'Zero trust' approach to beefing up govt cyber defences

Singapore's new cyber-security strategy seeks to beef up cyber defences and ensure government systems are secure.
Singapore's new cyber-security strategy seeks to beef up cyber defences and ensure government systems are secure.ST PHOTO: KELVIN CHNG

SINGAPORE - The Republic's new cyber-security strategy launched on Tuesday (Oct 5) has spelt out a "zero trust" method in protecting government applications and information technology systems by verifying that all activities on them are safe.

The approach assumes that all the activities are dangerous from the get-go, even if they appear to be from legitimate government users.

Work on implementing this started last year, said the Government Technology Agency (GovTech).

One example of this in action is requiring users and computing services to prove their identities – by using usernames, passwords and biometric data to sign in, for instance – before they can access information.

But this needs to be corroborated with other factors, such as their locations and who owns the devices being used, before access is given.

To complement this, a new Government Cybersecurity Operations Centre will also begin work to do real-time online monitoring to allow the public sector to swiftly thwart cyber threats, said the Cyber Security Agency of Singapore (CSA).

It is expected to be fully operational in the middle of next year and will be manned by GovTech.

"We hope that the Government's risk-based approach towards cyber security can serve as a guide for other organisations and enterprises looking to strengthen their cyber-security posture," said CSA.

This comes amid the digitalisation of public services, as well as serious cyber attacks in recent years.

They include Singapore's worst data breach in 2018 when 1.5 million SingHealth patients' data, including Prime Minister Lee Hsien Loong's, was stolen.

In July this year, hackers exploited a previously unknown bug in software from Kaseya, a United States firm that helps other companies manage their IT networks.

The crooks used the software to launch ransomware attacks on 1,500 businesses globally. Ransomware locks up digital files until the cyber criminals are paid.

To try and mitigate such threats, Singapore's new cyber-security strategy, announced by Senior Minister and Coordinating Minister for National Security Teo Chee Hean on Tuesday, seeks to beef up the public sector's cyber defences and ensure government systems are secure.

Some steps include putting in place tailored measures to safeguard various public-sector infocomm technology and smart systems, based on factors such as how critical they are, and how sensitive the information involved is - to balance between security and business requirements.

For example, less sensitive government IT systems could be hosted on commercial cloud environments, with virtual fences put up to try and prevent classified information from being exposed.

The Smart Nation and Digital Government Group is advising public agencies on implementing these tailored measures and deploying chief information security officers across the Government to help.

The public sector also conducts regular tests on government systems to find vulnerabilities so they can be fixed early.

Beyond using technology, the Government is planning to keep its officers' cyber-security skills up to date.

"As we become more reliant on digital systems, the Government must ensure that public officers are well equipped with the skills and knowledge to keep themselves cybersafe," said CSA.

These include developing a framework to help guide public-sector cyber-security specialists on the skills they need.

GovTech’s Digital Academy launched in June will also, among other things, provide customised cyber-security training for public officers in infocomm technology and smart systems.