Cybersecurity highlights from the Singapore International Cyber Week

• Singapore announced several measures to improve cybersecurity at SICW 
• Among them were guidelines to improve cloud security. 
• Singapore also plans to develop more female cybersecurity professionals. 

The Singapore International Cyber Week (SICW) witnessed numerous announcements to boost cybersecurity in the island state. Security and government agencies announced partnerships with private companies as well as plans to develop more cybersecurity professionals in the country.

The Cyber Security Agency of Singapore (CSA) announced that it would be establishing separate cooperative efforts with Microsoft and Google on national cyberdefense and cybersecurity. This includes facilitating cyberthreat intelligence sharing, joint operations to combat cybercrime and malicious cyberactivity, exchanges on emerging and critical technologies, such as artificial intelligence, as well as capacity-building efforts.

CSA said it recognizes that in cyberspace, multi-stakeholder cooperation is key. With state and industry players sharing a collective responsibility to build a stable and secure cyberspace, the partnerships further Singapore’s commitment to continue working closely with key industry players in the digital domain to build a safer cyberspace for all.

“Cyberdefense is a team effort. Big tech plays a key role in shaping our digital terrain and is therefore an important partner in cyberdefense and cybersecurity. We look forward to working closely with Microsoft and Google to advance our shared mission of building a safer cyberspace for all users,” commented David Koh, Chief Executive of CSA.

Both Microsoft and Google also commented that the collaborations will not only enhance customers’ trust in the digital domain but also build greater cyber-resilience in Singapore. Both companies are hoping to use collective capabilities and innovate with AI to combat emerging cyberthreats.

Improving cloud security

CSA also collaborated with the Cloud Security Alliance to launch two cloud security companion guides to support Cyber Essentials and Cyber Trust, which are national cybersecurity standards developed by the agency.

Developed in close partnership with Amazon Web Services, Google Cloud and Microsoft, the companion guides provide advisories for cloud customers, including small-medium enterprises (SMEs), to better understand their cloud-specific risks and responsibilities, as well as the necessary steps to take. These include employee training on their roles in cloud security and how they can operate securely in the cloud and implement mechanisms to track and monitor the inventory of their cloud services.

With enterprise cloud adoption rising significantly, cybercriminals are also increasingly targeting organizations’ cloud environments, with considerable growth in cloud-based attacks reported over the last two years. A common confusion that arises from this is who is actually responsible for the data. While the organization is solely responsible for its data security in an on-premises deployment, it becomes a shared responsibility on the cloud.

This confusion and lack of understanding of responsibilities may increase the likelihood of misconfigurations, malicious attacks, and data breaches. As such, the companion guide for Cyber Essentials is targeted at SMEs. It uses a shared responsibility model to help organizations understand what they and their providers each need to take care of to secure the cloud environment.

Meanwhile, the companion guide for Cyber Trust is targeted at larger or more digitalized organizations. The guide maps each of the cybersecurity preparedness domains in the Cyber Trust mark, such as cybergovernance and oversight and cyber-education, to the framework published by the Cloud Security Alliance. This mapping provides a useful and convenient reference for organizations, making it easier for them to implement the measures necessary to attain the Cyber Trust mark.

“These companion guides are intended to help enterprises be cyber safe when using the cloud and help them achieve the Cyber Essentials and Cyber Trust marks. In doing so, their customers will have greater peace of mind when dealing with them. It will be a win-win situation for both enterprises and their customers,” said Dan Yock Hau, assistant chief executive of the CSA.

The three cloud companies have also developed provider-specific guides that are organized based on the measures listed in the Cyber Essentials and Cyber Trust marks.  Daniele Catteddu, chief technology officer for the Cloud Security Alliance added that it is clear that all organizations and users have a role to play in protecting themselves against cyberattacks in the cloud.

“By contributing our cloud controls matrix mappings to the companion guide for Cyber Trust, these best practices in the matrix are very relevant for both Singapore and the global market,” said Catteddu.

The CSA and the Police

Apart from the guides, the CSA also announced plans at SICW to collaborate with the Singaporean Police in developing a ransomware portal. The one-stop portal provides aid to ransomware victims seeking recovery support while providing organizations with access to ransomware-related resources.

The Counter Ransomware Task Force was established to bring together agencies across Singapore to enhance counter-ransomware efforts, especially in the wake of increasing numbers of ransomware cases in Singapore. As part of the recommendations, a one-stop portal was created to help victims of ransomware attacks and give them access to all ransomware-related resources.

The portal allows victims to easily report ransomware cases. It also offers recovery support in the form of decryption tools, incident response checklists and FAQs. In addition, the portal includes ransomware advisories, trends and prevention measures that can be adopted to avoid falling victim to ransomware attacks.

Developing the Singapore cybersecurity workforce

One of the biggest problems in cybersecurity is the lack of talent in the field. While AI is expected to ease some workflows in cybersecurity, the industry is still facing a huge shortage. And while it is a global problem, Singapore is hoping that it can reduce its own shortage much faster than the rest of the world.

