22 March 2010 - Speech By Mr Peter Ho, Head Of Civil Service, And Chairman, National Infocomm Security Committee, At The Information Security Seminar, Suntec Singapore International Convention & Exhibition Centre
Speech By Mr Peter Ho, Head Of Civil Service, And Chairman, National Infocomm Security Committee, At The Information Security Seminar On 22 March 2010, 9.20am, At The Suntec Singapore International Convention & Exhibition Centre
Acting Minister, Mr Lui Tuck Yew,
Ladies and Gentlemen,
1. Infocomm technology is a key engine that powers our economy. Many sectors leverage on IT extensively, such as the banking and finance sector, the transport sector and the Government. This means that infocomm security is critical to our economic well-being and everyday life. Hence, governments around the world consider infocomm security as a strategic priority.
2. The National Infocomm Security Committee has overseen the development of two Infocomm Security Masterplans over several years. These plans were the result of collaborative efforts led by IDA together with various public and private organisations. These plans have factored in the needs and priorities of the public, private and people sectors. Minister Lui has highlighted programmes aimed at strengthening the security of the internet infrastructure, the public sector, businesses and end-users. With infocomm security threats constantly changing, the public sector, like the people and private sectors, must keep its guard up. Defences against infocomm security threats must be continuously upgraded. It is a war without end. Let me elaborate.
Infocomm Security in the Singapore Government
3. The Singapore Government is recognised to be among the most IT-enabled in the world. In the recent 2010 Waseda University International e-Government Ranking, Singapore emerged top for the second time. It reflects the Government's commitment to leverage on infocomm technology for greater productivity and more efficient service delivery.
4. With the widespread use of IT, it is important to treat infocomm security not as an obstacle but as a competitive advantage. It must be part and parcel of any good IT system. Of course, organisations must strike the right balance between business needs of efficiency and productivity, and security requirements.
5. In Singapore, various security measures to protect the public sector IT infrastructure have been put in place over the years. Some of the major initiatives implemented under the Infocomm Security Masterplans include the Cyber-Watch Centre, the Threat Analysis Centre and the Security Health Scorecard.
6. These initiatives have collectively enhanced our situational awareness, and boosted our ability to respond to cyber incidents. The Government is now able to monitor, collect, collate and analyse cyber threat information and data on a 24/7 basis. We are also able to notify government agencies, in real-time, on significant impending or on-going security events so that mitigation measures can be effected in a timely manner.
7. With the establishment of the Standard ICT Operating Environment (SOEasy), 60,000 public sector officers across 75 agencies in the Singapore Government will be connected within a robust, innovative and flexible infocomm environment. This single environment consolidates all IT services and harmonises the desktop, messaging and network environments across all government agencies.
8. SOEasy allows for a higher level of infocomm security to be achieved. Security policies can be standardised and consistently implemented across the entire environment. Security updates and patches can also be expeditiously applied across government agencies in a non-intrusive manner. However, this will not absolve public sector infocomm users from their personal responsibility in complying with sound infocomm security practices. Let me illustrate this point.
9. The distributed-denial-of-service (DDoS) attacks on South Korea last year were caused by hundreds of thousands of computers that were remotely controlled by hackers, without the knowledge of their owners. These compromised computers made probably hundreds of thousands of simultaneous requests to online services, crippling their ability to handle legitimate requests. These services thus became inaccessible. Hackers took control of computers by tricking users into downloading malicious software. Users who are aware and adopt good security practices will avoid being tricked. Instead, they will be better able to protect themselves online, minimising the risk that their computers will be compromised. Hence, this will contribute to improving the overall security health of our cyberspace.
10. Government agencies have taken up ownership of their security awareness programmes, developing and carrying out customised awareness and outreach programmes to their own user community. Centrally, IDA develops resources and collaterals for agencies' use and provides advisory support.
11. According to the Annual Public Sector Infocomm Security Awareness Survey by IDA in 2009, 75.5% of the respondents were sufficiently aware of essential security practices, as compared with 64.95% from the previous survey. Despite the improvement, I encourage all public sector agencies to continue with their efforts to educate officers on infocomm security. While policy and technology can help to mitigate against cyber threats, it is the users' behaviours and actions that ultimately determine the effectiveness of the infocomm environment's security.
Developing Greater Infocomm Security Capabilities
12. As cyber security threats evolve, it is vital that security measures against these threats are continuously updated and enhanced. In this regard, key capabilities to achieve greater security situational awareness and to mitigate against cyber threats such as DDoS attacks have been identified as priority needs under our 2nd Infocomm Security Masterplan.
13. With the availability of richer and more extensive information on the prevailing security situation, the ability to get the right information to the decision-makers in a timely manner is further enhanced. The Government will put in place advanced business analytics tools to improve the collation and analysis of such security information.
14. Consequently, through aggregating existing information of cyber security threats impacting the Government and combining that with international threat analysis and prediction, a dashboard view of security-related information can be presented to policy and decision makers and security managers to facilitate security planning.
15. There is also an immediate need to address the threat from massive cyber attacks which has increased significantly, as such attacks have become more prevalent and massive in scale. Globally, we now see more government websites being targeted by such attacks.
16. The Singapore Government aims to address this threat through a combination of technical controls, policies and competency-building. Technical controls afford the means to develop specific capabilities to mitigate against these threats. Policies support the establishment of infocomm security best practices and procedures that reduce the risk of such threats. Competency-building helps to further sharpen skills and ability of our infocomm security officers in detecting, analysing and responding to such threats. Having a combination of all three will enhance our capabilities to mitigate against massive cyber attacks.
17. These new programmes to enhance security of the public sector under our 2nd Infocomm Security Masterplan will be rolled out progressively from this year. Infocomm security is a strategic enabler and there must be sustained effort to proactively fine-tune and enhance our capabilities amidst the evolving infocomm security climate. Even as the Singapore Government has developed strategic capabilities over the years, we must continue to stay vigilant and committed to strengthening our infocomm security measures.
18. Thank you.