Singapore faced 1 million web-facing cyber attacks every single day in 2015. And 2016 was no different, according to the Republic’s Cyber Security Agency (CSA).
One of the most high-profile attacks was the unprecedented Distributed Denial of Service attack on StarHub’s Domain Name Servers (DNS) in October. Then, thousands of infected computers and web-linked devices flooded the telco’s servers with messages, causing a spike in traffic which jammed StarHub’s servers, disrupting internet services for its users.
This incident came off the back of an even larger attack overseas on internet infrastructure company Dyn, which disabled access to services such as PayPal and Twitter.
The CSA said that such attacks on DNS servers were “generally rare”, but also noted that “it is surfacing as an emerging trend” as countries around the world become increasingly connected. Market research firm Gartner predicts that the number of internet devices will rise from 6.5 billion last year to as many as 21 billion in 2020 – each a potential entry point into an organisation that attackers could exploit.
“Because of the nature of attacks – constantly evolving, and the attack surface increasing, we can’t achieve 100 per cent security – I think there’s no amount of pre-emptive work that we can deal with, that we can do in order to cut off all these different attack vectors,” said the agency’s Chief Executive David Koh.
“Instead I think the approach has to be one of resilience. We have to accept that it’s a matter of time that attacks will come in and will be successful. So the challenge is, in my view, not trying to close off all the attack vectors. What needs to be done is that we need to detect these attacks quickly, deal with them robustly, and recover the services as quickly as possible.”
A DIFFERENT APPROACH TO CYBERSECURITY
This has called for a far different approach to cybersecurity in recent years – one that goes beyond just firewalls and antivirus software.
Such approaches include internet surfing separation, or “air gapping” – the disconnection of some or all critical networks and systems from the wider internet, as the civil service will practise from May next year. But this option is not always available to every organisation and individual, due to the costs and the inconvenience involved.
“The Government has taken this step because we have done our own evaluation firstly on the risks and the threats that we face, and secondly on the criticality of the information that we hold. Individual companies – big, small, individuals themselves, have to make their own evaluation of the threats that they face, the risk that they’re likely to encounter, and the criticality of the information they hold,” said Mr Koh.
“Not all companies should follow the Government in terms of what we have done with respect to internet surfing separation – some companies may make the assessment that the risks that they face are not that critical, and such measures may not be necessary. Instead simpler, low-level straightforward measures could suffice. For example, regular back up of critical information which are critical to the business which are done regularly and kept offline.”
Another approach that has emerged in recent times is the setting up of cyber-ranges – part digital battleground, part laboratory and part training centre. Through the enactment of various cyber attack scenarios modelled after attack methods and patterns both past and projected, organisations can test how their cyber infrastructure responds. But it also has a human element – staff learn how to react to attacks as they happen and the appropriate steps to take in real-time.
Such an environment allows organisations to test plans for continued operations during and after an attack – a more progressive approach to cybersecurity, according to cybersecurity firm Quann’s Managing Director Foo Siang-tse.
“In a way it’s really no different from a business continuity plan (BCP) that most companies already have. Most companies actually practise fire drills, and have BCP plans for H1N1 and other forms of real-world disasters,” said Mr Foo.
Quann recently launched Singapore’s first cloud-based cyber range, which it says offers organisations flexibility and scalability regardless of geographical location.
“The cyber range provides this environment to help companies make the trade-offs, understand the decisions that they’re making in a context that’s safe and realistic,” said Mr Foo.
“It helps them understand how do they make these decisions to maximise and optimise the risk bearing in mind the ‘trilemma’ that we see in cybersecurity – which is really about cost, convenience as well as security coverage. You can have two out of three, but you really can’t have all three.” He noted that cost could indeed become an issue, with the slowing economy and sluggish outlook for 2017.
This view was shared by telecommunications giant Singtel, which has its own cyber range within its Cyber Security Institute launched earlier this year. Its CEO for Group Enterprise Bill Chang said that while industries and sectors have become increasingly aware of the security demands of the digital economy, much work could still be done in terms of deeper collaboration between organisations, which are used to seeing each other as competitors.
“We have to figure out how do we collaborate and develop defence mechanisms – maybe to look at how do we do it at scale so that it lowers the cost, and how do we think about innovations in technologies, new ways of protecting (cyber infrastructure) based on cloud technologies that allow you to scale to more companies, more cost effectively,” said Mr Chang.
But he noted that this might also have to be deployed and managed in ways that involve not just an organisation’s IT department.
“We just don’t have enough professionals in cybersecurity,” said Mr Chang.
DEALING WITH CYBER PROBLEMS, AND SEIZING OPPORTUNITIES TOGETHER
Manpower remains a challenge for the cybersecurity industry both worldwide and in Singapore, with about 15,000 vacancies in 2015.
But it is a challenge the CSA is tackling head-on, partnering polytechnics and universities to design courses relevant to industry needs. On the front-end, the agency also runs the Cybersecurity Associates and Technologists programme – with industry partners like Quann and Singtel coming on board this year – to convert those already in the workforce into cybersecurity professionals.
But Mr Koh said the field is not just open to IT engineers or computer scientists.
“It’s not just about technical work that needs to be done – cybersecurity actually offers a wide range of opportunities in terms of jobs, in terms of the career options,” said Mr Koh.
“We don’t just need the deep technical expertise, we also need policy makers, we also need people who work with psychologists – because a lot of cybersecurity work actually involves human nature, changing mindsets, et cetera. And we also need people who help us in terms of our dealings with international partners. So there’s a whole range of kinds of expertise that we need in the cybersecurity arena, and there are lots of opportunities for people both young and old.”
Such moves to strengthen the manpower pipeline were outlined under Singapore’s Cybersecurity Strategy launched in October this year. It not only spells out strategies to tackle cyber threats of the future, but shows how one can seize the opportunities they present.
“Cybersecurity is something that no one agency – not even the Government by itself – can do. It requires concerted effort across government, between government and businesses, individuals, communities, trade associations, everybody working together in concert in order to safeguard Singapore from cyberattacks,” said Mr Koh. “(It) is a document that lays everything down so that we can all be working in a common direction.”
The Strategy covers the protection of the nation’s Critical Infrastructure – such as its aviation, public utilities, telecommunications, logistics and banking sectors. Such sectors will be required to raise their cybersecurity standards, as well as work together and participate in joint exercises. These measures will be put to the test in 2017, when the CSA conducts a large cybersecurity exercise involving all 11 critical infrastructure sectors. This is on a far larger scale than this year’s Exercise Cyber Star in March – Singapore’s first multi-sector cybersecurity exercise, which involved the Banking and Finance, Government, Energy and Infocomm sectors.
The Cybersecurity Strategy also lays out the Republic’s plan to make its cyberspace safer, develop a cybersecurity pipeline of innovation and expertise, and strengthen partnerships with international bodies.
It is for this reason that Singapore has also invested in a S$10 million ASEAN Cyber Capacity Programme aimed at enhancing cybersecurity in the region.
“We recognise that for Singapore to be cybersecure, we need our neighbours, similarly, to be aware about the threats of cybersecurity and to take action,” said Mr Koh. “In order for them to be able to take the requisite action – whether in terms of investigation, or to stop the attack, we need them to have a certain level of awareness, a certain level of capability.”
“In a way we’re helping our neighbours in order to help ourselves. Because if the whole of ASEAN can become more cyber-secure, it actually becomes an attractive place to do business, and this is something which becomes a competitive advantage for not just Singapore but the whole ASEAN region – something which business people are looking for in terms of where they will site their factories, where they will site their business,” he added.