Assessing Singapore's Cyber Manifesto
Education, Partnership, Commitment Are Key
Singapore's Infocomm Development Authority has spelled out a three-pronged approach to implement its National Cyber Security Master Plan 2018. But are the objectives and milestones realistic? Information security experts weigh in with their candid reactions.
"It's hard to see if it's practical, as it's subjective," says InfoSec expert Anthony Lim, vice chairman, advisory council, application security at (ISC)², the global information security training and certification organization. "We can never have the whole picture of what's in the government's mind. In any case, there is always a trade-off between security and convenience; hence, a balance is necessary as new needs appear."
Released at the end of 2014, IDA's new NCSM 2018 aims at three areas: enhancing security and resilience of critical infocomm for Singapore; reinforcing cybersecurity awareness programs; and growing Singapore's pool of infocomm security experts with an emphasis on the public-private partnership model.
This latest document is the third InfoSec master plan released since 2005. The first, released in 2005-2007, initiated efforts toward a secured infocomm environment by first making the government's infocomm more secure. The second master plan in 2008 included critical infocomm infrastructure, or CII, to make Singapore a 'secure and trusted hub'.
The NCSM 2018 is the latest five-year plan to enhance the cybersecurity of Singapore's public and private sectors. In addition to government and critical infocomm infrastructure, its scope has now been broadened to take into consideration businesses as well as individuals.
In announcing the latest plan, Dr. Yaacob Ibrahim, Singapore's minister for communication and information, cited the need to grow Singapore's pool of infocomm security experts and build their capabilities to defend network infrastructure from cyberthreats. He defined the plan's mission of enhancing Singapore's cybersecurity capabilities in four areas: the government, CII, businesses and individuals.
"Singapore's security measures must evolve, keeping pace with the changing infocomm environment," he said. "Guided by NCSM 2018, the government will work closely with the private and public sectors, further upgrading and strengthening cybersecurity capabilities so that Singapore will be able to deal with cyberthreats effectively."
So, how will this new master plan get implemented?
According to the IDA, the first step is to enhance the security and resilience of CII. This includes implementing a CII Protection Assessment Programme to identify vulnerabilities and gaps and facilitate strengthening of CII.
Secondly, IDA will increase efforts to promote adopting security measures among individuals and businesses through online platforms, road shows, educational and current affairs programs, as well as collaboration with industry and trade associations and evolving information-sharing processes.
The third step is to grow Singapore's pool of infocomm security experts. "IDA will work with Singapore's institutes of higher learning to include infocomm security courses and degree programmes into the curriculum, besides working with industry partners to attract and retain skilled professionals," says an IDA spokesperson.
Responding to the new master plan, Lim says he hopes it has considered new aspects, including enhanced mobile services, cloud, Internet of Things and smart city/smart nation, each of which could throw up challenges.
He says the earlier plan focused on education, training and awareness. The new plan focuses on testing and assessing processes and contingencies, as well as threat analysis and cyber-surveillance - a realistic approach.
Experts say the right approach for implementation is to have physical resources - a department led by a team, funds, the right equipment, intelligent marketing and effective security tools plus education and influence - to create a cyber-resilient enterprise. "There should be policies and processes to audit and a QA of the initiative to ensure it's going in the right direction, consuming the right resources, having the right relationships and achieving the desired goals," Lim says.
Jonathan Tan, managing director-ASEAN at Palo Alto Networks, lists his prescribed measures for achieving mission needs:
- A security posture covering all bases - the network, cloud and the endpoint (mobile);
- Visibility, giving security teams the ability to see what's happening in real time on the network, so they can take appropriate action;
- Encouraging enterprises to change from the traditional "detect and remediate" approach to a "detect and prevent" posture;
- Awareness about the inability of older cybersecurity products to protect against today's more sophisticated cyberattacks;
- Fool-proof options to transition to a next-generation security platform, providing security for all applications, networks and endpoints, on or off premises;
- Education - the workforce is any organization's first line of defence.
"On a larger scale, it's important to grow a pool of experts and partner with higher learning institutes to update and strengthen their curriculum with the latest technologies and techniques," Tan says.
While IDA's focus is on the public/private partnership model, critics say it will take time, education and trials to develop this model, so it's hard to say how efficient it will be.
In response to critics' concerns, IDA's spokesperson vouches for the policy's pragmatic approach in roping in the necessary processes and procedures.
In the public sector, IDA is upgrading the Cyber-Watch Centre to strengthen the government's detection and analytical capabilities. According to the spokesperson, this upgrade will allow the team to better monitor government websites and inspect if there are malicious activities that could affect access to online public services.
In addition, the government will appoint chief information security officers to strengthen infocomm security governance across government agencies. The IDA will also be setting up a Monitoring and Operations Control Centre to provide the government with a full suite of capabilities to guard against security threats and respond to them in a timely manner.
For the public sector, the government's focus will be on providing proactive defence-in-depth to mitigate attacks, upgrading of existing detection and analysis capabilities, as well as strengthening preventive and recovery measures.
In a new initiative, the National Cybersecurity R&D Programme seeks to develop R&D expertise in cybersecurity and improve cyber-infrastructure, with emphasis on reliability, resiliency and usability. The programme, involving NRF, MINDEF, MHA, NSCS, IDA and EDB, promotes collaboration among agencies, academia, research institutes and the private sector.
"A five-year S$130 million fund has been committed for research in both technological and human-science aspects of cybersecurity, complemented by studies into cyberspace governance and policy research," the IDA spokesperson says.
Under the initiative, Singapore Institute of Technology will launch Singapore's first undergraduate information security program in September. Nanyang Technological University will include an information security specialization programme in its undergraduate curriculum in August. IDA and the National Research Foundation will run a scholarship programme, sponsoring more than 30 postgraduate candidates for research in cybersecurity.
"We are increasing our thrust on effectively implementing the PPP [public-private partnership] model," IDA says. "IDA and other like-minded members formed the Cyber Security Awareness Alliance in April 2008 to increase awareness on cybersecurity issues and best practices."