It was only last year that the personal particulars of 1.5 million SingHealth patients — including that of Prime Minister Lee Hsien Loong’s — were compromised.
Dubbed the "most serious breach of personal data” in Singapore’s history, investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that the high profile cyber attack on SingHealth’s network was a “deliberate, targeted and well-planned cyber attack”.
But the authorities are unwavering in their constant efforts to rise up to the challenge of battling cyber threats so that history will not repeat itself. And this calls for innovative solutions to tackle the evolving landscape of cyber threats.
Mr Desmond Hsu, director of local start-up oneKIY, suggests a two-pronged approach — an overall cyber security system to protect the hospital data, paired with personalised data encryption “keys” that are held by each individual. His company’s innovation is the KIY (Keep It Yourself) security system, an advanced user-controlled physical security key that is built to safeguard an individual's information and data.
He explains: “In this way, patients’ data will not be compromised in a single attack; the attacker instead has to infiltrate the second layer of security but can only attempt to access personal data one record at a time because everyone’s security is separated and independent.”
Mr Wahab Yusoff, vice-president (Asia) of Forescout Technologies, notes that IT environments are getting more complex with a growing number of devices or end points — each representing a risk — connected to an organisation’s network. By next year, 50 billion devices globally are expected to be connected to the Internet, up from 700,000 two decades ago.
His company’s innovative cyber security platform enables users to “see” devices the instant they connect to the network, control them and orchestrate information sharing and operation among disparate security tools.
“It is essential for organisations to gain complete and reliable visibility into what these devices are and where they are connected, across the business location, data centre, cloud and operational technology networks,” he says. “Continuous visibility can help safeguard and prevent breaches by identifying non-compliant or risky devices so that the appropriate preventive or remedial action can be taken.”
Evolving landscape of cyber threats
According to the CSA’s Singapore Cyber Landscape 2018 report, cyber threats are growing in scale and sophistication. It is clearly no longer a question of “if”, but rather “when” an attack will happen, says Commissioner of Cybersecurity and Chief Executive of CSA David Koh.
Last March, an unidentified United States-based service provider was hit by the largest Distributed Denial-of-Service (DDoS) attack ever recorded at 1.7 Tbps — the equivalent of streaming 850,000 ultra-high-definition videos at the same time. In a DDoS attack, the victim is bombarded with incoming web traffic from potentially hundreds of thousands of sources.
Even the Opening Ceremony of the PyeongChang Winter Olympic Games last February was a target. The incident was attributed to an Advanced Persistent Threat (APT) group based in Asia that disrupted Internet access and telecasts, and shut down websites covering the event. Often associated with a nation-state, APT groups have access to many resources and possess deep expertise to achieve their objectives of causing disruption, cyber theft for financial gain, conducting cyber espionage, and more.
Threats can also take the form of seemingly safe sites. Last year, 2,450 phishing Uniform Resource Locators (URLs) were observed using “HTTPS” (commonly associated with secure websites). This is more than a tenfold jump from just 200 of such URLs the previous year.
Companies in the banking and financial services, technology and file hosting services made up almost 90 per cent of spoofed companies last year. In Singapore, websites of Government organisations such as the Singapore Police Force were commonly spoofed to steal personal and financial data from victims.
Cyber criminals without programming knowledge can even “rent” ransomware that can be customised. Adversarial artificial intelligence technologies are also being leveraged to deceive cyber security applications that rely on machine learning, thus bypassing malware detectors.
In light of this, Mr Koh feels that cyber security solutions need to be developed quickly to address current and anticipated threats.
He says: “Cyber security is a fast-moving field. The attackers are constantly innovating and evolving. So we have no choice — we have to innovate as well; and as quickly as the attackers. We need our best minds and from different backgrounds — government, industry and academia — to work together on this challenge.
“If we can succeed in innovating for cyber security, then Singapore will be well-placed to strengthen our competitiveness in this area globally.”
Laying the groundwork
With the Cybersecurity Act in place since last year and the launch of various initiatives such as the Industry Call for Innovation, Smart Nation Scholarship, and the establishment of the $30 million Asean-Singapore Cybersecurity Centre of Excellence, Singapore shows its commitment to the establishment of a rules-based international order in cyberspace and strong support of nurturing a vibrant cyber security ecosystem.
CSA, too, is behind programmes and partnerships with industry and academia, such as the Innovation Cybersecurity Ecosystem @ Block 71 (ICE71) that was established in 2018 as the region’s first cyber security entrepreneur hub. Platforms, like the Singapore International Cyber Week (SICW), also serve to bring together industry players and cyber security solution providers to address industry challenges.
Mr Hsu says that with the help of the ICE71 Accelerate community and partners such as CSA, the Infocomm Media Development Authority, Singtel Innov8 and NUS Enterprise, oneKIY was able to get to the forefront of technology and gain valuable exposure. Part of the initiative’s second cohort, oneKIY went through a three-month accelerator programme, in addition to receiving capital funding and access to a co-working space with like-minded early-stage cyber security start-ups.
ICE71 provided training so the oneKIY team could develop better pitches for bigger impact; Mr Hsu and his colleagues also gleaned valuable advice and insights from investors and a lawyer.
