Oral Answer

Impact of SolarWinds Breach on Singapore and Cybersecurity of Critical Systems

Summary

This question concerns the impact of the SolarWinds breach on Singapore’s critical systems and the mitigation of global cyber threats, as raised by Mr Alex Yam and Mr Desmond Choo. Minister S Iswaran stated that there is currently no indication that Singapore’s Critical Information Infrastructure (CII) or Government systems have been compromised by the sophisticated supply chain attack. In response, the Cyber Security Agency of Singapore raised the National Cyber Threat Alert Level, issued public advisories, and intensified monitoring of critical networks for unusual activity. The Government is advocating for a long-term shift toward a "zero-trust" cybersecurity posture, which emphasizes continuous verification, network compartmentalisation, and proactive threat hunting. Minister S Iswaran added that the Government will continue to share intelligence with international counterparts and provide cybersecurity solutions to help both large enterprises and SMEs fortify their digital defences.

Transcript

3 Mr Alex Yam asked the Minister for Communications and Information (a) what is the impact of the SolarWinds breach on Singapore and the cybersecurity of our critical systems; and (b) what steps is the Ministry taking to mitigate the cyber threats to Singapore arising from this and other global cybersecurity incidents.

4 Mr Desmond Choo asked the Minister for Communications and Information in light of the SolarWinds cybersecurity incident (a) how many companies and Government agencies are affected or vulnerable to such attacks; and (b) how can companies providing essential services and Government agencies have better oversight over cybersecurity arrangements with third party providers.

The Minister for Communications and Information (Mr S Iswaran): Mr Speaker, the SolarWinds cybersecurity breach compromised a network management software that is widely used by major companies worldwide. The attacker used the software’s regular updates to implant a backdoor and gain a foothold in the networks of organisations that downloaded and installed the malicious update. This is a very sophisticated attack that evaded detection for many months.

As reported by the media, SolarWinds’ clients include US government agencies and Fortune 500 companies – including Microsoft, Cisco Systems and VMware. It affected about 18,000 customers, although a much smaller number were compromised by follow-on activity on their systems. This breach is especially noteworthy because the SolarWinds software is part of the network control and management infrastructure. Hence, it was trusted and had privileged access to internal networks. The situation is still evolving and the affected firms are continuing with their investigations.

When first alerted to the breach, the Cyber Security Agency, or CSA, immediately raised the National Cyber Threat Alert Level and worked with our Critical Information Infrastructure, or CII, sectors to check and monitor our critical systems. There is no indication thus far that Singapore’s CII and Government systems have been adversely affected by the SolarWinds breach. The Government is nonetheless adopting a cautious approach and CSA has issued public advisories on steps that enterprises and organisations should take to safeguard their systems against this threat. These include having full visibility of their networks and detecting unusual activity in a timely manner.

In the longer term, dealing with these sophisticated cyber threats requires a fundamental shift in mindset towards a "zero-trust" cybersecurity posture. At its core, this "zero-trust" cybersecurity posture has the notion that we should protect our networks by observing two key principles. First, we should not trust any activity without first verifying it; and second, ensure constant monitoring and vigilance for suspicious activities. This includes compartmentalising and restricting access to different segments of the network, validating transactions across segments, reconciling any escalation of user privileges, and actively and regularly hunting for threats. Organisations should also put in place robust plans for cyber incident response in the event they fall victim to a cyber-attack.

CSA will strengthen engagements with CII sectors, enterprises and organisations to adopt and sustain these measures.

Mr Speaker, the SolarWinds incident underscores the global and transborder nature of cyber threats. Given the nature of the digital domain, such cyber incidents will happen from time to time. Malicious actors only need to exploit one vulnerability, while the defenders must ensure that there are no vulnerabilities in all the systems and networks that they are protecting, all the time. Though difficult to completely prevent, we need deliberate, targeted and consistent efforts to strengthen our cyber defences against sophisticated threats like the SolarWinds breach, which exploit the supply chain of trusted software and vendors. Our CIIs, enterprises and citizens must also maintain their vigilance against cyber threats, as we mitigate the risks while leveraging the opportunities of digitalisation.

Mr Speaker, may I also have your permission to say that this is also in response to Question No 4.

Mr Speaker: Please do. Mr Desmond Choo.

Mr Desmond Choo (Tampines): I would like to thank the Minister for his clarification. I have two points of clarification for the Minister. The first is, before the SolarWinds incident, FireEye was also a victim of hacks. According to media reports, 30% of companies have actually not used SolarWinds nor FireEye software. This means that the vulnerability could be a lot more extensive than we believe. How would the Government go ahead in the future to make sure that we close up our weakest link?

The second point of clarification is on the roles of CSA and GovTech in helping our companies providing essential services to toughen up their defences. Not all companies are equally well-resourced. Some will need more support than others. We are probably only as good as our weakest link. So, I hope the Minister can point us the way forward.

Mr S Iswaran: Mr Speaker, I thank the Member for his question. I think his two questions are in some ways inter-related. Because the first is, how we can ensure that we are not vulnerable and the second is how we can help companies fortify themselves against such threats.

I think underlying this is the key point first, what I stated earlier in my main response, which is that, the nature of cyber threats is such that they are global, they are transborder and they can occur or affect us through a multiplicity of chance; not least, as the SolarWinds incident illustrates, through trusted network systems and vendors.

And therefore, the first and perhaps most important point is the "zero-trust" posture that we must adopt. In other words, always be vigilant, constantly evaluate our systems and conduct regular monitoring and threat hunting exercises. I think this is a fundamental; it is a posture that we need to adopt across not just our critical information infrastructure, but indeed across all organisations, especially as our digital footprint grows as we adopt new digital solutions.

Secondly, on the part of CSA and the Government, CSA works with our CII sectors in particular, to share information regularly on evolving threats and also on solutions that are available for adoption. In particular, CSA is in regular contact with its counterparts around the world and that is an important source of this information and intelligence that is necessary to strengthen our own system.

CSA also has, as I mentioned, an alert system, so that when it is warranted, the alert levels are raised so that our CII owners are aware that the threat landscape has shifted and they need to step up some of their activities in response to that.

Finally, CSA works with several private sector partners and others to ensure various forms of cybersecurity solutions are available for adoption and use by not just the large enterprises and our CIIs but also SMEs.

This is an important part of our work going forward, raising awareness of cybersecurity and also putting in place solutions or making available solutions which businesses can use, and at the same time also working with individuals.

So, there is a range of measures we are undertaking and that we continue to undertake. I think the fact of the matter is, we can never be foolproof in this effort, but we can make sure that we take every effort to strengthen our system and learn from incidents like SolarWinds to further fortify ourselves.