Oral Answer

Investigations into Cyberattack on MINDEF's Systems

Summary

This question concerns the February 2017 cyberattack on MINDEF’s systems, with Dr Lim Wee Kiak and Mr Vikram Nair asking about detection timelines, perpetrator identification, and future preventive measures. Second Minister for Defence Ong Ye Kung noted the breach of the non-classified I-net system was detected within weeks, though specific investigation findings remain confidential for security reasons. He highlighted that sensitive military networks are physically separated from the Internet, while the I-net breach affected the personal information of 854 personnel without compromising passwords. To strengthen security, the Ministry will implement advanced assessment tools, data analytics, and content scanning engines while reviewing personal data storage practices on its Internet-facing systems. He also underscored the necessity of personnel education to address the human factor, which remains a critical link in maintaining a multi-layered cyber defence architecture.

Transcript

1 Dr Lim Wee Kiak asked the Minister for Defence (a) in the past three years, from which countries did most of the cyberattacks on the Ministry's military data systems originate; (b) how long did it take the Ministry to detect the breach of its system in the February 2017 attack; and (c) what steps have been taken to strengthen the Ministry's IT systems.

2 Mr Vikram Nair asked the Minister for Defence (a) if he can provide an update on the Ministry's investigations into the cyberattack on its IT system that took place in February 2017; (b) whether the perpetrators have been uncovered; and (c) what steps may be taken to prevent or minimise the risk from such attacks in future.

The Second Minister for Defence (Mr Ong Ye Kung) (for the Minister for Defence): Mdm Speaker, may I take Question Nos 1 and 2 together?

Mdm Speaker: Yes, please.

Mr Ong Ye Kung: Because computer systems are designed to facilitate connectivity, they are inherently vulnerable to cyberattackers from any location motivated by mischief, criminal theft or national interest, at varying levels of sophistication. This is a global phenomenon. Symantec, a global cybersecurity company, recently reported more than 430 million new pieces of malware in just one year. The Ministry of Defence (MINDEF) and the Singapore Armed Forces (SAF) systems are no different and, on a daily level, experience hundreds of thousands of cyber intrusion attempts ranging from simple probes to sophisticated cyber espionage efforts. The latter include covert attacks by highly-skilled operators who mask or obfuscate their actions by routing through multiple countries to hide their real point of origin.

MINDEF/SAF adopts a multi-layered, risk-based approach to cyber defence, which balances between connectivity and speed on one hand, and security on the other. On one extreme are networks which contain sensitive military information, which are physically separated from the Internet and further protected with encryption and access controls. On the other extreme are systems, like I-net, aimed to facilitate connectivity and ease of use with limited security features which require some personal information of users for access. The I-net system contains no classified information and is designed to allow National Service (NS)men on In-Camp Training to access the Internet for civilian work and personal matters when in camp. However, across all MINDEF/SAF networks, multiple sensors, intrusion detection systems and firewalls are placed at critical nodes to detect intrusion attempts and activities.

Computer systems globally are updated consistently with new applications. Each new change can potentially introduce vulnerabilities. It takes about 120 days, on average, for industry players to develop a patch. Cyberattackers exploit this window of vulnerability by evading the most commonly used commercial sensors and anti-virus signatures. Industry reports cite an average of about 150 days, five months, before a breach is discovered in any computer system. For example, the hacking into the US Government's Office of Personnel Management began in November 2013 but was only discovered in March 2014. That is about a four-month lapse. This breach resulted in the loss of up to 18 million personal data records. More recently, hackers breached the email servers of the Democratic National Committee in mid-2015 and this was detected only in April 2016, almost a year later and, by which time, all of their emails and chats had been stolen.

The breach of MINDEF's I-net system was detected on 1 February 2017 and the affected server was taken offline. Forensic investigations on the I-net system showed that the breach had occurred weeks before detection. The modus operandi was consistent with a covert attack, with means used to mask the perpetrator's actions and intent. Our investigations are ongoing but findings will be kept confidential for security reasons. Other relevant Government agencies were also informed about the breach, and the 854 personnel, whose personal information was stolen, were contacted to take the necessary precautions.

As part of ongoing initiatives to strengthen our cyber systems, MINDEF/SAF will develop better assessment tools, data analytics and content scanning engines to enhance our response to cyberattacks. We will also review the storage of personal data on our Internet systems to minimise risks of cybertheft.

Mdm Speaker: Dr Lim Wee Kiak.

Dr Lim Wee Kiak (Sembawang): Mdm Speaker, I would like to ask the Second Minister this: with so many intrusions and so many cyberattacks on our systems, what are the current measures or laws that protect MINDEF? Are we investigating and prosecuting some of them? With these intrusions, how many of these investigations lead to successful prosecution of the perpetrators?

Mr Ong Ye Kung: If the perpetrators can be identified and are locally situated, we will make sure that we take them through the process of law. Often, they are not. Having said that, prosecution and punishment are just one way. We have to do a lot of other things. Technologically, as I have mentioned, various sensors can be put at critical nodes which will help us detect such intrusions. The system architecture is important, which is why MINDEF had separated the I-net system from the more confidential systems. That helped a great deal. In this case, the perpetrator went through the window but could not access the house because the house is separated. The Civil Service is doing likewise.

More importantly, the weakest link is often the human factor. A lot more education is needed because we can have the most sophisticated cyber defence system, but if we do not have the discipline and we plug an external device into our office network, it can be infected. All these are things that we would have to do.

Mdm Speaker: Mr Dennis Tan.

Mr Dennis Tan Lip Fong (Non-Constituency Member): I thank the Second Minister for his answer. I just have two supplementary questions. First, have the perpetrators who were responsible for the recent attack on MINDEF been identified? Two, will the hackers be able to make use of the personal information that they have obtained from the recent attack for future hacking or other cybercrimes? If so, has MINDEF taken any steps to mitigate this?

Mr Ong Ye Kung: I have to seek the Member's understanding that because this concerns a security issue, I would rather not comment about how we have identified the perpetrator and who it can be or who it is. For the second question, the information lost is basic, which are National Registration Identity Card, telephone numbers and dates of birth. No passwords were lost and I do not think that with this information, they can conduct further hacking.