Formed in 2015, the Cyber Security Agency (CSA) of Singapore is the national body overseeing cybersecurity strategy, industry development, outreach and education. We spoke to David Koh, Chief Executive Officer of CSA, to discuss Singapore’s cybersecurity landscape, the global shortage of cybersecurity manpower and regional partnerships.
Tell us about CSA's work and role.
The Cyber Security Agency of Singapore (CSA) provides dedicated and centralised oversight of national cyber security functions, and works with sector leads to protect Singapore’s critical services. It also engages with various industries and stakeholders to heighten cyber security awareness as well as to ensure the holistic development of Singapore’s cyber security landscape.
CSA monitors the threat landscape and issues advisories to alert organisations and the public of threats and vulnerabilities, as well as the security measures that can be taken. We also work closely with industry partners, as well as the critical information infrastructure sector leads, to facilitate the sharing of cybersecurity information. In the event of a cyber-threat or incident, the Singapore Computer Emergency Response Team (SingCERT) in CSA will advise on the appropriate mitigation measures that should be taken, and if necessary, provide assistance to affected businesses or members of the public.
Why is Singapore an attractive target for cyberattacks and what kind of attacks is the country currently facing?
Given Singapore’s reputation as a commercial hub and its high connectivity, Singapore is an attractive target for cyber criminals. Statistics from the police further confirm this; the total number of e-crimes, including e-commerce crimes, credits-for-sex and Internet love scams, had almost doubled from 2014 to 2015. The frequency and sophistication of cyber threats have also increased with almost 40 million new malware samples being discovered every quarter in 2015. In Singapore, banking malware remains a prevalent threat given the high number of mobile and internet banking users. The malware is spread primarily through malicious emails or advertisements. Once the victim's computer or device is infected with the malware, it will attempt to steal his/her banking credentials (such as User ID, PIN, OTP from SMS or iB Secure Device, etc.) by altering the login flow of the internet banking site.
Another prevalent threat is business email fraud where the sender of the email pretends to be the CEO or a trusted vendor. Unsuspecting victims have fallen for this scam as they recognised the names and were quick to respond, but without first checking if the sender is indeed who he/she claims to be. Lastly, a threat that is of increasing concern is ransomware. Ransomware is a type of malware that denies a user access to the files residing in his/her computers unless a ransom is paid. Besides encrypting the files on the computer(s), the malware can also travel across the network and encrypt any files located on shared network drives. Once the files are encrypted, the victim will be informed that the encrypted files or computer can only be decrypted if the ransom is paid. Globally, the number of ransomware cases has been increasing significantly, and this upward trend applies to Singapore.
What’s your strategy and approach to cybersecurity for a highly connected city such as Singapore?
We have developed Singapore’s cybersecurity strategy which was recently launched by Prime Minister Lee Hsien Loong at the opening of the inaugural Singapore International Cyber Week in October 2016. The Strategy will underpin Singapore’s Smart Nation aspirations and act as an enabler for its economy and society, while enhancing its standing as a trusted digital hub.
The Strategy sets out Singapore’s vision, goals and priorities in cybersecurity and outlines the country’s commitment to build a resilient and trusted cyber environment for Singapore and Singaporeans. It outlines how Singapore will continue to strengthen the resilience of the country’s cybersecurity and was developed after a consultation process with 50 stakeholders over the past year. These are mapped out in four pillars - namely Building a Resilient Infrastructure; Creating a Safer Cyberspace; Developing a Vibrant Cybersecurity Ecosystem; and Strengthening International Partnerships.
The cyberspace is too vast for any one single entity to defend. Hence, we are also looking to promote a culture of collective responsibility for cybersecurity, and this means the government, businesses and the man on the street as well as the wider community will have a part to play in keeping cyberspace safe.
Cyber security must be designed from the beginning and not as an afterthought. CSA works closely with the Smart Nation Programme Office to co-create security measures in smart nation initiatives. These include guidelines-based architecting and pilot cybersecurity solutions to strengthen emerging platforms.
