MCI response to PQ on attempts to attack Singapore's supply chain software
Parliament Sitting on 26 July 2021
QUESTION FOR ORAL ANSWER
17. Mr Mohd Fahmi Bin Aliman: To ask the Minister for Communications and Information in light of the recent global cyberattack that forced Swedish Coop supermarkets to close, whether there have been any attempts to attack Singapore’s supply chain software in the past three years.
Answer:
-
Mr Speaker, Swedish Coop supermarkets were forced to close earlier this month due to what is know as a supply chain attack. The Coop used the the Kaseya Virtual System Administrator (VSA), which is a software management platform designed to help organisations manage their IT services remotely.
-
Similar attacks have occurred in recent months, such as the SolarWinds breach reported in December 2020 and the attack on the Microsoft Exchange Server reported in January 2021. How are these supply chain attacks orchestrated? Essentially, they take advantage of unsuspecting companies’ introduction of new software into their systems, that turn out to contain malicious elements or ransomware .
-
Usually, neither the companies nor their vendors that supplied the software were even aware that the software had been compromised. The same software that afflicted tens of thousands of organisations and businesses can also find their way into IT systems in Singapore. To date, we have not observed any adverse effects on our Critical Information Infrastructure (CII) and Government systems. The Singapore Computer Emergency Response Team (SingCERT) has also not received reports of any Singaporean businesses falling victim to these attacks.
-
Nevertheless, the Government continues to adopt a cautious stance, and the Cyber Security Agency (CSA) monitors global developments very closely. Whenever potential threats arise, CSA will immediately direct our CII sectors to check for any potential compromise in their networks. SingCERT issues alerts and advisories to the public on actionable steps to take, should they be affected. Given the global and transnational nature of such cyber-attacks, CSA also works closely with regional CERTs and its international counterparts to track developments and share information.
-
The attack through the Kaseya VSA is yet another example of how cyber-attacks have spilled over into the physical realm, with real-world consequences. Attackers are clearly learning and evolving their tactics to maximise their gains from a single attack. We must expect that cyber attacks will become increasingly commonplace and sophisticated. They can strike any of us or our organisations, and we must assume that our systems will be breached at some point.
-
As was mentioned in the response to a query on the SolarWinds attack in Parliament earlier this year, CSA is strengthening its engagements with CII sectors, enterprises and organisations to shift towards a “zero-trust” cybersecurity posture. This comprises two key principles: first, do not trust any activity on your networks without first verifying it and second, ensure constant monitoring and vigilance for suspicious activities.
-
Organisations should also implement simple steps not only to prevent breaches, but to detect incidents early and recover quickly from them. These include keeping systems and software updated, backing up data regularly and keeping the backup offline, and practising incident response and business continuity plans to ensure that employees are well-prepared when breaches happen.
-
The Government is taking steps to reinforce this mindset and raise the national cybersecurity posture against this new normal. CSA will launch the CII Supply Chain Programme later this year, in partnership with the owners of such infrastructure and their vendors, to ensure that stakeholders adhere to international best practices and standards for supply chain risk management. At the same time, CSA is developing the SG Cyber Safe Programme to provide businesses with actionable cybersecurity toolkits and resources to bolster their cyber defences.
-
Mr Speaker, I would like to stress that everyone must play their part. Businesses and organisations are responsible for their own cybersecurity, and must take action to strengthen their posture. Conduct an assessment of the risks, contemplate in advance how you will mitigate them, and ensure that you have business continuity plans after an attack. It is in our own interest to stay vigilant against cyber threats, even as we leverage the opportunities of an increasingly digital world.