Mandatory Government Security Vetting for Personnel with Access to Singapore’s Critical Information Infrastructure
Ministry of Digital Development and Information
Summary
This question concerns whether the Ministry of Digital Development and Information will mandate centralised government security vetting for personnel with access to critical information infrastructure (CII) to mitigate insider threats. Mr Gerald Giam Yean Song asked what assistance the Cyber Security Agency gives private CII owners to verify the backgrounds of foreign nationals in sensitive technical roles, and proposed a tiered vetting system under which personnel with superuser or administrator access to core CII systems would undergo Government-led G50 security clearance, as public servants and Government vendors do. Minister for Digital Development and Information Mrs Josephine Teo responded that the Cybersecurity Act already requires CII owners to implement access management controls, monitor for anomalies and suspicious activity, and investigate any unauthorised activity they detect. She set out a "zero trust" approach: least-privilege access for every user, continuous verification that users only reach the parts of the system they are entitled to, and monitoring for attempts to exceed granted privileges, rather than reliance on upstream vetting, which she said is not a "silver bullet" because a determined actor will work to defeat a known vetting process. The Minister added that vetting measures are applied where relevant to particular types of access, but that the specific requirements are not disclosed publicly, since a clearly stated process becomes the easiest thing for an adversary to overcome.
Transcript
18 Mr Gerald Giam Yean Song asked the Minister for Digital Development and Information (a) whether the Ministry will introduce mandatory, centralised government security vetting for personnel with access to Singapore’s critical information infrastructure to mitigate insider threats; and (b) if not, how the Ministry ensures that current employer-led vetting of personnel, including foreign nationals, in sensitive technical roles is sufficiently robust against sophisticated state-sponsored cyber threats.
The Minister for Digital Development and Information (Mrs Josephine Teo): Mr Speaker, insider threats are just one of a multitude of threats facing our critical information infrastructure (CIIs). Under the Cybersecurity Act, owners of CIIs are required to put in place access management controls and processes to monitor for anomalies and suspicious activities in these systems. Upon detection of any unauthorised activity, CII owners are required to investigate such anomalies. These controls mitigate potential insider threats or any other threats.
The Government takes the cybersecurity of our CIIs very seriously. We will continue to review the standards we require and consider further enhancements that could be effective.
Mr Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song (Aljunied): I thank the Minister for the reply. I am asking more in terms of dealing with the issue upstream, in terms of vetting personnel. And given that many technical experts in our telco and energy sectors are foreign nationals, what specific assistance does the Cyber Security Agency provide to private CII owners to verify the backgrounds of such individuals? And could the Ministry introduce a tiered vetting system, where personnel with superuser or administrator access rights to the sensitive core areas of our CII must undergo Government-led G50 security clearance, just like public servants and vendors who access our Government systems?
Mrs Josephine Teo: Mr Speaker, if we are serious about mitigating against insider threats, we should not assume that any particular profile of someone who is able to access the system is more or less likely to commit nefarious activities. This is the first point I want to put across. You do not want to have a preconceived idea that this profile would necessarily be safer than another profile. If you want to be able to defend against as many insider threats as possible, you have to assume that every single person that has access to the system could pose an insider threat.
Second, we also do not assume that security vetting is a silver bullet. If a nefarious actor is determined to infiltrate the system and they know that there is a vetting process of some sort, then clearly, it would be an effort on their part to overcome whatever it is that would stand in the way of them clearing a vetting system. So, a vetting system is also not a silver bullet.
Thirdly, in cybersecurity, today we operate with the concept of zero trust, meaning that you decide how you architect the access controls, and you provide what is known as least privileged access: for every single one who has access to the system, you design the access controls in such a way that they only access what they are supposed to access in order to get the job done.
Then, you need to put in place a robust system so that you never trust, you always verify whether a user is accessing the part of the system that they should access.
Then, you need the system to monitor, to look at suspicious behaviour, whether there was a user that attempted to go beyond the access privileges that were granted. And you are very careful about who you provide more access to.
That is the approach that we take, rather than to think that just because we have done security vetting upstream, other controls are not as important; or since they have cleared vetting, then it is safe. We do not make that sort of assumption. Security by design means that you have all these multiple layers of defences in order to be able to guard against the cyber risk.
Mr Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song: I thank the Minister for her reply. I agree that we should not assume any of these things and we should not assume that just because someone is security cleared, therefore they are safe to continue using the systems.
But in this age of cybersecurity threats and Advanced Persistent Threats (APTs), should we not consider aligning the security clearance of our CII personnel, especially those with access to sensitive systems, with that of public servants? Because all our public servants have to go through this standard security vetting. Why do we not extend that to CII personnel as well?
Mrs Josephine Teo: Mr Speaker, I think I addressed the Member's question, which is that where it is useful and relevant to do so for certain types of cybersecurity accesses, yes, we do have measures in place to ensure that the persons accessing them fit the right conditions and we have no concerns.
But we do not publicly reveal all the requirements that we put in place, and that is for obvious security reasons. Because if it was so plain, if you state it so clearly that there is this particular process and once you clear it, that is it, then that becomes the easiest thing to overcome.
So, I take the Member's point. It is not the case that there is no vetting. It depends on what the activity is.