SINGAPORE - Cyber criminals can find vulnerabilities and breach any organisation's IT system given enough time, and current protection measures are insufficient.
To counter this, the Government and industry players need to work together on collective systems that share information to continually learn and prepare defences, said the former director of America's National Security Agency (NSA), Mr Keith Alexander, on Monday (Nov 12).
He was testifying before the Committee of Inquiry (COI) looking into the SingHealth cyber attack, in which hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.
"The threats we face exceed the defences that we have... we need to up the game on the defence and the defences have to grow quickly," said Mr Alexander, who is now chief executive officer of IronNet Cybersecurity.
In a submission to the COI, he said that cyber security has thus far been approached through an individualistic lens. The sharing of information is done only after malware has been detected, due to liability and public image concerns.
But collective cooperation is needed for the cyber security of all sectors, including healthcare, he added.
"It is ironic that the network and associated devices have become the biggest technological advances of our time, yet we don't use a network to defend a network," Mr Alexander said in his report, referring to the links between different stakeholders that could be used to bolster cyber defence.
Mr Alexander called for cyberthreat exercises involving different sectors and between the Government and industry players.
He stressed the need for a system that can analyse behaviour and raise alerts on suspicious activity to identify online threats, which will make collective defence a possibility.
For instance, if an unauthorised user makes repeated requests for a particular patient's data or for data from a large number of patients, a system should be in place to detect this.
"An effective and tested behavioural analytic capability produces a wealth of events that can be shared in a collective defence strategy at network speed," he said.
During the hearing, Solicitor-General Kwek Mean Luck, who is leading the inquiry into Singapore's worst cyber attack, asked if such behavioural analytical tools were already commercially available.
These tools are already out there, said Mr Alexander, but many companies do not always accurately state the limitations of their products. The solution is to run these tools through comprehensive and effective testing and emulation programs.
Mr Alexander was also asked about the use of two-factor authentication and its potential to be used in the healthcare sector - a suggestion that the COI has heard from other experts in previous sessions.
"It can and should be used, especially in sensitive data transactions, and should be considered for the healthcare sector here," he said.
Mr Alexander was speaking during the COI's third tranche of hearings, which is expected to end on Thursday (Nov 15).
The next expert scheduled to go before the committee is Associate Professor James Yip, the group chief medical informatics officer of the National University Health System (NUHS).