Another recent initiative includes CSA’s Co-Innovation & Development Proof-of-Concept (POC) Funding Scheme, which supports the co-development of innovative cyber security solutions between solution providers and committed cyber security end-users with up to $500,000. The POC grant, now in its second round, was launched last year in tandem with the first Cybersecurity Industry Call for Innovation.
One of the POC 2018 awardees is Attila Cybertech, which test-bedded an Anomaly Detector and Protector of Industry Control System (ICS). The smart innovation uses machine learning to monitor and analyse the ICS network in real-time for any anomalies.
Says chief executive officer David Ong of Attila: “If sufficient warning is given, operators can avoid costly unscheduled shutdowns such as that of train and water supply systems, or blackouts.”
Attila is also one of the founding members of the Singapore Cybersecurity Consortium, which was created for engaging industry, academia and government agencies to encourage use-inspired research, translation, manpower training and technology awareness in cyber security.
Also noteworthy is the National Cybersecurity R&D Programme (NCR), which was launched in 2013 to develop research and development expertise and capabilities in cyber security for Singapore, and improve the trustworthiness of cyber infrastructures. With a total of $190 million in funding available, NCR is poised to support research efforts into technological and human-science aspects of cyber security until 2020.
Ensuring security by design
However, ideas, no matter how good they are, cannot exist on their own.
Mr Koh of CSA explains that innovation must produce an outcome that is operationally useful and transforms the way things are done in order to be more effective and sustainable.
He adds: “In the product development cycle for IT hardware and software, developers must consider Security-by-Design, where cyber security measures are considered early in the design stage. This will enable products to be secure at the start, rather than for any piecemeal add-ons to be made later.
“Increasingly, products are judged based on the security they provide, and this presents opportunities for developers who are at the forefront of the game.”
Although the approach of nipping cyber security vulnerabilities in the bud can largely reduce cost, as compared to mitigating such risks at a later stage of the system development lifecycle, Mr Ong of Attila says that in practice, this is easier said than done.
“Many stakeholders are involved at many stages of the development lifecycle, which could result in higher cost and longer project duration,” he says, adding that implementing Security-by-Design is challenging and requires the system owner and users to be motivated by the need to comply with regulations or insurance companies, or both.
Recognising this hurdle, CSA published the Security-by-Design framework in 2017 to guide Critical Information Infrastructure owners through the process of incorporating security into their Systems Development Lifecycle process. It also provides a Security-by-Design Framework Checklist as a quick reference guide on its website.
Internationally recognised certification can now be issued in Singapore
There are plenty of opportunities for innovation in Singapore. In August, it was announced that global and local companies are welcome to partner the Government, with Singapore as their base to experiment and trial innovative 5G mobile network use cases. That same month, 13 deals were inked with Chinese companies to cooperate on using digital technologies in education, manufacturing and telecommunications.
As such innovations need to be sustainable and secure to go the distance, innovators can get their products evaluated and certified based on international cyber security standards to help them stay competitive. These standards refer to Common Criteria (CC). CC, also known as ISO/IEC 15408, is the de facto technical standard adopted internationally by both governments and the industry for the evaluation and certification of cyber security products.
Previously, companies seeking CC certification could only do it via overseas evaluation labs. This took more time and money, due to the different time zones and the need to fly a foreign Certification Body representative to Singapore for an on-site audit. But since Singapore attained the status of a certificate authorising nation in January, companies here can now apply for CC certification through the Singapore Common Criteria Scheme (SCCS). As a Certificate Authorising Nation, Singapore ensures product evaluation conforms to the strict requirements of the CC standards. At the same time, the Singapore Common Criteria Scheme will support the growth of our local secure tech ecosystem and the product evaluation and certification industry in the region.
To ST Engineering’s Electronics sector, this signified the Government’s intent and support in levelling up the general security of information and communication technology products, as well as facilitates access not just to overseas markets for export, but also to state-of-the-art products and technologies.
Its entire certification journey was laborious and took nearly 20 months to complete in 2016. Today with SCCS, the duration is halved, with estimated cost savings of about 20 to 30 per cent compared to if the certification were to be done in Europe, says Mr Goh Eng Choon, general manager of Info-Security, Electronics, ST Engineering.
One such facility that can now carry out CC certification here is UL’s Cybersecurity Center of Excellence. It is the only one in the Asia-Pacific region that can provide on-site testing for both CC and EMVCo (a payment standard), among other cyber security capabilities serving the payments, mobility, smart home, smart building, smart healthcare and industry 4.0 ecosystems, says Mr Anthony Tan, UL’s vice-president and managing director (Australasia and Asean).
UL is also working with Interpol in the areas of counterfeiting, cybercrime and IP protection, and there are hopes to expand this expertise to the region, in collaboration with CSA and the Interpol Global Complex for Innovation.
“Strengthening our nation’s resilience in cyber security will create a safer cyberspace, a thriving digital ecosystem. This leads to the forging of international partnerships and maintaining of good relationships with other CC authorising and consuming nations,” adds Mr Arkadiusz Czopor, managing director of T-Systems Asia South, which is another approved evaluation lab.
He adds that on top of CC evaluation, T-Systems hopes to collaborate with key institutions such as CSA to co-develop new Protection Profile for new technology in the CC arena, with the aim to contribute to Singapore’s push to become the cyber security hub for Asia.