22 February 2005 - Keynote Address By Mr Peter Ho, Permanent Secretary (Foreign Affairs), Permanent Secretary (National Security & Intelligence Coordination) and Chairman, National Infocomm Security Committee At Infocomm Security Seminar 2005, The Auditorium, Matrix Building, Biopolis.
1. DPM Tan has already explained the rationale behind the need for the Infocomm Security Masterplan, and has spelt out its objectives. I shall now explain our strategy to achieve the goals of the Masterplan.
2. First, we should remind ourselves that infocomm security is not a new area of concern for Singapore. Since the early days of computerisation in Singapore, emphasis has been placed on the assurance of the confidentiality, integrity and availability of information, as well as the security of the underlying systems and communication networks. Infocomm security policies and guidelines have long been instituted within the government. Singapore was among the first nations in this region to establish a Computer Emergency Response Team. We established the first Public Key Infrastructure in Asia. We enacted laws that recognise the use of digital signatures. We have proactively issued guidelines and requirements for infocomm security for the banking and finance sector in Singapore.
3. But given our country's reliance on infocomm technology, the rising number of cyber attacks threatens our infocomm environment. Inaction is not an option. We need to act decisively and swiftly through a concerted and collaborative effort to boost our defences and prepare ourselves to counter those threats.
Infocomm Security Masterplan
4. The Infocomm Security Masterplan is a three-year strategic roadmap. It will guide our effort in protecting the critical information infrastructure in Singapore, and in maintaining a secure infocomm environment for the government, businesses and individuals.
5. The Masterplan was developed through a multi-agency effort led by the Infocomm Development Authority of Singapore, under the guidance of the National Infocomm Security Committee. In the course of developing the plan, many stakeholders and users were consulted over a period of 12 months. A survey of more than 500 infocomm-related companies and 83 government agencies was conducted to find out more about their infocomm security needs and concerns. Several focus group discussions with 17 companies in different business segments were conducted. Three intensive planning workshops involving 10 different government agencies were conducted. The Masterplan is indeed the product of a collective effort, and rightly so. This plan must be relevant to the needs and concerns of today and the foreseeable future.
6. The Masterplan aims to protect the critical infocomm infrastructure of the nation. Ensuring that the infocomm infrastructure in the public sector is secure and robust helps to foster a trusted infocomm environment in which businesses can thrive. The individuals are users of the infocomm infrastructure. We have to ensure that they adopt appropriate measures to protect themselves online, so that they do not become the weakest link in the infocomm infrastructure value chain.
7. The Masterplan has identified strategies to secure the infocomm environment of the people, private and public sectors. In addition, the Masterplan seeks to develop national capabilities; to enhance security technology research and development; and to ensure a reliable underlying national infrastructure.
Strategies for a More Secure Cyberspace
Securing the People Sector
8. One vital strategy is to secure the people sector. Currently, ill-informed and careless online users not only expose themselves to security vulnerabilities but also end up as the weakest links in the chain of infocomm services provided by businesses and government agencies. Through the National Infocomm Security Awareness Programme, home computer users will be educated on adopting security best practices and using appropriate security tools to protect themselves from security threats and risks. A series of public outreach and awareness promotion activities will be organised to achieve this objective. To protect our online users against identity thefts, we will further develop the concept and study the feasibility of a National Authentication Infrastructure, so that more secure e-services can be offered by the government and businesses by leveraging on a common, trusted identification and authentication framework.
Securing the Private Sector
9. Currently, the private sector owns and operates most of the national critical infocomm infrastructure, so it is important that the private sector devotes sufficient attention and effort in the security upkeep of their systems. In the past, we have focused on the physical security of this critical infrastructure. Going forward, we will need to implement complementary initiatives to assess the state of cyber security health and ascertain the resiliency of the critical infrastructure. This will be achieved through an Infocomm Vulnerability Study for National Critical Infrastructure, in which we will work with the various infrastructure owners and operators to ascertain the adequacy of their infocomm protection measures.
10. The cyber threat landscape is constantly changing. No single organisation can deal with these changes alone. Instead, collaboration among infrastructure owners, operators and government must take place. This is because separately, each of us sees only a small part of the picture and may not comprehend the full scale of malicious activities involved. Such collaboration can take place in the form of cyber threat information sharing across critical infrastructure owners and operators, managed security services providers and the government.
