Taking the Lead on Regional Infocomm Security

Mrs Tan Ching Yee, Chief Executive Officer Infocomm Development Authority of Singapore  Keynote - CSI-Asia Computer Security Conference, Suntec International Conventional and Exhibition Centre, Ballroom 1

Mrs Tan Ching Yee, Chief Executive Officer
Infocomm Development Authority of Singapore 
Keynote - CSI-Asia Computer Security Conference, Suntec International Conventional and Exhibition Centre, Ballroom 1
Singapore, 20 October 2004

Mr Chris Keating, Director, Computer Security Institute
Mr Philip Khoo, Publisher, Computer Security Institute-Asia
Colleagues from the industry
Ladies and gentlemen

1. Today marks the inauguration of the CSI-Asia Computer Security Conference in Asia. Singapore is proud to play host to the world's largest computer security event and I am delighted to be here. With a stellar line-up of 12 global expert speakers, I am confident that everyone will gain some very useful insights in successful security management over these two days.

2. We live in a highly connected world today. "Computer security" really means "network security". This has two implications. Firstly, the network is only as strong as its weakest link. Vulnerabilities can be found in hardware, software, business procedures and what experts call "social engineering" - compromises by the people who run the networks.

3. Secondly, there is no one single "magic bullet" which we can deploy to ensure security. Many parties have to work together, and many pieces of the puzzle must "click" to present an impregnable front to cyber-attacks.

4. In Singapore, given the pervasiveness of computer usage, there is a heightened awareness of cyber threats. Many organisations and businesses are beginning to take Infocomm security more seriously. Many decision makers and IT professionals are also making these issues one of their top priorities.

5. The Ernst & Young Global Information Security Survey for 2004 found that after hardware failure, major virus, trojan horse or Internet worms was the number two cause of system downtime in the past year. The survey also revealed that companies are mounting multi-faceted strategies to counter these security concerns, like setting up their incident response teams to handle security incidents, conducting vulnerability and penetration assessments periodically and ensuring an adequate level of protection to defend against external attacks.

The Role of CERTs - Vigilance and Timely Response

6. In the fight against cyber threats, continuous vigilance and early detection are key. The Singapore Computer Emergency Response Team (SingCERT) was set up in 1997 to facilitate the detection, resolution and prevention of security-related incidents on the Internet.

7. Beyond its work in Singapore, SingCERT has forged strong relationships and collaborations with their foreign counterparts. Last month, a university network in Australia came under attack by an army of zombie PCs that were controlled by a server hosted in Singapore. The server, which was found to be compromised, turned out to be the master of a botnet with 10,000 zombie PCs. SingCERT was alerted by the Australia Computer Emergency Response Team (AusCERT), its counterpart in Australia and took immediate steps to work with the hosting service provider to take down the server. This prevented further attacks on the victim. This is an example where years of working together between AusCERT and SingCERT have paid off.

8. In recognition of the importance of international collaboration in ensuring Infocomm security, SingCERT is a founding member of the Asia Pacific Computer Emergency Response Team (APCERT) initiative since 2002 and serves on its steering committee. The purpose of the APCERT is to encourage and support the cooperation between national CERTS in the Asia Pacific region. APCERT maintains a trusted network of computer security experts in the Asia pacific region to improve the region's awareness and competency in relation to computer security incidents.

9. SingCERT has also shared its experiences with its counterparts in the ASEAN region on capacity-building. In August this year, Singapore collaborated with the APCERT and organised a CERT training workshop to help ASEAN member countries like Cambodia, Laos, Myanmar and Brunei enhance their CERT capabilities. To promote collaboration among the CERTs in this region, SingCERT has also developed a "Minimum Performance Guideline for Setting up of a National CERT" and "Guidelines on Information Sharing".

10. Come June 2005, Singapore will play host to the FIRST annual conference. FIRST or the Forum of Incident Response and Security Teams is a global organisation for computer incident response teams and Singapore has been a member country since 1998. This will be the first time the conference is held in Asia and we look forward to a rich exchange with other CERTs in the world.

Common Criteria Recognition Arrangement - Improving Market Access for Local Infocomm Security Products

11. Even as we speak of cyber threats and Infocomm security, there are business opportunities. According to IDC, global corporate spending for IT security and business continuity solutions is expected to hit US$155 billion in 2006.

12. In the Asia Pacific region excluding Japan, the security solutions market is forecast to increase from US$1.9 billion in 2003 to US$4.9 billion in 2008, increasing at a 5-year Compound Annual Growth Rate (CAGR) of 21%. The ASEAN market for Infocomm security solutions is also expected to grow, from US$250.3 million in 2003 to US$782.9 million in 2008 at an even higher CAGR of 25.6%.

13. Singapore companies are well-placed to benefit from these opportunities. As Infocomm security products are essentially built on trust, products that have received a recognised "assurance mark" will have a higher chance of success in the market. After consultation with the industry, IDA has decided that Singapore (through IDA) will participate in the Common Criteria Recognition Arrangement or CCRA by the end of the year. As required by the CCRA, Singapore will first join as a Consuming Participant by January 2005. IDA is working with PSB Certification, who will take the role of Certification Body, to set up a local Common Criteria Scheme. IDA is also in discussion with a few foreign Evaluation Facilities to set up local facilities. We aim to become a Certificate Authorising Participant by the year 2006.

14. This is another step forward in our efforts to promote the development of security products in Singapore. Once the Certification Body and the Evaluation Facilities have been set up, solution providers will be able to obtain the necessary Common Criteria certifications for their security products here, and have the certification recognised and accepted worldwide. The certifications will help solution providers to enter countries which mandate the use of Common Criteria, such as Australia, Canada, the United Kingdom and the United States.

15. For the Singapore industry, IDA plans invite product vendors to submit their products for certification. IDA will co-fund the initial few product certifications, especially when the local scheme is in its infancy stage.


16. Security need not be all about vigilance, caution and high technology. It is also about human factors, business processes, and new business opportunities. I hope that you will have the opportunity to exchange ideas with other participants here and to benefit from the insights of the speakers.

17. May I wish you a fruitful and secure conference.