The state of cyber security in Singapore

Cyber attacks have been on the rise in Singapore since 2017, following the breaches of SingHealth, Sephora, AXA Insurance, Uber and Red Cross, alongside the leaking of Singapore HIV data and security scares at the Ministry of Defence and Singapore Armed Forces.

Once a global problem, the city-state has become a hotbed for hackers due to the wealth of riches on offer, with Prime Minister Lee Hsien Loong also on the target list.

In light of such breaches, Huang Shao Fei, president of Cybersecurity Chapter at the Singapore Computer Society, assesses the security threats set to impact the city-state in 2020. “The most dangerous concerns in the market today are supply-chain cyber security threats,” Huang observed. “This is in addition to unconventional, chain-linked threats that do not depend on one single attack vector. In particular, supply-chain threats include Tier 2 and Tier 3 suppliers and sub-contractors that could compromise security, with organisations being the last one to find out they’ve been compromised.”

Since launching in 1967, SCS has evolved into a leading digital media professional society in Singapore, housing more than 33,000 members through 16 specialist divisions. Alongside holding responsibilities for the cyber security chapter in the city-state, Huang is also the chief information security officer (CISO or CSO) of the Land Transport Authority of Singapore (LTA). This is in addition to concurrently holding the position of director for Cybersecurity and Data Science, as well as overseeing IT governance and strategy.

In occupying dual executive roles, Huang is well-placed to assess the state of cyber security in Singapore, as well as how to leverage emerging technologies to combat rising threat levels.

“Machine learning, while relatively nascent at this stage, has great potential in detecting supply-chain and non-conventional threats,” he assessed. “Also, blockchain technology has the potential to mitigate some supply-chain risks. … But I do not pursue technology for technology’s sake. Rather, the litmus test of any potential security investment lies in whether it delivers value to the organisation’s mission and priorities, in addition to a robust cost-benefit assessment (CBA) performed together with relevant stakeholders in the organisation. … Secondly, it is important to have a comprehensive cyber security strategy encompassing all parts of the organisation, backed by a risk assessment framework to aid investment decisions.”

The average cost of a cyber security attack for organisations in Singapore stands at approximately S$1.7 million per breach, with the city-state housing the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

According to McAfee Cyber Resilience Report findings — which surveyed 480 cyber security decision-makers in the region — estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

In response, 92 per cent of Singaporean organisations revealed plans to invest more in cyber security in 2020, with plans in place to leverage external expertise such as solution providers (68 percent), system integrators (58 percent), vendors (57 percent) and consulting firms (52 percent).

“The biggest challenges for CISOs lie in managing expectations from the executive board and establishing a cyber security program with limited budgets to meet those expectations,” Huang added. “The role of the CISO is no longer a functional one and will include that of a security architect, backed by deep, technical knowledge and skills.”

Huang’s journey as CISO

“I started coding, disassembling and hacking computer games on an IBM XT when I was about 11 years old,” recalled Huang, speaking to CSO ASEAN. “Later, I grew out of playing computer games and my security interests shifted towards computer networks and systems. There was no going back after that, I was going to make my hobby my career.”

Huang studied Mechanical Engineering at the University of Tokyo under a scholarship awarded by the Singapore and Japan Governments. Upon graduating in 1998 and the subsequent completion of his national service in the Singapore Army, Huang started his career as a policy executive in the Ministry of Home Affairs.

“It was sheer luck on my part that I discovered there was a job opening in the Ministry of Defence for a new IT security role,” he recalled. “During those days, IT security jobs were rare and such opportunities were closely-guarded and need-to-know.

“Several years later, I joined the Infocomm Development Authority and as a mechanical engineer by training with a passion for IT security, I eventually joined the Land Transport Authority as the organisation’s work resonated and aligned with my professional and personal objectives.”

Specific to SCS, Huang has helped nurture and develop “win-win partnerships” with industry, academia and the start-up community in Singapore, as well as developing initiatives capable of growing the nation’s cyber security ecosystem.

The challenges of security staffing

One such initiative is the Cybersecurity Career Mentoring Programme jointly developed by SCS and Cyber Security Agency (CSA), which aims to help young aspiring professionals and tertiary students in their cybersecurity career discovery journey.

“The most difficult roles to fill are those that require industry-specific domain knowledge, such as cyber security professionals with engineering experience or knowledge of rail systems or of automotive platforms,” he said.

“Additionally, it is challenging to fill cyber security roles that require deep technical skills such as cyber forensic investigators, threat-hunting specialists and security operations centre (SOC) analysts.

At the higher level of the cyber security career spectrum, Huang also acknowledged the difficulty in recruiting CISOs at director level, especially in roles which demand substantial years of relevant industry experience and alignment with the organisational culture.