S’pore vulnerabilities are no different from those of other nations: Commissioner of Cybersecurity

Singapore’s Cyber Security Agency’s chief executive David Koh warned that in this realm, Singapore’s vulnerabilities are no different from those of any other nation.

Cyber Security Agency chief executive David Koh holds legal authority to investigate cyber threats and incidents.

ST PHOTO: CHONG JUN LIANG

  • Geopolitical tensions heighten cyber threats, potentially disrupting essential services in Singapore, warns CSA chief David Koh, emphasising vulnerabilities despite perceived security.
  • CSA partners with Google on Google Play Protect, extending cyber security to global citizens, and shares knowledge with ASEAN and Japan to support international rules.
  • Singapore businesses often pay ransomware despite advice, but legislation is not planned; instead, CSA will work with SBF to increase reporting and victim support.

AI generated

SINGAPORE – Cyber-threat levels have heightened amid geopolitical rivalries, with some states trying to coerce countries such as Singapore into taking or refraining from certain actions.

Singapore’s Cyber Security Agency’s (CSA) chief executive David Koh warns that in this realm, the Republic’s vulnerabilities are no different from those of any other nation.

“Train systems can be disrupted, power plants, water systems. It will move to a new dimension, where you will encounter real-world harms that will affect all of us,” he said.

Mr Koh, who is also the country’s first Commissioner of Cybersecurity, holds legal authority to investigate cyber threats and incidents, ensuring the continuity of essential services during cyber attacks.

“When we first started, the majority of threats were straightforward – web face defacements, DDoS (distributed denial of service) attacks. They were a bit more like digital graffiti,” said the former defence specialist in the armed forces, who has been CSA’s chief executive since its founding 10 years ago. July 18 marks its 10th anniversary.

These threats have grown in complexity as the economy has become more interconnected through the use of digital services. That means the agency has had to extend its umbrella, working with the private sector, to cover the man in the street.

For instance, in 2024, CSA partnered with Google to launch the enhanced fraud protection, a feature under Google Play Protect, which blocks malicious apps once detected. Google has since introduced the feature to places such as Brazil, India, South Africa, the Philippines, Thailand and Hong Kong.

Mr Koh said that such a partnership would have been unimaginable 10 years ago.

Today, besides chairing the United Nations’ Open-Ended Working Group on cyber security, Singapore is also passing on its knowledge to its Asean neighbours and countries such as Japan, which is in the process of passing cyber-security laws.

“It is in Singapore’s interest to support the international rules-based system; not just physical trade, but goods and services are increasingly also being transacted digitally,” Mr Koh said.

Countries justifiably want control of their national security and have different tolerance levels for personal data sharing, he said, noting that interoperability can still be achieved.

Singapore, Britain, Germany and Australia also co-lead the International Counter Ransomware Initiative.

Singapore businesses, despite CSA’s advice to refuse ransomware demands, routinely cave in, according to surveys. High-profile ransomware cases here in 2024 included those of law firm Shook Lin & Bok, the Jumbo Group and Mustafa. Recent polls by global security services firms Bitdefender and Sophos found that companies here are more likely than their global peers to keep silent about security breaches and pay up, and are less likely to negotiate the amounts.

But there are no plans to legislate ransomware reporting, which is now voluntary. “Cyber security, ultimately, is a risk management issue. It is not possible for us to mandate a standard of cyber security for everybody. It’s not a one-size-fits-all,” Mr Koh said.

Instead, the CSA hopes to raise reporting by working with the Singapore Business Federation to offer help to victims.

With 70 per cent of companies that support the country’s essential services coming from the private sector, the CSA has, over the years, evolved to assist businesses on security issues and work on training and professional standards.

From about 70 employees when it started, the outfit has since grown to a headcount of around 500.

Singapore was one of the first countries to establish a cyber-security agency and one of the first to have a Cybersecurity Act, which was enacted in 2018. The US, Britain, France and Australia were other leaders in the domain then.

CSA’s sphere now includes scams, national threats, cyber-security certifications and data security, which it works on with other government agencies, businesses and institutes of education and training.

Singapore ranks well in cyber maturity compared with many countries, but the issue is how it compares with a determined attacker, Mr Koh said, urging Singaporeans to play a part. 

“The weakest link can be the company that doesn’t patch its software, uses weak passwords, or the supplier in the supply chain who makes a mistake, who doesn’t take cyber security seriously. It could be the employee who clicks on the phishing e-mail, or the individual customer who comes in and has unsafe practices,” he said.

Sometimes, extra security comes with friction.

“You need to recognise that this is a trade-off between convenience and security. Sometimes, it also translates into a little bit more cost. We must be willing to pay this cost,” Mr Koh said.

Correction note: An earlier version of the story said CSA partnered with Google to launch Google Play Protect. CSA partnered with Google to launch the enhanced fraud protection, a feature under Google Play Protect.