SM Teo Chee Hean at the Singapore International Cyber Week 2022

Comprehensive Defence of our Cyberspace

Your Excellencies,
Ministers,
Secretaries,
Distinguished Delegates,
Ladies and Gentlemen,

Introduction

Good morning to all of you. Welcome to the Singapore International Cyber Week (“SICW”). I am happy to see the very large turn-out and many familiar faces with us today, especially those who have travelled from all over the world to join us. A warm welcome also to those who are joining us virtually, and we hope to see you soon in person as well.

Growing Importance of Cyberspace

The digital and cyber space has become ubiquitous, indispensable and so much a part of our lives today. COVID-19 has accelerated the adoption of digital technologies, making them a part of everything that we do, be it digital payments, shopping, chatting with friends, travelling or business. The emergence of the “metaverse”, heralds the merging of the virtual and the physical world.

Securing the digital domain and ensuring a trusted cyberspace will enable all of us to enjoy the fruits of the digital revolution, and its promise of economic progress and a better life. Because ultimately that’s the objective that all of us are pursuing.

However, precisely because the digital domain has become a more important and indispensable part of our everyday lives, threats in the digital domain have become much more serious and more challenging. Threats which start out in the digital domain can also quickly impact events in the physical world. The digital domain does not operate in a vacuum or in a separate reality. If a critical system is brought down by an attack, there could be severe effects on countries and the international system, organisations and businesses; financial losses; and threats to lives and livelihoods. Earlier this year, a ransomware attack on Costa Rica crippled essential services in the country, forcing the Costa Rican government to declare a state of national emergency. In February, a cyber-attack on the satellite communications provider Viasat caused disruptions across several countries in Europe.

International Cooperation

There are no borders in the digital domain. This is why at the global level, we need international cooperation to build a robust framework that can safeguard cybersecurity and promote confidence and trust in cyberspace. This is key is to establish norms of responsible state behaviour, build consensus around the application of existing international law in cyberspace, and facilitate confidence-building measures, capacity-building and standards. These are the basic building blocks to a cyber stability framework, which will guide states and other stakeholders to better trust each other and work together on cyber issues in a meaningful manner.

Supranational systems – systems that transcend national borders – pose a special challenge in international cooperation. These are systems such as the SWIFT international payment network, booking systems for air travel, and the interconnected systems providing safety and routing information for aviation and maritime traffic. These systems serve many countries. A failure of any such system would result in chaos at the global level. However, while many states depend critically on them, their protection and supervision sometimes do not come under any international process. We need to have greater emphasis on ensuring clearer collective responsibility, and strengthen international cooperation to protect these systems and make sure that they work properly and securely.

One important platform for cooperation in cybersecurity is the UN, where countries large and small have a voice and can work together. The OEWG, or Open-ended Working Group on Security of and in the Use of ICTs 2021-2025, has made some progress in achieving a common understanding of the elements that make up the cyber stability framework. The current chair of the OEWG is Singapore’s Permanent Representative to the UN, and we hope to help advance the work in this important forum. There is also the UNGGE or Group of Governmental Experts. The sixth UNGGE and inaugural OEWG submitted their consensus reports last year. Both have done important work in reaffirming our global commitment to the cyber stability framework.

Singapore is committed to contributing to these international efforts in practical ways through capacity-building and confidence-building measures. In August this year, we worked with the UN Office of Disarmament Affairs (UNODA) to organise the inaugural UN-Singapore Cyber Fellowship for cyber ambassadors and heads of agencies from across the world. In the ASEAN region, close to 1,500 senior officials have been trained through the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE). They have capacity-building programmes that have been running for the last 6 years. To expand on these efforts, Singapore will partner the Global Forum on Cyber Expertise (“GFCE”) to appoint a South-East Asia Liaison at the ASCCE. This is a whole bunch of names and organisations. So how do we get them to work together? This Liaison will be the focal point to connect the region more closely with the international capacity building community, to better match supply and demand in capacity-building, and to gradually align the work that all of us are doing.

Total Defence

At the national level, countries need to develop comprehensive strategies to protect themselves from threats across all domains.

In Singapore, we think of this as Total Defence. This is our national defence strategy introduced in 1984, that we adapted from Sweden and Switzerland. The crux of Total Defence is our belief that every Singaporean has a part to play, individually and collectively, to build a strong, secure and cohesive nation, covering every aspect of society.

