SINGAPORE - State agencies did not hack Workers’ Party (WP) chairman Sylvia Lim’s iPhone, said Home Affairs and Law Minister K. Shanmugam in Parliament on Friday (Feb 18).
He also said he did a quick check with the Defence Ministry’s Security and Intelligence Division and added that the Home Affairs Ministry would be interested to see the alerts Ms Lim received on her phone and find out who is trying to “get into her phone”.
Mr Shanmugam’s response came after an exchange between Ms Lim (Aljunied GRC) and Minister of State for Home Affairs Desmond Tan, who was responding to a question from Mr Leon Perera (Aljunied GRC) on the Government’s use of spyware.
Ms Lim said she had received a threat warning from Apple suggesting her iPhone could have been subjected to hacking.
She said: “Not long ago, I received a threat warning from Apple informing me that it could be that my iPhone has been the subject of hacking by state-sponsored attackers, and they also said it is likely to be so because of who I am individually or what I do.
“So based on what the Minister of State said just now that reliance on technology is required for national security reasons, can I get his confirmation that I should have absolutely no concerns that the Singapore government agencies are trying to hack into my phone?”
In his response, Mr Shanmugam said if Ms Lim was serious about finding out if her phone had been hacked and by whom, the proper way to do it is to approach MHA, which will do a thorough investigation, he said.
“If you raise it in Parliament, then we must assume the intention is to publicise the fact rather than actually get to the bottom of it, and it’s obvious then why it’s made public,” he added.
He also asked to see the Apple notification, and whether it was a general notification sent to several people or a specific one only sent to her phone.
If it was only to Ms Lim, MHA would be extremely concerned since the warning was about a hack involving a state-sponsored agency, he said.
Ms Lim is an MP, and all MPs are potential targets, Mr Shanmugam added.
He said: “MPs are high-value targets for foreign agencies. As our own experience and the experiences of other countries have shown, even as late as last year in Australia.”
While Mr Shanmugam did not cite specific incidents, last December, reports emerged that about 10 years ago, Australian intelligence officers had discovered that the country’s telecommunications system was breached after a software update “loaded with malicious code” from Chinese technology firm Huawei.
This allowed “private communications and information that could be used to target specific people” to be recorded and sent to China, a Bloomberg report said. The discovery was reported to the United States and is said to be a key reason why the US has been wary of Huawei.
Huawei refuted the claims in Bloomberg’s report.
The company clarified that its equipment does not have malware, and that it has robust measures to ensure software updates that have been tampered with cannot be uploaded or installed.
Huawei said it has no means of accessing an operator’s networks without their express written permission too. The claim that Huawei’s software updates can push any code at any time without anyone knowing “is simply not true”, the company said.
Huawei also has measures to manage its engineers and said its service engineers cannot access or compile source code.
Mr Shanmugam said: “It is the duty of our security agencies to be very aware of whether MPs or ministers or senior civil servants or those around them or their families are being approached or suborned, and it is in the interest of Singapore and the security of Singapore that state agencies are on top of the game.”
Mr Perera, a WP MP, had asked whether the Government uses spyware from Israeli company QuaDream and if it has deployed the spyware or other spying technologies in Singapore.
This was on the back of a report early this month by Reuters that QuaDream, which develops smartphone hacking tools intended for government clients, counted the Singapore Government as one of its first clients. The Government did not reply to queries by Reuters on the matter at the time.
Responding to Mr Perera, Mr Tan said: “For obvious reasons, the Government cannot and should not discuss specifics on any operational aspects or capabilities regarding our national security.
“One of the most critical responsibilities of the Government is to keep Singapore safe, secure and sovereign.”
He added that the Government has to deal with serious national security threats to the country such as terrorism, foreign subversion, espionage and interference.
“To this end, agencies charged with the mission of safeguarding national security necessarily have to rely on a range of intelligence capabilities, including harnessing technology.”
Mr Tan suggested that Ms Lim make a police report if she has any concerns regarding what happened to her iPhone.
Meanwhile, Ms He Ting Ru (Sengkang GRC) on Friday asked in Parliament if there was an update on the Cyber Security Agency’s (CSA) investigations into local cyber-security firm Computer Security Initiative Consultancy (Coseinc).
CSA had looked into the firm after it was blacklisted by the US Department of Commerce in November for allegedly selling hacking tools that were used against individuals and organisations worldwide.
Other firms also blacklisted included Israel’s NSO Group and Candiru, which were accused of developing and supplying the Pegasus spyware.
Pegasus could remotely tap smartphones and has been used against government officials, journalists and activists internationally.
Ms He also asked if the Government has procured services or products from Coseinc and, if so, what was the nature of the contract awarded to the firm.
Senior Minister of State for Communications and Information Janil Puthucheary said people in the US who want to export, re-export or transfer items the US regulates to Coseinc must first get a licence from the US government, since the firm is on the US’ list.
Dr Janil, who is also Senior Minister of State for Health, said Coseinc’s offerings include cyber-security training courses. The firm is also one of the many vendors to provide training services to the Government under standard contractual terms.
“CSA found no evidence that Coseinc had breached cyber-security laws in Singapore,” he said. “Companies found to have contravened our laws and regulations will be dealt with in accordance with the law.”
This report has been edited for clarity