Opening Address by Ms Jacqueline Poh, Managing Director, Infocomm Development Authority of Singapore, at the Opening of the DigiSAFE Cyber Security Centre

6 June 2014 - Opening Address by Ms Jacqueline Poh, Managing Director, Infocomm Development Authority of Singapore, at the Opening of the DigiSAFE Cyber Security Centre, Devan Nair Institute of Employment & Employability on 6 June 2014 at 9.15am.

Mr Lau Thiam Beng
Deputy President (Operations), ST Electronics

Ladies and Gentlemen,

Good morning

1. It is my pleasure to join you for the opening of the DigiSAFE Cyber Security Centre. It is also very timely that I am standing here with you today.

New World, New Risks

2. In today's converging media landscape, the Internet as a platform has become fraught with vulnerabilities. You will be familiar with the incident we reported just days ago involving the SingPass system. A number of SingPass users had received a SingPass Password Reset Notification Letter even though they did not request for any password reset. IDA's preliminary investigations revealed that about 1500 users' IDs and passwords had potentially been accessed without the users' permission.

3. Of these, about 400 passwords were also reset triggering these SingPass Password Reset Notification Letters that were sent to the registered address of the actual account holder, and thereby alerting us. The matter is currently under investigation, but after various checks, there is no evidence that the user credentials were obtained from within the SingPass IT system though they were subsequently used to access it. All affected users should have already been contacted.

4. This incident brings to the fore the immense importance of information security in cyber space. IDA is currently in the process of refining the SingPass system and users can look forward to an enhanced version to be ready in 2015. A tender for the next version of SingPass was called in June 2013 with the option to offer 2FA gateway and was awarded to Accenture in April this year. We are seriously considering more extensive use of two factor authentication (2FA) for e-government transactions and other options for usernames instead of NRIC, particularly for those involving sensitive data. Of course, all the changes we make have to balance the usability and security of the system especially for one that is used by so many Singaporeans.

5. Other Internet vulnerabilities have made the news this year. In early April, the world was rocked by the announcement of the Heartbleed Vulnerability in OpenSSL. Initially thought to affect two-thirds of the world's websites, governments, corporations and tech giants, including cyber security firms, scrambled to deploy patches and apply other remedies.

6. Also evident in recent times - the dramatic increase in the potency of Distributed Denial-of-Service (DDoS) attacks, due to the wider adoption of two attack methods: large synchronisation packet flood (SYN flood) and network timing protocol (NTP) amplification attacks. In February 2013, researchers[1] tracking the DDoS landscape recorded the largest of such attacks at four Gigabits per second (4Gbps). By July 2013, they were at 60 Gigabits per second and larger DDoS attacks had become a weekly occurrence. The very same researchers reported witnessing a NTP amplification attack peaking at 180 Gigabits per second by February this year. Other reports[2] have highlighted the simplicity of launching NTP attacks of 400 Gigabits per second. And just as we are grappling with the mayhem of such attacks, pundits are now setting their sights on the SNMP protocol[3], touted to have a theoretical 650 times amplification factor!

7. Consequently, organisations, including governments, have become more wary of the potential costs of cyber attacks. A survey of companies around the world by PricewaterhouseCoopers found that the frequency of attacks and their costs to organisations have risen by 25% and 18% respectively. Attack sophistication has also risen drastically, with online black markets offering automated attack tool-kits, zero-day vulnerabilities and hacking services, which come with support services and a helpline, to anyone willing to pay.

Developing Cybersecurity Manpower

8. With the understanding that cyberspace is fundamentally challenging to defend, now is the time to recognise the importance of having a corps of skilled cyber security specialists. There is ready demand for such specialists in government and in the corporate world. Along with the anticipated doubling of our cyber security market, from $63.7 billion Singapore in 2011 to $120 billion in 2017[4], the outlook for cyber security as an industry appears very optimistic.

9. Developing our cyber security human capital is a key thrust of the National Cyber Security Masterplan launched in July 2013. Under this Masterplan, we offer scholarships to encourage students to specialise in cyber security and work with Singapore's Institutes of Higher Learning to offer infocomm security courses and degree programmes. We will also continue to welcome other initiatives from the education and private sectors that will help Singapore increase its pool of cyber security professionals and upgrade their competencies to meet fast evolving challenges.

10. I am pleased, therefore, that the ST Electronics DigiSAFE Cyber Security Centre will take us a step forward toward this objective in three ways: first, it will cater to those who are new to the field, such as individuals seeking a mid-career change. Second, it will help upgrade the skills of existing cyber security professionals and thirdly, it will hone the skills of companies' cyber security staff through cyber exercises.

11. The DigiSAFE Cyber Security Centre will be an important contributor towards nurturing more highly-skilled cyber security experts for Singapore and we hope it will inspire more initiatives to do the same. But even as we strive to train more cyber security experts, this education must be accompanied by appropriate ethics education instructions to ensure that they do not use their new-found skills for nefarious purposes. I am delighted that ST Electronics and Nanyang Polytechnic will be cooperating on the joint promotion and delivery of co-developed courses to industry and students respectively, and that this MOU will be signed at this event.

Conclusion

12. In order to tackle the multifaceted threats exploiting the Internet, we must all play our part not just as service providers and educators, but also as users and role models to our loved ones. It is only by lifting awareness and encouraging positive security behaviour of all Internet users and increasing the numbers and skills of our experts that we can together enhance the security and trustworthiness of our cyber environment.

13. In this spirit of collaboration, let me wish the DigiSAFE Cyber Security Centre every success! Thank you.

Notes to Editor:

[1] http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-volumes/105069

[2] http://threatpost.com/400-gbps-ntp-amplification-attack-alarmingly-simple/104256

[3] http://threatpost.com/400-gbps-ntp-amplification-attack-alarmingly-simple/104256

[4] http://www.globaltimes.cn/content/831679.shtml

LAST UPDATED: 13 MAR 2023