Interpol Global Complex for Innovation based in Singapore, where law enforcement and industry partners recent “Operation Night Fury” led to the arrest of three individuals running malicious credentials theft campaign. Another is the recent establishment of the United Nations “Open-ended working group on security and in the use of information and communications technologies”, to be chaired by Singapore from 2021 – 2025.
Ministerial Roundtable Sessions and the ASEAN Ministerial Conference on Cybersecurity (“AMCC”)
Mr David Koh, Chief Executive, Cyber Security Agency of Singapore (CSA) on stage, left.Ms Chong Shu Min (Assistant Manager, Strategy & Planning Division, CSA) on stage, right
Top left clockwise
The Honourable Dato Abdul Mutalib Yusof, Minister of Transport and Infocommunications, Brunei
Mr Roberto Viola, Director-General, Directorate-General for Communication, Networks, Content and Technology (DG CONNECT), European Union
Mr James Hatch, Director Cyber Security BAE Systems Applied Intelligence
Lieutenant General Hinsa Siburian, Head, National Cyber and Encryption Agency (BSSN), Indonesia
Mr Julian Cracknell, MD of BAE Systems AI
Mr Michal Pukaluk, Director of the Digital Policy Department, Prime Minister’s Office, Poland
Strong participation including ministers, cybersecurity coordinators, heads of cybersecurity agencies and top industry players from the United States, United Kingdom, Japan, European Union and Australia at the Ministerial Roundtables underscored the common ambitions to strengthen international collaborations in cybersecurity.
Regionally, since ASEAN’s (Association of South-East Asian Nations) subscription in principle to the UN’s 11 voluntary, non-binding norms of responsible state behaviour in cyberspace in 2018 – the first regional grouping to observe such norms – there had been further progress on ops-tech collaboration and capacity building.
Notably, announced at the 6th AMCC, these included:
- the establishment of the ASEAN CERT (computer emergency response team) and the ASEAN CERT Information Exchange Mechanism, and
- the official opening of the ASEAN-Singapore Cybersecurity Centre of Excellence (“ASCCE”, which was launched in 2019) to support cyber capacity building efforts in the region.
Within Singapore, collaborations between the government – through CSA – and the industry were stepped up.
Initiatives announced at SICW2021 included the SG Cyber Safe Partnership Programme (where government and industry aim to encourage adoption of good cybersecurity practices by businesses and public) and the first national standard on Cybersecurity Labelling for consumer IoT (which aims to serve as a standard that can be adopted by manufacturers, developers, testing bodies and suppliers of consumer IoT devices globally).
Governments & Tech MNCs: Regulate or Collaborate for Cybersecurity?
Ms Chong Shu Min (Assistant Manager, Strategy & Planning Division, CSA)
Mrs Josephine Teo ( Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity, announced the official opening of the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE)
Mr David Koh (Chief Executive, Cyber Security Agency of Singapore (CSA))
Besides the building of international bilateral and multilateral ties and domestic initiatives, the recent supply chain attacks like the SolarWinds incident also put a renewed urgency to do more.
Malicious actors by targeting a supplier integral to our digital infrastructure – whether it is a piece of software in a networking tool or in a cloud service or in a third-party application – can trigger a chain reaction that compromise multiple organisations and thus cause wide-spread disruption.
This multiplier effect means that larger global technology suppliers are highly tempting targets for attackers.
With “big tech” – which some refer Tech MNCs as – in the spotlight as the number of supply chain attacks is expected to grow, combined with recent anti-trust actions making headlines, the SICW Conversation on “Governments & Tech MNCs: Regulate or Collaborate for Cybersecurity?” is timely.
While trust in the supplier ecosystem is being further tested as the fully taxonomy of such attacks remains unknown, dialogues between government and suppliers are tangible steps towards finding common goals to combat such threats.
Engagement models such as the recent US White House meeting with large technology companies were examples explored with Anne Marie Engtoft Larsen (Tech Ambassador, Ministry of Foreign Affairs Denmark); Brandon Wales (first Executive Director, Cybersecurity and Infrastructure Security Agency, United States); Peter Moore (Regional Managing Director, Asia Pacific Public Sector, Amazon Web Services) and Lu Chuanying (Research Fellow, Centre for American Studies, Institute for Global Governance Studies).
Clockwise from Top:
Anne Marie Engtoft Larsen (Tech Ambassador, Ministry of Foreign Affairs Denmark);
Brandon Wales (first Executive Director, Cybersecurity and Infrastructure Security Agency, United States);
Lu Chuanying (Research Fellow, Centre for American Studies, Institute for Global Governance Studies).
Peter Moore (Regional Managing Director, Asia Pacific Public Sector, Amazon Web Services)
Jane Lo (Singapore Correspondent, Mysecurity media)
Moderated by Jane Lo (Correspondent, MySecurity Media), the panel also discussed the trade-offs and gaps in governance in the areas of secure software development and information sharing.
While there are regulations, namely, to protect personal data and critical infrastructure, the panel consensus (and a live audience poll) pointed to strong support for collaboration as key to meeting the real threat of cyber incidents.
For examples, Ambassador Larsen noted the need for democratic countries to join forces to shape a responsible, democratic and secure digital future and “to forge a closer and trusted partnership with the private sector”. Executive Director Wales emphasised the need to turn the discussion around information sharing into a discussion around operational collaboration: “how do we collaborate with the key stakeholders inside of the industry, who not only have the level of visibility to understand the modern threats we are facing, but also have the ability to take action at scale.”
“Cybersecurity is a team sport” – Mr David Koh (Chief Executive, Cyber Security Agency of Singapore).
In less than 2 years, ransomware attacks have escalated into a massive, systemic threat, and supply chain attacks have manifested the full extent of its disruptive power. They are but stark reminders of the global interconnectedness of our digital infrastructure.
“These shifts in our threat landscape over the past year underscore the diverse challenges in cybersecurity, which must be met by a whole-of-society effort and collective responsibility between stakeholders in the public and private sectors, “said Mr David Koh (Chief Executive, Cyber Security Agency of Singapore).
To this, he added: “cybersecurity is a team Sport. In fact, it is an international sport.”
Indeed, while nations and organisations will continue to chart their own journeys to meet these challenges, a collective response is needed where actors across geographies, sectors, industries, backgrounds and experiences come together to share and act, and to defend against an ever-evolving threat landscape
With time and productive dialogues involving high levels of regional and international participation, common grounds on effective cybersecurity programs can undoubtedly be reached.