Readiness of Singapore Telecommunications Companies to Thwart Cyberattacks

3 Mr Desmond Choo asked the Minister for Communications and Information in light of the recent cyberattacks on one of our telcos (a) how ready are our telcos and essential infrastructure in meeting such cyberattacks; and (b) and how can the Government better support our companies to improve their readiness.

The Minister for Communications and Information (Assoc Prof Dr Yaacob Ibrahim): Madam, given Singapore's heavy reliance on digital technologies, cyberattacks can significantly disrupt the smooth running of essential services, such as finance, telecommunications and transportation. The Government takes these cyber threats seriously. We formed the Cybersecurity Agency of Singapore (CSA) last year and the Prime Minister launched Singapore's Cybersecurity Strategy last month. The recent attack that affected Internet access for some users is a timely reminder that these threats are real and everyone has a part to play to secure our cyberspace.

Eleven critical sectors that provide essential services have been identified and CSA works closely with Government agencies and operators in these sectors to strengthen the cyber resilience of their Critical Information Infrastructure (CII). For example, through the Readiness Maturity Index (RMI) programme, CSA engages sector leads and operators to review the current level of preparedness, identify areas of improvement and take steps to beef up their defences. CSA also conducts regular exercises to validate and test the readiness of these plans.

CSA works closely with the Info-communications Media Development Authority (IMDA), as the sector lead for the infocomm sector. CSA and IMDA place strong emphasis on the cyber resilience of our telecommunications infrastructure as it is a crucial enabler for other sectors. Besides aligning with national level plans, IMDA requires Internet service providers (ISPs) to comply with the Secure and Resilient Internet Infrastructure Code of Practice as part of their licence conditions. This Code requires ISPs to put in place various controls related to prevention, detection and response to cyber-attacks across telecommunications networks. The ISPs are also required to engage IMDA-approved auditors to audit their compliance with the Code.

To improve responses to cyber threats in the infocomm sector, the then-IDA also formed the Infocommunications Singapore Computer Emergency Response Team (ISG-CERT) last year. Its remit has since been expanded to include the media sector with the formation of IMDA. ISG-CERT shares information through the issuance of actionable intelligence and alerts to the telecommunications and media operators to enhance their readiness. ISG-CERT also coordinates sector-wide responses to cyberattacks.

However, Madam, the cyber threat landscape facing our CIIs is rapidly evolving and attacks are becoming more sophisticated. Despite our best efforts, breaches cannot be eliminated entirely. It is important that we respond swiftly when attacked and bring services back to normalcy as soon as possible. We will also need to continually adapt our plans based on lessons learnt. While investigations are ongoing for the recent attack, IMDA, CSA and ISPs have not stood still. IMDA, through ISG-CERT, has issued advisories to local ISPs on measures to take to mitigate similar attacks, such as beefing up Domain Name Server capacity, and monitoring and placing limits, if needed, on traffic coming from identified network ports.

Beyond the critical sectors, it is also important that companies, including small and medium enterprises, adopt good cyber security practices. Consumers expect that digital processes are secured and their private information is protected when transacting with companies. Businesses should, therefore, view cyber security as investments to improve their competitiveness, rather than just additional cost. To keep informed of latest cybersecurity threats and steps to take to mitigate these risks, companies can refer to regular advisories and alerts that are issued by the Singapore Computer Emergency Response Team (SingCERT).

As shown by the recent incident, consumers also play an important role in building a safer cyberspace. Consumers should adopt good cyber hygiene to minimise the risk of falling prey to cybercriminals or unwittingly allow their Internet-connected devices, such as webcams and routers, to be used to launch cyberattacks against others. Each of us can take responsibility by taking steps, such as changing the default password on home equipment and wireless networks, and regularly applying software updates to our computers and mobile phones. Such measures are published regularly on SingCERT's website.

Mdm Speaker: Mr Desmond Choo.

Mr Desmond Choo (Tampines): I thank the Minister for his responses. I have two points of clarification. One, I note that we have done quite a fair bit for the essential services. Of course, there is a need to level up the individuals and consumers, including companies' capabilities to deal with the attacks. I would like to check what are the additional measures that the Ministry will put in place to help companies that might not have the requisite resources to level up?

Secondly, would the Ministry also consider SG Secure-like counter-terrorism exercises for the individuals and consumers so that everyone can be better prepared in the event of an attack and take better precautions?

Assoc Prof Dr Yaacob Ibrahim: I thank the Member for the two questions. On the first question as to whether there are additional measures to help our companies to level up, the answer is yes.

CSA will work with the various chambers and trade associations to help our SMEs to understand what are their states of cyber readiness and what are the solutions available out there. We have recently launched a starter kit for companies to see what are the things they need to put in place, the necessary defences of their IT systems.

On the second question as to whether or not we will conduct exercises with the consumers, currently, what is being done, as the way we have organised the space, is that we have 11 critical sectors. CSA works with the sector leads and the various members of the sectors, be it finance, telecomms, water or energy, to do table-top exercises.

At the same time, what we do is that we send out advisories and we inform through our website, what are the things that not only businesses, but also consumers can do.

I agree with the Member that there is a need for us to step up cyber hygiene, especially for consumers. This is something which has to be ongoing. The kind of exercises that the Member suggested is something we can study. Certainly, I think a public campaign is something that we have launched and we want to continue to reach out to as many consumers as possible to make sure, as I mentioned in my reply, that they ensure that their passwords are changed regularly and they adopt good cyber hygiene.