Singapore's Cybersecurity Blueprint: Does It Come Up Short?
Critics Say Plan Lacks Practical Insights on Mitigating Risks
Some security experts say the Singapore Cyber Security Agency's new strategic blueprint for creating a resilient and trusted cyber environment lacks a practical approach to addressing key risk issues.
Singapore Prime Minister Lee Hsien Loong launched the new cybersecurity strategic blueprint at the recent inaugural ceremony of Singapore International Cyber Week. The plan, which was developed after consultation with 50 stakeholders over the past year, focuses on four pillars: building a resilient infrastructure; creating a safer cyberspace; developing a vibrant cybersecurity ecosystem; and strengthening international partnerships.
Anthony Lim, vice chairman and senior cybersecurity adviser at Frost & Sullivan and vice chairman of the application security council at (ISC)2, says the plan fails to spell out best practices for addressing security issues arising out of human behaviour.
Ken Soh, CIO and director of e-strategies at BH Global, a provider of supply chain management, design, manufacturing and engineering services to the oil and gas industry, offers a similar assessment. "The current framework is comprehensively designed to meet the changes in the current threat landscape, but the challenge would still lie in the actual implementation mechanism involving people, process and technology, which the strategy doesn't really specify," he says.
Components of Blueprint
The strategic blueprint calls for:
- Stepping up the protection of essential services and implementing critical information and infrastructure protection programmes that emphasize robust and systematic cyber risk management processes;
- Enhancing organisations' capabilities to respond decisively to cyber threats, improving national cyber situational awareness and conducting regular multi-sector cybersecurity exercises;
- Strengthening the government's cybersecurity governance and legislative framework and introducing a Cybersecurity Act that will require critical information and infrastructure owners and operators to take responsibility for securing their systems and networks;
- Expanding efforts to secure government systems and networks. This includes allocating 8 percent of government information and communications technology expenditures to cybersecurity.
"We will protect essential services from cyber threats and create a secure cyberspace for businesses and communities," Lee said during the launch. "The CSA will work with other agencies and private-sector partners to achieve this as the government cannot do it alone."
What is Lacking?
Michael R. K. Mudd, managing partner at the security consultancy Asia Policy Partners, says the new strategy addresses high-level issues, but lacks insights on training and internal breach detection strategies.
"I am surprised that the document doesn't mention anything about data classification and its security and cloud security, which needs huge attention as the involvement of a global cloud provider may provide the ultimate resilience to data destruction," he adds.
On the strategy's recommendation to allocate 8 percent of the government's IT spending to cybersecurity, critics argue that money is not the issue; the issue is improving security hygiene within the enterprise.
"Cybersecurity is not about spending money on equipment and solutions," Lim says. "It's about lack of seriousness and awareness among C-level executives within the organisations in securing their data. ... CSA's document should prescribe guidelines to help the staff across enterprises on the best practices to handle cybersecurity ... to ensure a higher level of cyber wellness in the organisation and in the country."
Ingredients of a Cybersecure Ecosystem
One aspect of the blueprint that's drawing praise is its call for establishing formal cooperation on cybersecurity between Singapore CERT and other CERTs, with a goal of building an effective incident prevention and response mechanism and an information sharing platform.
CSA also plans to introduce a mechanism to establish stronger collaboration among various industry sectors to support each other during major cyberattacks.
According to Dr. Yaacob Ibrahim, Singapore's minister-in-charge of cybersecurity, the agency will also beef up national resources such as the National Cyber Incident Response Team and the National Cyber Security Centre and introduce a Cybersecurity Act to give the Singapore CSA greater powers to secure critical information and infrastructure.
The blueprint also spells out a high-level game plan for securing the nation's critical infrastructure, building skills, securing networks and strengthening governance.
Koh argues, however, that CSA needs to influence enterprises to leverage appropriate technologies that can help in early detection of breaches and build a security culture within the organisation.
"The strategy needs to prescribe rules on developing customized cyber awareness programs for senior management, mid-management and operational staff within enterprises and compel them to frame policies embedded with strong security and auditing capabilities, which is one way to ensure a cyber-secure environment," he says.
Singapore needs a cybersecurity strategy that directs enterprises and government to become far more engaged in securing both devices and networks, Mudd says.
Adds Lim: "While there is no shortage of technology for cybersecurity, what CSA needs to pay attention to is how to impart education - train and groom the cybersecurity professionals ... to enable organisations to fight new threats and stay secure."