Speech by Mr David Koh, Commissioner of Cybersecurity and Chief Executive of Cyber Security Agency of Singapore at the World Economic Forum's Davos Agenda 2021

"AVERTING A CYBER PANDEMIC"

Introduction

Thank you Samir, and the WEF, for inviting me to speak at this session on “Averting a Cyber Pandemic”, and for that great video.

The COVID-19 pandemic has accelerated digitalisation dramatically.

Technology has done wonders to keep us connected - this panel is a great example of that). It has also aided our work and how we entertain ourselves. Additionally, during the lock-down periods, the digital space is an enabler of all sorts of activities. For instance, we see remote working and e-commerce becoming a new way of life.

All these have increased our reliance on the digital infrastructure on an unprecedented scale and it has also expanded our view on what “essential services” should consist of. I don’t think many of us thought that supermarket delivery or food delivery services were essential until we had a lockdown.

The operating landscape has evolved – the digital domain and cyberspace have now become the lifeblood of our economic and social lives. The attack surface has also increased exponentially. Our policies have to change to keep in tandem with these developments.

The pandemic is an issue that plagues the physical world. But a cyber pandemic is a crisis of the digital world. I see some similarity in the approaches we can take to manage these two types of pandemics.

Need for Collective Responsibility

First, in both situations, there is a need for collective responsibility. In dealing with cyber threats, different segments of the community need to work together to engender an environment of security and trust in the digital domain, to optimise the full potential of the digital economy and society.

For instance, governments can contribute by putting in place national strategies and initiatives to increase the broad level of cyber hygiene for its internet users.

To this end, in Singapore, we have launched our Safer Cyberspace Masterplan last year with the aim of going beyond protecting critical information infrastructure and provide some basic level of cybersecurity for a wider segment of society.

Beyond governments doing their part, there is also a role for industry partners, as well as enterprise and individual end-users to play.

We encourage industry partners to prioritise their customers’ interests, For example, through secure-by-design practices in the provision of digital products and services.

Enterprise and individual end-users also need to have basic awareness of the types of cyber risks that are out there, and the measures that they need to take to better protect themselves. It is not just a technical issue; end-user awareness is also essential.

Close Cooperation between Various Stakeholders 

Second, hyper connectivity in the digital and physical realms pose challenges to dealing with cyber and public health pandemics respectively.

This requires close cooperation between various stakeholders to deal with the pandemic.

In the case of the cyber, the level of interdependence between organisations, and through the supply chains, means that the compromise of a single supplier can generate “ripple effects”,. The recent SolarWinds cyber breach is an example.

So even an organisation with good defenses, can still be vulnerable when threats come from trusted third-party vendors.

Given the challenges of hyper-connectivity, we need to work together, be it cross-boundary, international etc.

Forward-looking Mindsets

Third, the threat that we have to deal with in a cyber and public health pandemic is rapidly evolving, and hence our response needs to be agile to keep up with the changing nature of the threat.

We are hearing of new variants of the COVID virus. Likewise, in cyber, there are constantly-evolving threats and sophisticated threat actors.

So, we need to have mindset shifts. we need to engender a shift for example, from a compliance to a risk-assessment. If you just have a rigid compliance mindset, it will not work when threats are constantly evolving.

An enterprise’s cybersecurity posture needs to be constantly reviewed and updated as well. One example is to move to a mindset of a “zero-trust” cybersecurity model.

There are two key principles to this. First, don’t trust any activity in the network without verification. Secondly, we need to monitor for suspicious activities.

Conclusion

In sum, averting a cyber pandemic requires collective responsibility, close cooperation between stakeholders, and forward-looking mindsets.

Thank you.