Emphasis on 5G, AI & IoT in Singapore’s Safer Cyberspace Masterplan 2020


Singapore’s Deputy Prime Minister Heng Swee Keat announced Singapore’s Safer Cyberspace Masterplan 2020 at the opening ceremony of the virtual Singapore International Cyber Week today. Building on the 2016 Singapore Cybersecurity Strategy*, the Masterplan outlines a blueprint for the creation of a “safer and more secure cyberspace in Singapore”, according to the government press release. Developed in consultation with industry and academic partners, it aims to raise the general level of cybersecurity for individuals, communities, enterprises, and organisations. It comprises three strategic thrusts: securing core digital infrastructure; safeguarding cyberspace activities; and empowering a cyber-savvy population.

First Thrust: Securing Core Digital Infrastructure

The first strategic thrust aims to defend Singapore’s cyberspace at the outset by minimising vulnerabilities in the Internet architecture, devices and endpoints, and enterprise applications. Through this approach, end-users connected to the Internet in Singapore will have reduced exposure to known cybersecurity vulnerabilities.

An Emphasis on 5G

To strengthen the protection of the Internet architecture in Singapore, the Singapore Government will collaborate with Mobile Network Operators (MNOs) to secure Singapore’s 5G networks. The Government will apply “Security-by-Design principles” in developing Singapore’s 5G networks, while concurrently building up “world-class telecommunications cybersecurity capabilities locally to handle 5G cybersecurity threats”.

The Infocomm Media Development Authority (IMDA) together with CSA will work with the MNOs to enhance the 5G cybersecurity posture, such as conducting vulnerability assessments and threat hunting work. This will involve developing close partnerships with the cybersecurity industry and academia to research and implement cutting edge solutions to complement existing security tools designed for 5G systems.

As part of the ongoing cybersecurity enhancement measures to be adopted for the 5G networks, IMDA and MNOs will establish a 5G Security Programme for technology exploration and research to better protect the country’s 5G networks against cyber threats and vulnerabilities. The Programme will provide a testbed environment to train and raise the 5G cybersecurity skills and knowledge of telecommunications cybersecurity professionals. IMDA together with CSA will also take the lead to conduct cybersecurity exercises with the MNOs to improve the incident response and coordination among stakeholders, in the event of a cyber-attack on 5G systems.

DNS and Cloud

CSA is working with the IMDA and the Internet Service Providers to implement the Domain Name System Security Extensions (DNSSEC) protocol across Government agencies and local Internet domains to protect users from the inherent DNS vulnerabilities.

The IMDA, together with CSA, is working with Cloud service providers, industry certification bodies, industry associations, professional bodies, academia and SME representatives to review and update the Multi-Tier Cloud Security (MTCS) standard to mitigate the latest security concerns in Cloud Native environments. The MTCS standard was first developed in 2013 by the government and the industry to provide enterprises in Singapore with greater clarity on the levels of security offered by the different Cloud service providers, and encourage the adoption of Cloud security risk management practices in the country’s enterprises.

Together with the Cloud consumers and industry certification bodies, the updated MTCS standard, which will be published in late-2020, is envisaged to raise the cybersecurity posture of Cloud services in Singapore.

Cybersecurity Labelling Scheme (CLS)

The Government will offer a Cybersecurity Labelling Scheme (CLS) that device manufacturers can voluntarily apply for, which provides different levels of cybersecurity ratings to help consumers easily assess the level of security offered by a smart device and make informed choices. These labels indicate the security provisions of the registered products, based on a series of assessments on:

  • Meeting basic security requirements such as ensuring no universal default password;
  • Adherence to the principles of Security-By-Design;
  • Absence of common software vulnerabilities; and
  • Resistance to common cyber-attacks.

As a start, CSA will introduce the CLS to a few product types, such as home Wi-Fi routers and Smart Home hubs. These products are prioritised because of the impact that a compromise of such products could have on users.