What do you think is most lacking in today’s cybersecurity landscape that needs to be addressed?
There are numerous challenges in the cyberspace. In particular, we are experiencing a global shortage in manpower for cyber security. The number of cyber security professionals in Singapore is insufficient. According to the Annual Survey on Infocomm Manpower 2015 conducted by IDA, the demand for cyber security professionals in Singapore has doubled, from 2,300 in 2014 to 4,700 in 2015. About 1,000 vacancies were unfilled. The demand for cyber security professionals will continue to increase with an estimated demand of 7,200 in 2018 and 9,700 in 2021.
We are looking at ways to augment the manpower shortage through workforce development initiatives such as the Cyber Security Associates and Technologies (CSAT) programme, the introduction of CREST certifications in Singapore, a Professional Conversion Programme (PCP) for aspiring career switchers and a review of salaries of engineers in the public service. The CSAT programme will facilitate professionals in related fields to be trained and upskilled for cybersecurity roles. Professionals who participate in the CSAT programme will be able to acquire Cyber Security competencies through courses and On-the-Job Training. The PCP is designed to equip career switchers that aspire to become cyber security professionals with the necessary skills to enter the profession. Participating companies will employ the trainees before commencing the PCP training which includes classroom and workplace training.
CSA has also been working closely with Institutes of Higher Learning (IHLs) and industry partners to ensure that the courses offered by IHLs are of optimal relevance to industry needs. These include ensuring that students develop practical skills and gain hands-on experience through industry-oriented projects during their course of study. CSA has been in discussion with the Singapore University of Technology and Design and Singapore Polytechnic to develop their cyber security degree curriculum. In addition, to ensure that cybersecurity courses offered by IHLs are relevant and are in accordance with the National Infocomm Competency Framework, CSA works with GovTech to review and endorse these courses.
We see a need to elevate the status of the cybersecurity profession into one that is well-respected. We need to strengthen the branding of the cyber security profession especially amongst youths, for example by providing overseas scholarships for promising students. At the corporate level, we are also encouraging larger companies to define apex cybersecurity positions at the C-suite level. This is in recognition of the fact that boards and senior management need to take into account cyber security at enterprise level given that cyber security impacts the entire organisation and is no longer just a domain solely for the CIOs. To do so, CSA will work with industry partners to conduct C-suite education as well as reach out to SMEs.
How can governments work together to create a more secure cyberspace?
The borderless nature of cyber threats means that to tackle them effectively, countries need to work closely together. Singapore continues to work with like-minded countries and partners to strengthen collaborations in cyber security. This includes exchanges on cyber security operations and policy, CERT-CERT information sharing and drills as well as exchange of best practices in areas such as cybersecurity standards and manpower development. To date, we have established partnerships with our counterparts in France, India, Netherlands, UK and the US.
To foster greater partnerships amongst our local and international counterparts, we organised the inaugural Singapore International Cyber Week (SICW) from 10 to 12 October this year. The event brought together thought leaders, policy makers, cyber security professionals and innovators from around the world with the common goal to develop a secure and resilient digital future. Over 5,000 attendees from close to 50 countries took part in SICW conferences, forums and exhibition, and SICW received the strong support of about 200 sponsors and participating organisations.
We also convened the inaugural ASEAN Ministerial Conference on Cybersecurity (AMCC) during SICW 2016 which saw the attendance of ministers and senior officials from all 10 ASEAN Member States. At the Conference, ASEAN Ministers and cybersecurity principals agreed on the value of developing a set of practical cybersecurity norms of behaviour in ASEAN. These norms contribute towards ensuring a secure and resilient cyberspace which is a crucial enabler for ASEAN Member States to harness digital technologies to achieve economic progress and improvement of living standards across the region. We are excited to kick-start this process of discussions with our ASEAN partners and look forward to taking these discussions to the next level.