As such, the government has announced several initiatives to boost the cybersecurity workforce in Singapore. First, the CSA is launching SG Cyber Associates, a new program under the talent pillar of its Cybersecurity Talent, Innovation and Growth (Cyber TIG) Plan. The program provides foundational and targeted cybersecurity training for non-cybersecurity professionals to develop cybersecurity skills relevant to their work.

In partnership with ISC2, 10,000 training and exam spaces over a period of three years will be offered to participants in Singapore who want to obtain an entry-level certification in cybersecurity. This program will complement existing efforts to increase the overall capacity of the cybersecurity workforce, which includes attracting more women and girls into cybersecurity.

The CSA is also partnering with professional bodies and training partners to introduce SG Cyber Associates to professionals such as engineers, auditors and lawyers, as well as IT and software professionals. The CSA will partner with ISC2 to offer foundational training by extending ISC2’s One Million Certified in Cybersecurity (1MCC) initiative under the SG Cyber Associates program. For targeted training, the CSA will work with professional bodies to develop customized cybersecurity training to meet the specific needs of their members.

Apart from that, Heng Swee Keat, Singapore’s Deputy Prime Minister launched the SG Cyber Leadership and Alumni Program, a structured program to cater to participants at different stages of their cybersecurity journey. To support this new program, Singapore’s earlier funding commitment of SG$30 million for cybercapacity building will be extended by another three years, from 2024 to 2026.

The program is catered to participants at the executive, foundation and advanced levels and is open to all countries. The foundation course is an introductory course focused on basic cyberdiplomacy concepts, international law, and norms in cyberspace, as well as the operational and technical considerations of international cyberpolicy.

In her speech at a Women in Cyber forum during SICW, Josephine Teo, Minister for Communications and Information highlighted that women remain a minority in cybersecurity.

“Because demand far outstrips supply, it’s a really good time to welcome more women to the cybersecurity profession. It also fits well with our holistic yet practical approach to growing a sustainable talent pipeline for cyber. The Singapore government sees this as important, but we also do not do this alone. In fact, we prefer to draw on the strengths of our partners to develop multiple pathways for crowding in talents into cyber,” said the Minister.

The CSA will also be collaborating with the UK’s Department for Science, Innovation and Technology to jointly build and develop a cybersecurity sector that is clearly defined and future-proofed. The two countries have agreed to cooperate on the following:

• Building and aligning a common knowledge base in cyber security.  This may include a joint research project to align the UK Cyber Security Body of Knowledge (CyBOK) and Singapore’s Information Security Body of Knowledge (IS-BOK).
• Mapping knowledge and skills required to areas of practice in cybersecurity. This may include work to eventually map qualifications and certifications to the skills and competencies needed by cybersecurity professionals in Singapore and the UK.
• Exploring the possibility of opening the UK Cyber Security Council (the Council) professional charters to cyberpractitioners in Singapore, who may be keen to apply. This includes introducing the Council to UK businesses located in Singapore.
• Facilitating a cyberskills dialogue. This will bring together representatives from across government and industry, as well as academic experts from the UK and Singapore to engage in dialogue with the aim of improving the size, diversity and quality of both national cyberworkforces.

Singapore wants collective regional responsibility in cybersecurity

In her opening address at the 8^th ASEAN ministerial conference of cybersecurity, Teo called on member nations to focus on two priorities to see progress in cybersecurity in the region. The first is to strengthen cybersecurity cooperation and resilience regionally and the second is to support the establishment of a rules-based multilateral order in cyberspace internationally.

“Cyberthreats do not respect borders. An attack can quickly spread across the world. It is therefore important for all our CERTs to work together to quickly share information and warn each other as early as possible. Last year, I shared with you our plans to establish the ASEAN Regional CERT. We are currently drafting the financial model that defines its structure and functions,” said Teo.

On developing standards, Teo suggested the need to adopt baseline technology standards, which she feels is vital to building confidence among businesses and users. For example, in the area of IoT, it has been estimated there could be some 50 billion IoT devices in use worldwide by 2030.

“Yet, many of these devices are developed without proper cybersecurity features. Why? Because developers tend to prioritize speed-to-market and cost. Even IoT devices with cybersecurity features can be vulnerable if they are not consistently patched. Imagine if smart home security systems are hacked by burglars or medical IoT devices are exploited to give incorrect readings. This is why Singapore introduced the Cybersecurity Labelling Scheme for IoT devices, to encourage greater awareness and the development of more secure products,” she added.

As such, the CSA is actively working to establish mutual recognition arrangements with international partners and is developing an international standard, ISO 27404, to define a cybersecurity labelling framework. The ISO standard will facilitate take-up in more countries.

Given the announcements made in SICW, there is no doubt that Singapore is taking a big step in boosting its cybersecurity. The only question now is whether businesses will make the most of the opportunities available to them in improving their cybersecurity.

---

---

---

---