In particular, for home Wi-Fi routers, IMDA will set minimum security requirements as part of the interoperability and communication standards. IMDA has also published an IoT Cyber Security Guide to offer enterprise users and their vendors better guidance on deploying IoT systems and technology. Moving forward, CSA will work with like-minded international partners to establish mutual recognition arrangements for the CLS.

National Digital Identity

To safeguard enterprise applications, the Government has encouraged enterprises to leverage the National Digital Identity’s trusted services, such as MyInfo and SingPass Login, to augment their own identity assurance and authentication processes.

Enterprises must apply to, and be approved by, the Government before using NDI Application Programming Interfaces (APIs). To protect the security of the data maintained by the Government, enterprises are not permitted to request more data than is required for their purposes, and will need to justify the request for confidential data with explicit approval granted by the user. Enterprises interested in signing up to leverage NDI trusted services can get started at the NDI API Portal.

Second Thrust: Safeguarding Digital Activities

The second strategic thrust aims to ensure swift detection and remediation of malicious cyber activities at the national and enterprise levels, in order to minimise the impact and damage caused by cyber threats. To do so, the Government will aim to strengthen Singapore’s national malicious cyber activity detection and analysis capabilities. Some of the key initiatives include an Artificial Intelligence-enabled Cyber Fusion Platform for threat detection and analysis, as well as an Internet of Things (IoT) Threat Analytics Platform.

The AI-powered Cyber Fusion Platform

CSA will implement a Cyber Fusion Platform capable of assimilating and analysing information from a “myriad of sources”. This will allow CSA to swiftly triage high-priority cyber evidence that may be warnings of impending malicious cyber activities, correlate evidence across all cybersecurity information sources, and conduct the requisite investigations with enhanced efficiency. This automation of threat detection and analysis, coupled with human knowledge and expertise in cybersecurity, will allow Singapore to develop a national early warning system against malicious cyber activities.

A key feature of the Cyber Fusion Platform is the use of Artificial Intelligence (AI) engines in cybersecurity. AI will play a key role in transforming cybersecurity, and the cybersecurity domain is one of nine key sectors identified under the National AI Strategy launched by the Smart Nation and Digital Government Group (SNDGG) in November 2019. The AI-powered analytic engine will be able to:

  • Perform automated predictive trend analysis.
  • Auto-correlate cyber evidence from all information feeds and achieve early warnings of malicious cyber activities.
  • Reduce dependence on cyber analysts to deal with voluminous data and hasten the speed at which cyber threats can be detected and responded to.

IoT Threat Analytics Platform

CSA will be working with its partners to set up an IoT Threat Analytics Platform. This will provide CSA with information on, and analysis of, the global IoT threat landscape. Through this analysis, CSA can “better detect impending, large-scale IoT attacks and assess the impact before they happen”. These insights from the IoT Threat Analytics Platform will allow CSA and other Government agencies to put in place policy and technical measures to safeguard the cybersecurity of IoT devices and address the threats before they cause damage.

Internet Cyber Hygiene Portal

The Government will support enterprise efforts by introducing self-help resources and solutions for enterprises, through an Internet Cyber Hygiene Portal. The benefits of the Portal are two-fold: first, the Portal will provide cyber guides and toolkits housed in a single location at CSA’s webpage, making it easier for users to access self-help resources and adopt cyber best practices; second, the Portal incorporates cyber health lookup tools that help enterprise users to assess their domain, email and connectivity cyber health.

These are critical cyber health indicators, and their cybersecurity status will be reported to the enterprise user along with actionable suggestions on how users can improve their cybersecurity. This includes encouraging the adoption of Internet best practices, such as the DNSSEC protocol and email hygiene practices. In this way, enterprise users can readily access resources on Internet security best practices and standards, and receive advice to improve their own cybersecurity. This one-stop Portal also simplifies cybersecurity for the user by focusing only on the key indicators that matter.

‘Cybersecurity Essentials’ SaaS

CSA is collaborating with local cybersecurity industry partners to design an architecture for an integrated and automated Security-as-a-Service (SaaS) solution that incorporates all the ‘Cybersecurity Essentials’, to better protect enterprise users from malicious cyber activities.

