Time for cyber security plans to swing into action

Singapore announced several new initiatives to boost online security during the recent Singapore Cyber International Week, including international collaborations and a new academy here to train professionals in the field.

The announcements were not as major as those made last year, when Prime Minister Lee Hsien Loong unveiled a four-pronged national cyber strategy plan.

Nonetheless, they are small but significant steps towards the long-term goal of securing Singapore against cyber attacks.

The setting up of the Cyber Security Agency (CSA) academy, for one, is long overdue, plugging gaps not currently covered by the institutes of higher learning.

Already, analysts have noted the shortage of cyber security professionals at the middle to top level.

“There are not enough cyber security leaders in Singapore,” said Mr Vincent Loy, cyber and financial crime leader at PwC.

“Our universities are coming up with all these courses, but they teach the basics, and we don’t need the basics.

“We have a lot of doers, but not enough of those in middle management with more than five years’ experience. We also need more people with both specialised technical and broad-based skills.”

The new academy will be able to step in and fill this gap, and it will need to scale up in terms of both numbers and quality of such professionals, Mr Loy stressed.

It also needs to develop training that takes local context into account, as Singapore’s needs and the threats it faces might be different from those of the United States or China, he noted.

While its short-term target would be to address the urgent manpower needs of the industry, in the long run, the academy will have to run talent development programmes to groom leaders in the field, said Mr Bill Taylor-Mountford of security intelligence firm LogRhythm.

In the meantime, the shortage of talent at the more senior levels has to be plugged by bringing in overseas expertise.

The academy’s first training partner is American cyber security services provider FireEye, which will carry out training in incident response and malware analysis and help to develop the curriculum.

Local telcos, for their part, have also been partnering with or acquiring similar overseas cyber security service providers to boost their capabilities.

Last week, the CSA also signed an agreement with the Information Systems Audit and Control Association — a global professional body — to train cyber security professionals here.

The Asean Cybersecurity Industrial Attachment Programme, also announced last week, will offer further training opportunities in Singapore, for up to 18 candidates from Asean member states. Clearly, the intention of the programme is to foster greater cooperation and exchanges in Asean on cyber security.

To this end, Singapore can probably do more to foster partnerships among Asean countries to protect the region against cyber threats and crime.

As Minister for Communications and Information Dr Yaacob Ibrahim put it, a “unified Asean voice” is needed for greater coordination on cyber policy and capacity building.

Going beyond that, a global effort is key to a resilient cyber environment, he stressed.

With Singapore becoming the Asean Chair next year, the opportunity is ripe for it to drive the agenda on this.

“There is the expectation that Singapore will drive greater collaboration between Asean countries in knowledge sharing and regulations when it comes to cyber security,” Mr Taylor-Mountford pointed out.

Amid the push to boost cyber security, it is easy to forget how much Singapore has achieved in a short span of time.

Three years ago, there was not even a CSA. Singapore’s Cybersecurity Strategy was unveiled by PM Lee only last year.

By next year, the proposed new Cybersecurity Bill, with an expanded scope going beyond the Computer Misuse Act, will be tabled in Parliament.

So where do we go from here?

Experts point to two areas where legislation and policies can be beefed up: the voluntary sharing of intelligence on cyber threats, and the adoption of measures that go beyond covering only the critical sectors.

The proposed Cybersecurity Bill mandates that companies report incidents when they happen.

But experts like Mr Loy have pointed out that there is a lot of intelligence floating around even before incidents happen, within industry and from other governments.

However, most companies fear that their reputation will take a hit if they share intelligence. A recent report by Palo Alto Networks showed that less than a third of organisations in Singapore currently share threat information with other companies in their industry.

But cyber attacks come at a cost, with the same survey finding that 37 per cent of the respondents had suffered losses of at least S$140,000 as a result of data breaches.

So perhaps such companies need to be persuaded to see the clear business benefit in kickstarting a culture of sharing intelligence.

When this happens, everyone benefits by having more robust defences, and the financial costs and reputational damage from such cyber breaches are much smaller.

Currently, the Bill has proposed security measures covering 11 critical sectors that cut across banking, utilities and transport.

But more should be done beyond the critical sectors, as cyber threats can easily and invisibly hop from industries related, or even unrelated, to companies within the 11 sectors.

Mr Taylor-Mountford noted that cyber criminals are already targeting sectors that are not deemed to be as critical: “Naturally, the financial sector is moving ahead but the same cyber security measures must expand to cover all of Singapore’s sectors.”

He added that sectors such as retail, healthcare, and education are “becoming popular targets for criminals due to their relatively lower cyber resilience.”

But he observed that “a huge positive” around the government’s strategies is the awareness that even with the toughest preventive measures, it is a matter of when, and not if, cyber breaches will occur.

“With this mindset, the nation has measures in place to discover possible breaches, investigate them, respond to and subsequently recover from them,” he said.

“Having a realistic view of the threat landscape will ensure that we will not get caught out in case of a large-scale cyber attack.”

For now, the plans and measures so far are a good start.

With a broad strategy and partnerships in place, what is needed now is action and implementation. The devil is always in the details.

Source: http://www.todayonline.com/commentary/time-cyber-security-plans-swing-action