President of the Law Society of Singapore, Adrian Tan discusses the risks that come with digitising a nation
In its aspirations to become a Smart Nation, Singapore wants to better harness technology for growth, prosperity, and human flourishing.
However, greater digitalisation also comes with greater risks. Two recent incidents underscore how events in the cyberspace can potentially have drastic impact on our daily lives.
Between 2019 and late 2020, hackers exploited a vulnerability in a widely used network management software called SolarWinds. This allowed them to implant a backdoor and gain access to sensitive information and systems of about 18,000 organisations. The breach was significant not only in terms of its scale, but also its ability to evade detection by directly targeting cybersecurity software.
Last year, the IT systems of one US’s most vital oil pipeline – Colonial Pipeline – were infected with ransomware. This led to the shutting down of pipelines all along the US East Coast, affecting access to petrol, jet fuel and home heating for thousands of airlines and consumers.
When the digital world promises so much, it is easy to think of cybersecurity and data protection as obstacles or barriers that stand in tension to the benefits of digitalisation, or a cost to innovation and economic interests from a business perspective.
But the truth is, none of benefits of digitalisation can be harnessed if we are the victims of debilitating cyber-attacks that disrupt our essential services, or if our companies are regularly held at ransom by malicious actors. All these incidents erode the trust that is essential for the realisation of the benefits of our digitalisation. We must therefore think of cybersecurity and data protection as enablers – things that we must do so that good things, like economic growth and human flourishing can continue to take place in the digital space.
Three key approaches to address cybersecurity risks in Singapore:
- The first area that are actively looking at is to ensure that laws can keep up with evolving technologies and cybersecurity threats.
- The Cybersecurity Act currently provides with a legal framework to secure and protect our Critical Information Infrastructure, which are key to delivering essential services such as water and power.
- This is currently being reviewed and are planning to expand the Act’s mandate to cover foundational digital infrastructure and key digital services. These are important enablers for Singapore’s digital future, as more transactions and communication will take place online.
But given the global and cross-border transnational nature of cyber threats, we need to look beyond borders and shape rules, norms, and standards at the international level. A rules-based multilateral order in cyberspace is vital to foster trust and confidence between States and ensure that we have an open, stable, secure, and interoperable ICT environment. This ensures that the cyberspace will not be a domain where might make right.
Singapore has been actively participating in cyber discussions at the United Nations through the inaugural UN Open-Ended Working Group (OEWG) and the sixth UN Group of Governmental Experts (GGE).
It is part of the process to negotiate and seek adoption of the consensus reports and re-affirm the UN Member States’ commitment to the cyber stability framework.
Since last year, Singapore’s Permanent Representative to the UN in New York Ambassador Burhan Gafoor has also been the Chair of the OEWG on Security of and in the use of ICTs.
Laws and regulations are one approach in our toolkit. We also need and want to empower all enterprises and individuals to take greater ownership over their digital safety and security. Everyone a stake in making the online community safe for all Singaporeans.
As part of the broader Safer Cyberspace Masterplan, there was a launch of the SG Cyber Safe programme last year to help enterprises strengthen their cybersecurity awareness and adopt appropriate cybersecurity measures.
It can be confusing for enterprises to navigate through the various cybersecurity measures and solutions, especially for those that are just starting out on this journey. For this reason, our initiatives such as the Cybersecurity Toolkits provide tailored guidance for different enterprise stakeholders.
Singapore also wants to promote greater trust and transparency between enterprises and their vendors and suppliers, particularly since these third parties can be an additional source of cybersecurity risks. The Cyber Essentials and Cyber Trust marks are good ways to provide assurance that their customers’ data and IT systems are well protected.
Besides enterprises, as internet users and consumers, also play an important role in practising good cyber hygiene. Last year, Singapore embarked on a national awareness campaign called “Better Cyber Safe Than Sorry”. This campaign shares ways through which we can better protect our personal data and devices.
It will be pushing out more campaign publicity on social media platforms and television channels later this year.
One common theme across all its initiatives is that the Government cannot do everything on our own. Cybersecurity is a team sport, and public-private partnerships are key to address emerging and evolving threats.
One group of partners that it has been working closely with are local hardware manufacturers. Together, it has developed the Cybersecurity Labelling Scheme (CLS) to help consumers make more informed decisions when purchasing computer products.
Consumers and manufactures have shown support for CLS. There are now close to 150 products on the scheme, including smart home appliances and smart locks, and we expect many more coming onboard in the following months.
The legal fraternity is seen as a key partner in cybersecurity as well.
In the review of the Cybersecurity Act, it will consult with a wide range of stakeholders on the proposed amendments, given that the changes will have uneven impact across different industries. Singapore will seek the legal industry’s views and my colleagues will share more details with you in due course.
Many will also collect commercially sensitive information that need to be protected. As trustees and guardians of these data, we encourage firms in the legal fraternity to consider attaining the Cyber Essentials and Cyber Trust marks, which will provide added assurance for your clients. The certification will also be a good way to differentiate yourself from your competitors.
The Law Society has been supportive of efforts to uplift cybersecurity for local enterprises and is on board the SG Cyber Safe Partnership programme to drive this collectively.
It is important to tap on each other’s expertise to tackle more complex cybersecurity challenges.