MDDI's response to PQs on Impact of Crowdstrike Outage on SG Gov Services
Parliament Sitting on 7 August 2024
QUESTION FOR ORAL ANSWER
*5. Mr Ang Wei Neng asked the Minister for Digital Development and Information (a) how many websites or phone applications of Government and statutory boards were affected by the recent outage on 19 July 2024 that was caused by a software update; (b) how long the affected websites or phone applications took to be restored to normalcy; and (c) what are the lessons learnt from the said outage.
*6. Mr Don Wee asked the Minister for Digital Development and Information (a) how many Government agencies were affected by the software update from cyber-security firm CrowdStrike which caused a major technological outage globally on 19 July 2024; and (b) whether the Singapore Government subscribes to CrowdStrike’s services.
*7. Mr Alex Yam Ziming asked the Minister for Digital Development and Information (a) what is the Ministry’s assessment of the impact to Singapore due to the tech outage caused by the cyber-security firm CrowdStrike’s software update on 19 July 2024; (b) whether any Government agencies or critical public services have been affected by the outage; and (c) what are the Ministry’s contingency plans for such global tech outages that may impact Singapore’s socio-economic security.
*8. Mr Gerald Giam Yean Song asked the Minister for Digital Development and Information with regard to the recent IT outage caused by CrowdStrike (a) whether the Cybersecurity Agency of Singapore (CSA) has updated its threat and risk assessment protocols to cover supply chain risks of this nature; (b) if so, whether these updated protocols will be implemented across all critical information infrastructure (CII); and (c) what new strategies are being considered to enhance the resilience of CIIs against systemic propagated shocks that are not directly linked to cybersecurity threats.
*9. Ms Hany Soh asked the Minister for Digital Development and Information with regard to the global IT outage that occurred on 19 July 2024 (a) whether the Ministry has conducted an overall local impact assessment; and (b) if so, what are the Ministry’s findings and whether any measures have been implemented to prevent such a recurrence.
*10. Mr Yip Hon Weng asked the Minister for Digital Development and Information (a) whether the Government will conduct an After-Action Review (AAR) to assess Singapore's preparedness and response, and identify areas for improvement, in light of the recent global technology outage; (b) what key considerations will guide such AAR; and (c) whether the Government will (i) develop a local technology ecosystem or (ii) stipulate guidelines that will implement redundancy systems to insulate our essential services from global disruptions as part of digital resilience.
27. Dr Syed Harun Alhabsyi asked the Minister for Digital Development and Information with regard to the recent IT outage caused by CrowdStrike (a) what has been the extent of its impact and cost to local businesses and institutions; (b) what lessons have been learnt from this outage thus far; and (c) what steps are being taken to ensure that the IT systems used by these businesses and institutions remain resilient against similar outages.
28. Mr Saktiandi Supaat asked the Minister for Digital Development and Information (a) which areas of the public service sector were most severely affected by the CrowdStrike outage on 19 July 2024; (b) what are takeaways on the strengths and weaknesses of Singapore's public service systems to ensure a reliable, efficient, and accessible public service for Singaporeans; and (c) what steps have been taken to ensure that possible vulnerabilities from any of our current and future cyber security solutions are mitigated.
From 6 Aug sitting
*60. Ms Jessica Tan Soon Neo asked the Minister for Digital Development and Information (a) whether there will be actions taken to strengthen the response and recovery of essential services dependent on digital platforms to minimise the impact of outages or disruptions of services in view of the outage caused by the cyber-security firm CrowdStrike’s software update on 19 July 2024; and (b) whether there will be further requirements for organisations and businesses that provide essential services to have robust business continuity plans and to test them regularly.
*64. Ms Ng Ling Ling asked the Minister for Digital Development and Information (a) what are the key learning points for Singapore’s cybersecurity strategy from the CrowdStrike outage on 19 July 2024; and (b) how are key public service systems protected from risks of outage from such a single point of failure.
*65. Mr Melvin Yong Yik Chye asked the Minister for Digital Development and Information (a) what are the learning points from the global outage of IT systems related to Microsoft Azure and CrowdStrike on 19 July 2024; (b) how does the Ministry support companies in Singapore whose services to the public are affected by the outage; and (c) whether guidelines or legislation will be considered to safeguard against hidden technological dependencies on a small handful of technology companies.
*66. Miss Cheryl Chan Wei Ling asked the Minister for Digital Development and Information (a) what is Singapore’s approach to ensure economic continuity to address the risk arising from integration of third-party software into our critical digital infrastructure; (b) how much coordination with the relevant Government agencies is required of third-party software suppliers when they make independent changes to their software which may affect the overall system; and (c) whether the Ministry will require key digital suppliers to conduct regular drills simulating different incident scenarios and test the joint response plans towards these incidents.