The objectives of this are three-fold:

  • Secure computers and achieve swift detection and response to malicious cyber activities;
  • Reduce the demand for cybersecurity manpower through the automation of cybersecurity services; and
  • Define the standards for interoperability for the SaaS components to overcome the challenges that users face in integrating several different cyber solutions. Vendors who wish to integrate their tools into this may do so.

At the core of this solution is the ability to allow only trusted applications and software to be executed by the Operating System. This is in essence application control, such that malicious, untrusted applications and software cannot be executed, and hence cannot cause damage to users. In addition, the solution will protect data through encryption, thereby preventing data exfiltration in unencrypted (i.e. easily-readable and accessible) form.

This SaaS solution will be able to defend against threats including malware sent via phishing emails, ransomware, hijacked privileged administrator accounts and insider threats, among others. The SaaS solution will be made available for SMEs under Enterprise Singapore’s Productivity Solutions Grant and IMDA’s SMEs Go Digital programme.

Third Thrust: Empowering a Cyber-Savvy Population

The third thrust of the Masterplan seeks to empower the population to respond to cyber threats. This is to be achieved through enhancing awareness of cyberspace security, changing attitudes towards cybersecurity and encouraging the adoption of cybersecurity measures. At the enterprise level, the Government will develop resources and toolkits that are customised for enterprise leaders, employees, Chief Information Security Officers and cybersecurity teams to aid enterprise leaders in making decisions on addressing cyber risks that their enterprises face.

Exercise-in-a-Box

An example is the Exercise-in-a-Box Singapore tool that the Cyber Security Agency of Singapore (CSA) will be launching in partnership with the United Kingdom’s National Cyber Security Centre. Designed to complement organisations’ existing cybersecurity measures, the EiaBSG tool will provide organisations in Singapore with a safe environment to exercise and test their response to a variety of cyber-attack scenarios. Organisations can use the tool to assess their cyber resilience and readiness, identify possible gaps in their cybersecurity, and better prepare against such cyber-attack scenarios.

SG Cyber Safe Trustmark

In addition, to encourage enterprises to adopt cybersecurity, the Government will roll out a voluntary SG Cyber Safe Trustmark by 2021. With the Trustmark, enterprises can demonstrate that they have put in place cybersecurity processes and measures. Clients can then select enterprises with the requisite cybersecurity assurance to meet their needs.

The Trustmark aims to reduce risks arising from high-volume, low-sophistication malicious cyber activities. Most importantly, the Trustmark can provide a degree of transparency on the level of cybersecurity of enterprises, for the market to make informed decisions when services are procured. It will be a voluntary programme that enterprises may wish to sign up for, to demonstrate that they have put in place pre-determined cybersecurity measures.

At the community level, CSA will continue to expand its outreach efforts through the GoSafeOnline Community Outreach Programme. David Koh, Commissioner of Cybersecurity and Chief Executive, CSA, said: “Singapore’s digital transformation to achieve our Smart Nation goals in this post-COVID environment must be undergirded and enabled by robust cybersecurity. To leverage the opportunities, we must also mitigate the risks. To this end, the Safer Cyberspace Masterplan aims to raise the general level of cybersecurity in Singapore for Singaporeans, our enterprises and organisations. Cybersecurity is a collective responsibility, where all stakeholders can and must play a role to protect ourselves in the digital domain.”

CSA aims to implement the initiatives in this Masterplan from 2021 to 2023. In addition, CSA will review the Masterplan regularly to keep up with the prevailing cyber threat landscape, according to its press release.

The entire Safer Cyberspace Masterplan 2020 can be downloaded here.

*Singapore’s Cybersecurity Strategy was launched in 2016 and comprises four pillars: (1) building a resilient infrastructure; (2) creating a safer cyberspace; (3) developing a vibrant cybersecurity ecosystem; and (4) strengthening international partnerships.