Securing the Public Sector
11. The government is the largest user of infocomm technologies and solutions. Over the years, much has already been invested in the security of public systems and infrastructure. However, we cannot let our guards down. Under the Masterplan, we will look at how to further improve the security assurance of infocomm technologies that the government deploys in its environment, how to measure the business continuity readiness of our critical operations, and how to measure the overall cyber security health of the government. While many government agencies already have business continuity plans in place, a Business Continuity Readiness Assessment Framework will be developed to measure their preparedness. An Infocomm Security Health Scorecard will be developed to provide an overall picture for the public sector so that common issues can be identified and weaknesses can be removed.
12. The three remaining strategies to strengthen our critical infocomm infrastructure are targeted at building a strong foundation by developing the national human and intellectual capital in infocomm security.
13. We need to groom a pool of capable and qualified security professionals who are available and qualified to drive and execute important security initiatives and projects. The development of infocomm security manpower will contribute to a vibrant infocomm security industry. This will also strengthen our attractiveness in drawing world class infocomm security companies to establish their operations here. Under the Masterplan, we will build up the nation's human capital in infocomm security by encouraging the acquisition of professional skills.
14. One critical component in developing a vibrant infocomm security industry is the quality of the products and research and development capabilities. IDA is in the process of establishing a Common Criteria Certification Scheme so that Singapore will have the capability of certifying infocomm products against the Common Criteria, an international security standard. Furthermore, IDA will work with the relevant agencies to collaborate with local and foreign research institutes and centres to help chart the R&D roadmap for the country. This will ensure that while we deal with current infocomm security threats and issues, we are also equipping ourselves with the knowledge to deal with threats and challenges of the future, and positioning to exploit new technologies as they emerge.
15. The critical infocomm infrastructure of the nation is the nerve centre of our nation's economy. The failure of the nerve centre can paralyse the country. The Masterplan seeks to secure this national infrastructure proactively by ensuring that vulnerabilities are reduced and threats are detected early. Therefore, there is a need to improve the nation's real-time situational awareness of cyber threats and trends, by building new capabilities as well as consolidating and expanding several government efforts currently in operation. This will be achieved through the National Cyber-threat Monitoring Centre, which will provide a central facility to maintain round-the-clock vigilance and analyse threat information.
Everyone Has a Part to Play
16. At today's seminar, we are happy to have leaders, key executives and managers with us. As the leader of your organisation, you must take the lead to be responsible for the security of your organisation's assets, including the security of your network, infocomm systems and data. You may delegate the authority, and you may outsource the work, but ultimately, you are fully accountable if the security of your data, systems or infocomm infrastructure is compromised.
17. You have to understand and appreciate the potential cascading effects of infocomm security lapses. It is easy to assume that the consequences of inadequate security in your organisation are confined to your environment. But the truth is that our networked infrastructure has become increasingly inter-dependent and inter-connected. A cyber security incident in one organisation could very likely have a ripple effect across other infrastructures and systems.
18. Public sector officers should keep in mind that the government is highly dependent on infocomm systems and networks to deliver its services to businesses and individuals. The security and resilience of the government infrastructure is not just a matter of public interest. In some parts of the government, it is also of national security importance. This is why the Masterplan has devoted a significant amount of resources to the public sector.
19. Infocomm solution providers should also accord high priority to security in the products and services that are offered. Sloppy software code and bad practices are the root cause of many security vulnerabilities. Security should not be an after-thought in the design and implementation of infocomm systems. For those who have the necessary expertise and experience, we look forward to partnering with you for your professional services and solutions.
20. The Masterplan has something for everyone, down to the individual. Your role is to be a responsible and secure user of infocomm technologies. You can achieve this by keeping up to date with safe infocomm practices.
21. In closing, I would like to re-iterate that enhancing the infocomm security, resilience and preparedness of the nation is a journey without end. This Masterplan is a major step forward in that journey. Just as technology will evolve and develop, the infocomm environment and the threats that it faces are ever changing. We foresee our Masterplan to be a long running process of re-evaluation, re-assessment and re-adjustment in order to provide adequate protection to our information assets and infocomm investments. I look forward to your commitment and contribution to help us secure the cyberspace.
22. Thank you.