*68. Mr Desmond Choo asked the Minister for Digital Development and Information in light of the global disruption of systems related to CrowdStrike on 19 July 2024 (a) how does the Ministry ensure that critical infrastructure in Singapore is not overly dependent on a small group of providers; and (b) how has the Ministry strengthened resilience in the technology infrastructure in Singapore.
*69. Dr Wan Rizal asked the Minister for Digital Development and Information (a) what measures are in place to protect Singapore’s critical business and aviation infrastructure from cyber outages, such as the recent incidents affecting the banks and Changi Airport; (b) what contingency plans and support systems are available during such outages, and how are these made known to the affected stakeholders; and (c) how can the Ministry work with international partners and cybersecurity firms to mitigate the risks of such outages.
Answer:
On 19 July 2024, a faulty software update by a cybersecurity service provider, CrowdStrike, disrupted major services around the world. Images of the now infamous Blue Screen of Death appeared in media news cycles and attracted significant public attention. According to public reports, outages were experienced by users of the Microsoft Windows operating system that adopted CrowdStrike’s Falcon Endpoint Detection and Response (EDR) solution. It is a security solution that requires frequent and timely updates to be effective.
The Members’ questions fall broadly into two categories. First, what is the impact of the outage in Singapore, particularly in relation to services provided by Government. Second, what are the lessons learnt, particularly in relation to the resilience of our IT systems.
Fortuitously, Government services and most essential services in Singapore were unaffected by the outages. However, some businesses that use CrowdStrike’s Falcon EDR were affected. In most cases, the impact was to internal staff. In a minority of the cases, customers were impacted due to service disruptions. Prominent examples of these were the passenger check-in for some airlines at Changi Terminal 4 and gantry operations at some HDB carparks.
Customers of affected businesses met with delays and were inconvenienced. However, Business Continuity Plans (BCPs) kicked in. These included switching over to manual processes, such as for flight ticketing and check-in. The Singapore Cyber Emergency Response Team (SingCERT) of the Cyber Security Agency of Singapore (CSA) also quickly issued an advisory to guide affected system administrators and users on how to manually recover their systems. Most of the affected IT systems had recovered within a day, and services returned to normal.
As Members know, IT systems may experience outages and disruptions from time to time. In this particular instance, it is not yet fully understood what caused a relatively routine software update to have created such major disruptions around the world. My ministry has set up an internal taskforce to engage relevant partners to gain insights into the incident and assess if further measures should be taken to improve Singapore’s resilience when such disruptions occur.
In the meantime, one key lesson can already be reinforced. As we have said on previous occasions, even with best efforts, not all disruptions can be prevented. System owners should therefore have plans in place to help them to recover quickly from unexpected disturbances.
On its part, the Government adopts a risk-based approach to ensure our critical systems and essential services are resilient. Critical Information Infrastructures (CIIs), Essential Services (ES) and Government services are all subject to stringent requirements and have to put in place robust BCPs, Disaster Recovery Plans (DRPs), and Incident Response Plans (IRPs). The Cybersecurity Act (CS Act) and specific sectoral regulations hold CIIs and key ES operators accountable for meeting the baseline security and resilience requirements. This includes timely review of risk assessments and audits. For example, Government agencies using third-party software in their ICT systems have to do a thorough risk assessment and put in place necessary mitigation measures. CSA also established the CII Supply Chain Programme to better manage key vendor supply chain risks.
Businesses must also play their part to improve their resilience when disruptions occur and recognise that it is in their own, and their customers’ interests to do so. When things are running smoothly, businesses may question why they should incur cost or prioritise efforts to assess and improve their resilience measures. Unfortunately, some may not take appropriate actions until it is too late.
We therefore encourage businesses to conduct their own risk assessments and put in place the appropriate BCPs to help business continuity in the event of a disruption. SingCERT has recently published an advisory on building digital resiliency, which can be found on CSA’s website. As part of the support for enterprises’ digitalisation, my ministry offers other practical resources and financial assistance to encourage robust IT practices. This includes CSA’s cybersecurity toolkits and IMDA’s SMEs Go Digital Programme.
While these efforts may not specifically address IT outages like the one related to CrowdStrike, they can help businesses prevent incidents and recover more quickly should disruptions occur. I also encourage all businesses to take advantage of the Government’s resource support to strengthen their digital resilience.