Speech by Mr David Koh, Chief Executive, Cyber Security Agency Of Singapore, at Panel Session 2 of the inaugural Cyber Defence & Security Exhibition And Conference (CYDES) 2021

I would like to thank Ir. Md Shah Nuri bin Md Zain, Chief Executive, National Cyber Security Agency Malaysia, and his team for inviting me to speak at this inaugural Malaysian Cyber Defence and Security Exhibition and Conference or CYDES.

Sitting on this panel together with Shah and Tobias feels like a reunion of sorts. The three of us have been together on many events including last year’s Singapore International Cyber Week, where both Shah and Toby were distinguished speakers. Just last week, I participated in a webinar on cyber and critical emerging technologies with Toby.

On one hand, the increasing momentum of such discussions shows the keen interest in the international and regional community to engage in meaningful and action-oriented dialogue to address the increasingly sophisticated cybersecurity challenges facing us today.

The successful conclusion of the recent UN discussions at the Open-Ended Working Group (OEWG) and the UN Group of Governmental Experts (UNGGE) with the delivery of substantial consensus reports has added to this momentum. Singapore actively participated in both processes. We believe that the additional layer of understanding that such discussions bring is critical for the international community to move forward and develop the norms, rules, and principles toward an open, secure, stable, accessible, interoperable, and peaceful cyberspace. Conferences like CYDES are an ideal opportunity for us to further develop this understanding and work towards practical and action-oriented exchanges.

Key considerations in Effective Policy Formulation and Strategy

Today’s panel discussion on the development of effective National Cybersecurity Strategies is timely in this regard.

Cybersecurity is a key enabler of the economic progress and betterment of living standards in the digital economy. This has become even more evident during the Covid-19 pandemic where we have been forced to adopt rapid digitalisation and the migration of government, business, and social activities online. This has opened up the attack surface.

Apart from traditional modes of attack, threat actors are now compromising systems and networks leveraging trusted supply chain vendors, as seen in the SolarWinds breach late last year. In recent months, we have also seen a resurgence of ransomware attacks that affected essential services in the energy, healthcare, and transport sectors. For example, in early May, it was reported that the Colonial Pipeline Company operating the largest fuel pipeline in the US East Coast suffered a ransomware attack, prompting the company to shut down the pipeline’s operations for close to a week.

Cyber-attacks are evolving to increasingly have real-world, physical impact. In such a situation, having a robust national cybersecurity strategy is essential for the State to ensure the  security and resilience of its cyberspace as a trusted enabler that will allow the delivery of essential services to the public.

Singapore’s Cybersecurity Strategy

Singapore’s cybersecurity strategy was launched by Prime Minister Lee Hsien Loong during the Singapore International Cyber Week in 2016.  Our strategy consists of four pillars – building a resilient infrastructure, creating a safer cyberspace, developing a vibrant cybersecurity ecosystem, and strengthening international partnerships.

The pillars themselves underline one of our key considerations in designing a strategy, namely, effective national cybersecurity strategy formulation is a multi-disciplinary and multi-dimensional effort. To this end, we have been working to encourage industry engagement, workforce development, development of technical standards, as well as pursue international and regional cooperation both bilaterally as well as through regional and international multilateral platforms.

International engagement and cooperation are just as vitally important to securing national cyberspace as other more domestic efforts. Given the transboundary nature of cyber threats, it is vitally important for countries to forge close working relationships for CERT-CERT exchanges of information, as well as work together to establish a rules-based cyberspace. This will ensure a trusted and secure cyberspace for all.

Singapore is glad to be working with Malaysia to develop a long-term Implementation Roadmap for Norms of Responsible State Behaviour in Cyberspace for AMS, and we are also supportive of Australia’s partnership with Indonesia under the ASEAN Regional Forum Inter-Sessional Meeting on Security of and in the Use of Information and Communication Technologies (ARF ISM on ICTs Security) to organise a workshop on Norms Implementation for AMS.

Capacity building is also important because we are only as strong as the weakest link. Singapore has established the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) to further capacity building initiatives in ASEAN, and we work with partners such as our counterparts in Malaysia and Australia to deliver capacity building programmes.

A second consideration is to follow up with effective levers to implement the strategy. Since 2016, CSA has followed up with our:

- Cybersecurity Act, which establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore.

- Operational Technology (OT) Cybersecurity Masterplan, which was developed as part of CSA’s efforts to enhance the security and resilience of Singapore’s essential service sectors, improve cross-sector response to mitigate cyber threats in the OT environment, and strengthen partnerships with industry and stakeholders.

- Safer Cyberspace Masterplan, which outlines our plan towards the creation of a safer and more secure cyberspace in Singapore, through securing our core digital infrastructures, safeguarding our cyberspace activities, and empowering our cyber-savvy population.

A third consideration is the need to have continued coordinated engagement with multiple stakeholders. CSA works closely with our partners in government on various aspects of the strategy – CII sector leads on CII protection, economic agencies on ecosystem development, and our Ministry of Foreign Affairs on international policy matters. At the same time, we also work closely with a range of industry partners, academics, and other thought leaders.

Conclusion

I have often referred to cybersecurity as a team sport. The development of a robust and effective cybersecurity strategy also requires close coordination with many different partners, especially as the cyber domain expands to take in critical and emerging technologies and other adjacencies like AI and quantum computing. In a world where technologically is ever evolving and becoming increasingly sophisticated, developing an effective cybersecurity strategy will often require us to work with multi-stakeholder partners from many different disciplines and domains.