Possible Legal Proceedings by Singapore Agencies That Suffered Loss from CrowdStrike Cybersecurity Incident
Ministry of Digital Development and Information
Summary
This question concerns the status of the internal task force study on the July 2024 CrowdStrike disruption and potential legal action by affected agencies. Mr Saktiandi Supaat inquired about the findings of the study and whether any agencies would pursue legal recourse against the cybersecurity firm. Minister Mrs Josephine Teo stated that the task force has completed its review, identifying lessons on software supply chain risks and enhancing the resilience of critical infrastructure. She clarified that the incident’s impact was relatively modest and that the decision to take legal action remains the prerogative of individual affected entities. Minister Mrs Josephine Teo also emphasized the importance of business continuity plans and encouraged businesses to utilize national cybersecurity toolkits and advisories.
Transcript
29 Mr Saktiandi Supaat asked the Minister for Digital Development and Information in light of the lawsuit filed by Delta Air Lines against cybersecurity firm CrowdStrike (a) what are the status and expected timelines of the study being done by the Ministry’s internal task force that was set up in the aftermath of the 19 July 2024 disruption; and (b) whether any agency which has suffered losses will be initiating or joining in legal proceedings against CrowdStrike.
Mrs Josephine Teo: The Ministry’s internal task force has completed its study of the incident and distilled lessons, particularly relating to software supply chain risks and patch management. The Cyber Security Agency of Singapore will be issuing advisories on them in due course. The task force also identified enhancements to improve incident response when such disruptions occur, and to strengthen the resilience of our Critical Information Infrastructure (CII) and Foundational Digital Infrastructure (FDI). Work by the respective Ministry of Digital Development and Information agencies and other Government stakeholders is underway.
As updated to Parliament previously, the CrowdStrike incident did not significantly affect our CII or FDI. The impact to other entities has also been relatively modest. In any case, it is up to affected entities to decide whether or not to take legal action against CrowdStrike or their intermediaries.
Not all disruptions can be prevented, nor will their impact be equally severe. Nonetheless, it is important to have the plans in place to recover quickly from unexpected disruptions and to have business continuity plans. I encourage all businesses to step up their efforts by tapping on resources, such as SingCERT’s advisory on building digital resilience, CSA’s cybersecurity toolkits and cybersecurity roadmaps in Infocomm Media Development Authority’s Industry Digital Plans.