The five pillars of our Total Defence were Military, Civil, Economic, Social and Psychological Defence. But with the increasing importance of the cyber and digital space, we decided to add a new dimension, Digital Defence, as the sixth pillar in 2019. In line with this, we have also announced that the Singapore Armed Forces will set up a fourth service, the Digital and Intelligence Service, in addition to the traditional Army, Navy and Air Force. This recognises that the new digital defence domain is a domain in its own right, with strategic impact.

We can look at cyber defence in the digital domain at 5 levels or layers.

First, we need to protect our digital information infrastructure. This includes the hardware and systems operated by our telcos, internet service and cloud service providers, and the physical cables and other digital connections with the world.

Second, apart from our physical infrastructure, we also need to protect our soft national infrastructure. This includes for Singapore, our National Digital Identity system, which we call Singpass, that provides trusted credentials for digital identity verification; and our National Digital Payment system, or PayNOW, that provides the backbone for making and clearing digital payments nationally. The integrity and resilience of our soft infrastructure enables citizens and businesses to transact securely, confidently and conveniently online with one another and with Government.

Third, we need to protect our Critical Information Infrastructure (CII). These are digital systems that are critical to our essential services, such as the supply of water, electricity and transport. As part of our Total Defence philosophy, the Cybersecurity Agency of Singapore, or CSA, works closely with our CII owners and Sector Leads to anticipate, identify, prevent, detect, respond, and recover rapidly from cyber threats. One such example was during the disclosure of Log4J’s critical vulnerabilities last December, where CSA worked speedily and closely with our CII Sector Leads and businesses to track and ascertain the extent and impact of any attack, and patch their systems to the latest versions immediately. To improve coordination with the CII sectors, CSA is developing a next-generation National Cyber Security Centre (“NCSC”), which will feature tighter integration with our CII owners and Sector Leads.

Fourth, beyond the CII sectors, all organisations – including businesses and research and educational institutions, will need to strengthen their own defences against cyber threats. One example of a threat affecting all organisations is that of ransomware. Ransomware criminals can be opportunistic and highly sophisticated. They take advantage of poor cybersecurity practices to gain access to their victims’ systems and data, bet on victimized organisations being more willing to pay the ransom and hide the attack than to report the crime, and take advantage of gaps between jurisdictions to evade law enforcement. To help companies and organisations deal with ransomware, Singapore set up an interagency Counter Ransomware Task Force (CRTF) earlier this year. The CRTF will bring businesses, Government, and international partners together to more effectively counter ransomware attacks. The Government also helps enterprises strengthen their cybersecurity. For example, CSA launched the SG Cyber Safe Programme in 2021 with a cybersecurity certification programme, comprising the Cyber Essentials and Cyber Trust marks, to set standards and recognise enterprises that have good cyber practices.

Fifth, individuals, each of us, have a responsibility to adopt good cybersecurity practices and protect the systems and devices that they use. Personal devices, including the multitude of IoT devices, do not exist on their own. They are connected to other devices, systems and networks. With the introduction of 5G technology, we can expect a step jump in the number and types of devices to be connected in ever-larger networks. If individuals or these multitude of devices are compromised, they will not only bring harm to themselves, but could be exploited to penetrate and weaken the whole system or network. Individuals need to be aware of cyber risks, be capable of protecting themselves, and be responsible for their own safety and security online. It was in this spirit that CSA launched the Cybersecurity Labelling Scheme (CLS) to help consumers identify smart devices that meet their cybersecurity needs. CSA intends to extend this labelling scheme to include medical devices. CSA will also be launching the Internet Hygiene Portal, which allows users to do “health-checks” to ascertain whether the websites that they visit have the necessary security protocols.

Finally, underpinning all our efforts in our digital defence is the need to build a sufficiently large and skilled cybersecurity workforce to defend against and tackle new threats in cyberspace. And I know that this is a challenge that all of us face.

Conclusion

The digital commons and our digital systems and networks are interconnected. We are only as strong as our weakest link. That is why we need individuals, businesses and countries to work together, so that we can strengthen our collective defence and protect our cyberspace and digital systems more comprehensively.

A comprehensive approach to cybersecurity helps us to build greater confidence and trust in our systems.

And for building trust and confidence, few things are better than being able to actually meet each other, talk and discuss things.

This is why we host the Singapore International Cyber Week. We are grateful for the presence of each and every one of you this year, to gather and meet in person. Do make the most of this opportunity to interact, make friends and exchange new ideas, and find ways to work together with each other. Whether you are here as a government official, business leader or cybersecurity professional, all of you play a vital role in strengthening the collective defence of our shared cyberspace.

Thank you for joining us today, and for your continued support for the SICW. I wish you an invigorating and productive conference. Thank you.