Singapore government remains ‘juicy target’ for cyber attackers

The Singapore government has been a “juicy target” for cyber attackers and attempts to breach into its system are a given, said Singapore’s minister-in-charge of the country’s smart nation initiative, Vivian Balakrishnan.

Speaking at the Stack 2020 developer conference organised by the Government Technology Agency (GovTech) today, Balakrishnan, who is also foreign affairs minister, said he has seen attacks on government systems, which are being addressed by baking security into the design and implementation process.

He was responding to a question from a conference participant on how GovTech incorporates security features into its systems and ensures that privacy questions do not slow down innovation.

Balakrishnan said the government also needs to be prepared to quickly iterate and improve systems whenever it detects problems. It is also looking increase bug bounties significantly in its vulnerability disclosure programmes, because the cost and impact of security breaches is potentially tremendous, he added.

“We must remain open, we must listen, we must take feedback, and we must be prepared to reward people who give us tips, or who inform us of any vulnerabilities and leaks,” Balakrishnan said.

In late 2019, nearly 300 white hat hackers from around the world participated in GovTech’s third bounty programme, testing 13 public government ICT systems, digital services and mobile applications.

The hackers discovered a total of 33 valid security vulnerabilities and earned $30,800 in bounties – financial incentives awarded for submitting valid security vulnerabilities – making this the most successful programme to date for the agency.

Weighing in on the government’s approach to cyber security, Chan Cheow Hoe, government chief digital technology officer at the Smart Nation and Digital Government Office and deputy chief executive of GovTech, pointed out the importance of full-stack security.

“In the past, the focus was very much on infrastructure – secure the perimeter, build as many firewalls as possible, and life was good, but not any more,” said Chan.

“The whole concept of full-stack security becomes important, whether it’s through DevSecOps, whereby a lot of security features are built into the entire CI/CD [continuous integration/continuous delivery] platform, or application security, which is probably one of the most under-emphasised developments today.”

Chan said GovTech’s efforts to adopt full-stack security are underway, with DevSecOps capabilities already built into the Singapore Government Technology Stack (SGTS), which comprises a container-based platform, shared middleware such as centralised application programming interface (API) gateways, and a library of commonly used microservices such as payment and authentication.

In February 2020, the Singapore government said it would set aside S$1bn over the next three years to build up its cyber and data security capabilities, to safeguard citizens’ data and critical information infrastructure (CII) systems.

This was followed by the launch of the Safer Cyberspace Masterplan in October 2020, which aims to raise the general level of cyber security for individuals, communities, enterprises and organisations.

The masterplan comprises three strategic areas: securing Singapore’s core digital infrastructure, safeguarding cyberspace activities and empowering a cyber-savvy population.