Assessment of Whether Leaked Classified US Military and Intelligence Documents Relate to Singapore

16 Mr Alex Yam asked the Minister for Defence (a) what is the assessment of the purported leak of top secret security documents in the US; (b) whether any of the information relates to Singapore; and (c) how does the Government reduce the risk that sensitive discussions or information is leaked or spied upon.

17 Mr Gerald Giam Yean Song asked the Minister for Defence (a) whether any of the apparently classified US military and intelligence documents that appeared online addresses Singapore; (b) how does the Government ensure that information and intelligence that it shares with other countries are not compromised by those countries; and (c) in the event of a leak of information, whether the Ministry has damage assessment and mitigation protocols in place to protect related sources, information and intelligence.

The Senior Minister of State for Defence (Mr Heng Chee How) (for the Minister for Defence): Mr Speaker, may I have your permission to answer Question Nos 16 and 17 together?

Mr Speaker: Yes, please.

Mr Heng Chee How: Thank you. Mr Speaker, with regard to the incident highlighted in the Members' questions, no classified information from Singapore has been reported or detected so far. There were two pieces of information related to the Ministry of Defence (MINDEF) contained in those "leaks", but they are not sensitive and they are information that is already in the public domain, namely, that the Singapore Armed Forces (SAF) uses the SPYDER air defence system and that a British Defence Singapore Support Unit is located in Sembawang to provide support services to visiting vessels from Australia, New Zealand and Britain as members of the Five Power Defence Arrangements.

The need to protect our secrets is paramount and is a perennial preoccupation of MINDEF and SAF. As the dictum goes, "loose lips sink ships" and even our country, too, if the plans and capabilities of SAF are compromised and our defences weakened.

Guarding our secrets securely requires a systemic approach and layers of safeguards, both physical and virtual – something that all defence establishments and militaries put into place to prevent leaks of important and vital information. I will assume that the Members' questions relate more to protecting information online and will not deal with the protection of physical assets.

At the highest level of security, highly classified information is stored in air-gap systems with only internal connectivity and strict protocols for access and monitoring. This keeps the information secure but there is always a trade-off which impacts on efficiency for the organisation. Apart from productivity, classified information needs to be shared when plans are reviewed or when dealing with quick cycle events where information is needed expeditiously. All defence organisations face this conundrum through levels of classification, in order to strike that balance between protection and utility.

When dealing with external parties or external partners, whether they be commercial or government-to-government, there are agreements for protection and handling of classified information and mutual obligations to protect both parties' classified information. But there is a limit despite these agreements in which MINDEF/SAF can control or compel standards of protection in their systems. Therefore, their security standards form an integral part of the assessment when MINDEF awards contracts. In some cases, companies assessed to have inadequate security standards have been dropped from consideration even when their products may be superior or competitively priced.

In all systems, even ones with the most stringent protection, humans are a potential source and cause for leaks. Attempts to enter into secure systems by exploiting the vulnerabilities of selected individuals with access, using phishing emails or other means are an everyday occurrence. Proactive steps are taken to educate our personnel to mitigate against this vulnerability. MINDEF/SAF has also a cyber-monitoring centre that is stood up to detect malware and other threats posed online.

When security breaches occur, there are established processes in place to thoroughly investigate and ascertain the information compromised and the extent of the damage incurred. The causes of the breach are also examined, and mitigating or improvement measures will be implemented, as necessary.

Mr Speaker: Mr Alex Yam.

Mr Alex Yam (Marsiling-Yew Tee): Mr Speaker, two clarifications.

In the incident in the United States (US), the access to the classified documents was by relatively low-ranking individuals within the service. How does the Ministry/SAF ensure that personnel who have access to classified documents in Singapore are properly and regularly vetted to prevent any leak of information? And how do the agencies continue to ensure that there is no untoward or unauthorised access, retention or removal of information, such as the incident that we saw in the US?

Mr Heng Chee How: Mr Speaker, I thank the Member for his supplementary questions. I think the start point is the acknowledgment that our systems, like systems everywhere, can be vulnerable to exploitation, either technologically or through human intervention. So, we must, therefore, develop systems in order to secure ourselves the best we can and part of that would include constant 24/7 monitoring to pick up abnormal patterns of behaviour and to be able to then react quickly to them and effectively.

On the human front, as I explained in my answer, this is also an acknowledged source of vulnerability. And as the Member himself has also mentioned, there is a system of vetting and re-vetting. And this happens not only with incumbents periodically, but also whenever there are changes of personnel who are to be granted access to classified information. It is not foolproof, I agree, but, at the same time, we do it very systematically and rigorously to make sure that, to the extent possible, we take down that risk. At the same time, we constantly emphasise on reminding, educating, as well as emphasising the consequences of breaches to all related personnel, so that everybody knows that this will not be tolerated and the full force of the law will be applied when there are breaches.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim (Aljunied): Thank you, Speaker. Two supplementary questions for the Senior Minister of State.

To the best of my recollection, this is probably at least the third time where confidential or information shared with the US government has been leaked. I think we know of the earlier Wikileaks episodes and this is the third time.

So, my question is whether our Government has made changes in the way that it communicates any sensitive information with the US, or other governments, to minimise the risks of such leaks?

And the context of that is that in 2011, in the wake of Wikileaks, I had asked the then-Foreign Minister George Yeo about whether we would change the way we communicate on the diplomatic front and he had said that "Well, we have to because if it happens once, it will happen again". So, my question is whether the Government has actually changed the way it communicates information, especially sensitive information, with the US or other governments?

The second question is, it was reported in this recent incident that information from ST Electronics was also leaked, and that is, of course, not a Government department as such. So, does the Government actually work with such entities that may have sensitive information, to minimise the risks of such information wrongly getting out in the public domain?

Mr Heng Chee How: Mr Speaker, I thank the Member for her supplementary questions. On the first one relating to the sharing of information with foreign governments, these are done through government-to-government agreements, such as the one that we have with the US. Certainly, wherever there are instances or incidents of a breach and so on, then these are all very specifically investigated in order to establish what might be the vulnerability, and what might be the additional measures that must be put in place in order to minimise the risk of such recurrence.

And I think the Member would also agree that this will be an endless endeavour in the sense that you can never predict what might be the next breach but it is constant vigilance and established processes in order to mutually review and to tighten them up.

The sharing of information is itself important for the ensuring of security in so many different aspects and, certainly, the utility of that is also not to be compromised. At the same time, we must look at how best to safeguard, especially, as technology moves and especially as perpetrators look for new ways to do it. That is the first one.

With regard to the second question, Mr Speaker, may I ask the Member to just remind me.

Ms Sylvia Lim: Yes, the second question related to the recent incident where it was reported that at ST Electronics, which is not a Government department as such, some information was leaked in the recent episode.

Mr Heng Chee How: I thank the Member. As part of my reply earlier, I alluded to that, where we have external partners, external to MINDEF and SAF, and this could be commercial partners, vendors that we use or they could be government-to-government. So earlier, my response was with regard to government-to-government.

ST Engineering, where it provides a service to MINDEF and SAF, would be doing so under a commercial arrangement. And as part of my explanation earlier, I have also explained that MINDEF takes it very seriously, how we assess a provider, in terms of the standards of its cybersecurity in deciding whether or not to award a contract, of whatever classification that will be appropriate to that vendor. And where there are weaknesses exhibited in the systems of that vendor, we would certainly take that into account immediately, in working with that vendor on what happened, how do you strengthen your system to prevent recurrence and how MINDEF should take that into account in the future evaluation of contract awards.