Parties advised to review and strengthen cyber security measures

Website defacement, disruption and data theft and breaches were among the categories of threats observed in elections elsewhere. PHOTO: THE NEW PAPER

Political parties should appoint an individual to take charge of cyber security for the organisation, and consider appointing professionals to review and manage this area of operations, including dealing with any incident, the Cyber Security Agency and Elections Department said yesterday.

Cyber attacks have been launched to disrupt the election process in various countries, and the same could happen in Singapore during the next general election, the agencies added.

"Political parties and candidates are responsible for their own cyber security, and need to strengthen their cyber security posture, and take precautionary measures to protect their assets and online presence," they said in a joint advisory.

"This includes all IT infrastructure including any smartphone, computer and computing device, online and social media assets, as well as data storage and management."

Areas to review include knowing where and how data is stored, checking for and patching vulnerabilities promptly, and establishing capabilities to monitor for breaches.

The advisory highlighted three general categories of threats observed in elections elsewhere.


After gaining unauthorised access to a website, attackers may post graphic images or leave messages to express their views.

They could also bring down the site, or use it to put out false or misleading information that could affect the reputation of the party or its candidates.


Attackers could overwhelm a target server, service or network with a flood of Internet traffic in what is known as a distributed denial of service (DDoS) attack. This would make websites or network services unavailable to legitimate users, affecting a party's campaign efforts.

Attackers may also use ransomware to hold their victims hostage. Victims will be told to pay a ransom to access their files or computer systems. But there is no guarantee they will be able to recover their data, even if they pay up.

These attacks are usually carried out through phishing e-mails containing malicious attachments or links. Users could get infected if they open such attachments or links, or if they install pirated software which masks the ransomware in it.


Data can be stolen through various methods, many of which can involve gaining entry to the system through a phishing e-mail.

The stolen data may be sold by attackers or published to damage their victim's reputation. If passwords or account numbers are involved, they could use the data to launch more attacks.

Correction: The Cyber Security Agency of Singapore has since clarified that parts of its original press release were inaccurate.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on April 21, 2020, with the headline Parties advised to review and strengthen cyber security measures. Subscribe