STATE-SPONSORED CYBER ATTACKS ON SINGAPORE GOVERNMENT SYSTEMS
1 Mr Yip Hon Weng asked the Minister for Communications and Information given the recent security breaches of several foreign government computer systems (a) whether the Ministry has detected similar attacks on our Government computer systems over the past three years; and (b) how does the Ministry respond to cyber acts by state-sponsored actors.
The Senior Minister of State for Communications and Information (Dr Janil Puthucheary) (for the Minister for Communications and Information): Sir, there were recent reports that a Chinese cybersecurity firm, I-Soon, had allegedly compromised nearly 20 foreign governments. Singapore was not listed as an affected country.
The Cyber Security Agency (CSA) and GovTech work with our security agencies to monitor threats and respond to any cyberattack on our critical computer systems. Given their sensitive nature, we are unable to publicly discuss such operations and responses.
Mr Speaker: Mr Yip.
Mr Yip Hon Weng (Yio Chu Kang): Thank you, Mr Speaker. I thank the Senior Minister of State for the reply. I have a very short supplementary question. In light of this incident, how are our civil servants trained to be more aware of such cyber attacks by state-sponsored actors?
Dr Janil Puthucheary: Sir, I thank Mr Yip for his question. When it comes to the safeguards for the cybersecurity of our Critical Information Infrastructure, there are various layers and various issues that we have to think about. It is not just about the training of our civil servants. That is certainly an important component of it, but we have a multi-layer defence in-depth approach in securing our Government’s infocomm technology (ICT) systems. There are preventive, proactive, detective and reactive measures that we put in place to defend against cyber threats.
One example of a preventive measure would be the Secure Internet Surfing, blocking Government workstations from malicious content. An example of a proactive measure is putting Government digital services through security testing to discover and remediate any potential vulnerabilities that may be there. For the systems that are online, our Security Operation Centre monitors the devices and networks 24/7 to detect attacks. Should suspicious or malicious activities or payloads be detected, our Incident Response Teams are prepared to contain quickly any attack, investigate the incident, carry out the necessary remediation and follow-up actions for recovery.
Other than depending on a central system to defend everywhere – that is not going to be sufficient – we also conduct regular cybersecurity awareness training for our public officers, raising their cybersecurity posture in terms of their behaviour and how they interact with systems. It is this layered, defence-in-depth landscape that will protect our systems from cyber threats.
Mr Speaker: Dr Tan Wu Meng.
Dr Tan Wu Meng (Jurong): I thank the Senior Minister of State for the answer. I have got two supplementary questions. The first is, can the Senior Minister of State reassure us that the Government is looking at the broader potential attack surface for cyber attacks, including beyond the gov.sg domain? This is because power and utilities companies, even if not under gov.sg, may supply a critical server and thereby be a potential attack surface by troublemakers.
My second question is, can the Senior Minister of State assure us that there is ongoing attention to looking for potential convergence points of risk, your acupressure points or your shatter points, whereby those points of failure can have disproportionate risk? Is there ongoing attention to such convergences of risk as well?
Dr Janil Puthucheary: Sir, the answer to both questions is yes. That sense of looking at the systems, systems of systems and the interactions between the various components of the systems is indeed the very framework that our Cyber Security Agency takes and the Cybersecurity Act is applied to, and it is how we then derive the designation of Critical Information Infrastructure and Significant Information Infrastructure. These considerations are not only for the gov.sg domains.