SINGAPORE - Nations and organisations need to assume that their systems have been breached in order not to be caught off guard when a cyber attack actually happens, panelists at a cybersecurity summit in Estonia said on Tuesday.
Russia's sudden attack on Ukraine brought this principle to the fore, said Singapore's Communications and Information Minister Josephine Teo at the discussion on Paradigms of Trust in Cybersecurity amidst Global Conflict at the Tallinn Digital Summit.
"The turn of events has just demonstrated to us how (real) the risks are," said Mrs Teo, who is also Minister-in-charge of Smart Nation and Cybersecurity.
"We should practise zero trust in how we defend our systems and assume we have already been breached. This is significant because it changes the way we think about our priorities. It means we will also have equal focus on recovery," she added.
But with rapid digitalisation over the past few years, the world is still in catch-up mode when it comes to securing digital assets.
This requires action that she summed up in three Cs:
• Clarity of national roles and responsibilities for cybersecurity;
• Capacity to take legal action under a cybersecurity law; and
• Capabilities in the population to act.
Another panelist, Chilean senator Kenneth Pugh, said that while there needs to be zero trust that investments in cyber security solutions have provided enough cover, there is a need to have trusted connectivity across the globe to deliver better protection against cyber risks.
Said Mr Pugh: "In cybersecurity, you do not compete. You collaborate. Everybody shares information (about) vulnerabilities, especially the zero-days vulnerabilities."
A zero-day vulnerability is a flaw in a system that has been disclosed but not yet patched.
Cyber war does not respect boundaries, requiring international cooperation, stressed the panel.
"Cyber criminals or state actors will attack the weakest, not the strongest. So we have to be strong together," said Mr Roberto Viola, director-general of the European Commission's department for communication, networks, content and technology.
The remaining panel members were Mr Iurie Turcanu, Moldova's Deputy Prime Minister of Digitalisation, and Mr Janusz Cieszynski, Poland's Secretary of State and Government Plenipotentiary for Cybersecurity.
Meeting with Singapore reporters through a video link after the session, Mrs Teo was asked whether the recent attacks on Singtel's two Australian subsidiaries - mobile operator Optus and tech consulting firm Dialog - deliberately targeted the Singapore telco.
"The Australian Cybersecurity Agency is in close discussions with Optus and we must let them complete their investigations at the appropriate time," she said.
On Monday, Singtel said the hack on Dialog, which it bought earlier in 2022, might have compromised the data of fewer than 20 clients and 1,000 current and former staff.
The revelation about Dialog's attack came a month after Optus said it had suffered a massive security breach exposing the details of 9.8 million former and current customers. These include customers' names, dates of birth, phone numbers and e-mail addresses. Singtel said there was no evidence that the two recent incidents were linked.
Mrs Teo said: "The important thing is to consider what lessons can be drawn from the incident. Always ask ourselves: 'What is it telling us that we didn't know before? And what must we do better in our own cyber security?'"