Call to rethink cyber security policies

Experts urge stronger online defence, sharing data on breaches, better planning

The need for government policies to keep up with the fast pace of technological change was a key theme of discussions on the first day of the inaugural Singapore International Cyber Week.

This becomes more urgent as people all over the world become more dependent on connected devices, giving those with bad motives more opportunities and reasons to do harm, said information technology experts.

"There is money in malware," said Mr John Suffolk, global cyber security officer for Chinese tech giant Huawei. "Where there is technology, there will be someone trying to do something that you don't want them to do, such as stealing your banking details."

Over several presentations that followed Prime Minister Lee Hsien Loong's launch of Singapore's national cyber security strategy, global experts identified three broad ways that governments need to rethink cyber security.

One, the very definition of cyber security and warfare has to change, said Professor Isaac Ben-Israel, a retired Israeli major-general who led a task force that formulated his country's national cyber policy.

Computer systems that are vulnerable to attack today include those on smartphones. There is no such thing as an isolated computer anymore, and modern malware is capable of causing damage in cyberspace and in the real world, he said.

This was the case with the Stuxnet computer worm, which in 2010 damaged an Iranian nuclear plant, he noted. Countries may yet weaponise more malware to commit cyber warfare. "Certain infrastructure are crucial in the case of war. It's very difficult to fight if you don't have electricity, or water supply," he said.

Two, governments need to rethink the importance of information sharing and collaboration across organisations, said Mr John Davis, federal chief security officer for IT firm Palo Alto Networks.

"When 9/11 happened, one of the reasons we were unable to see that coming and respond was because we couldn't connect the dots," said Mr Davis, a retired United States Army major-general with over a decade's experience in cyber policy.

After the Sept 11, 2001 terror attacks, the US government changed its policy on information from "need-to-know" to "need-toshare", a shift that started showing success on the battlefields in Afghanistan and Iraq, he said.

One aspect of Singapore's cyber security strategy will see a new Bill introduced next year that makes it a requirement for critical infrastructure operators such as banks and utility companies to not only meet cyber security requirements, but also share information on breaches expeditiously.

Even private companies have come to see the virtues of collaborating with the competition, said Mr Davis. Palo Alto and seven other cyber security firms came together in 2014 to form the Cyber Threat Alliance, pooling resources to raise the industry's overall awareness of advanced threats.

Three, the growing complexity and interdependence of IT products and services also requires governments to get policies right while anticipating future challenges, said Mr Suffolk, who was chief information officer for the British government.

Today's global supply chain has already made it impossible to trace the provenance of every component of an IT vendor's product; for example, 70 per cent of what is in Huawei's equipment "is not Huawei's", said Mr Suffolk.

But such relentless technological change also represents an opportunity for countries to develop a new competitive edge, said Dr Ben-Israel. He cited how Israel's investments in cyber security have already paid off handsomely since the country made it a priority sector in 2010. Its cyber security industry has seen a 400 per cent growth in five years, and Israel today commands a 10 per cent share of the US$60 billion (S$82.45 billion) global cyber market.

"Computers are not going to disappear from our lives - on the contrary, they're going to (be) a bigger and bigger part of our lives," he said. "That means that whoever controls this technology, can create a new economy."

A version of this article appeared in the print edition of The Straits Times on October 11, 2016, with the headline 'Call to rethink cyber security policies'. Print Edition | Subscribe