MCI response to PQ on impact of SolarWinds breach on Singapore & cybersecurity of critical systems

Parliament Sitting on 2 February 2021

QUESTIONS FOR ORAL ANSWER

*3. Mr Alex Yam Ziming: To ask the Minister for Communications and Information (a) what is the impact of the SolarWinds breach on Singapore and the cybersecurity of our critical systems; and (b) what steps is the Ministry taking to mitigate the cyber threats to Singapore arising from this and other global cybersecurity incidents.

*4. Mr Desmond Choo: To ask the Minister for Communications and Information in light of the SolarWinds cybersecurity incident (a) how many companies and government agencies are affected or vulnerable to such attacks; and (b) how can companies providing essential services and government agencies have better oversight over cybersecurity arrangements with third party providers.

Answer:

1. Mr Speaker, the SolarWinds cybersecurity breach compromised a network management software that is widely used by major companies worldwide. The attacker used the software’s regular updates to implant a backdoor and gain a foothold in the networks of organisations that downloaded and installed the malicious update. This is a very sophisticated attack that evaded detection for many months. As reported by the media, SolarWinds’ clients include US government agencies and Fortune 500 companies – including Microsoft, CISCO Systems and VMWare. It affected about 18,000 customers, although a much smaller number were compromised by follow-on activity on their systems. This breach is especially noteworthy because the SolarWinds software is part of the network control and management infrastructure – hence, it was trusted and had privileged access to internal networks. The situation is still evolving, and the affected firms are continuing with their investigations.

2. When first alerted of the breach, the Cyber Security Agency (CSA) immediately raised the National Cyber Threat Alert Level, and worked with our Critical Information Infrastructure sectors to check and monitor our critical systems. There is no indication thus far that Singapore’s CII and Government systems have been adversely affected by the SolarWinds breach. The Government is nonetheless adopting a cautious stance, and CSA has issued public advisories on steps that enterprises and organisations should take to safeguard their systems against this threat. These include having full visibility of their networks and detecting unusual activity in a timely manner. 

3. In the longer term, dealing with these sophisticated cyber threats requires a fundamental shift in mindset towards a “zero-trust” cybersecurity posture. At its core, this “zero-trust” cybersecurity posture has the notion that we should protect our networks by observing two key principles – first, we should not trust any activity without first verifying it; and second, ensure constant monitoring and vigilance for suspicious activities. This includes compartmentalising and restricting access to different segments of the network, validating transactions across segments, reconciling any escalation of user privileges, and actively and regularly hunting for threats. Organisations should also put in place robust plans for cyber incident response in the event they fall victim to a cyber-attack. CSA will strengthen engagements with CII sectors, enterprises and organisations to adopt and sustain these measures.

4. Mr Speaker, the SolarWinds incident underscores the global and transborder nature of cyber threats. Given the nature of the digital domain, such cyber incidents will happen from time to time. Malicious actors only need to exploit one vulnerability, while the defenders must ensure that there are no vulnerabilities in all the systems and networks that they are protecting, all the time. Though difficult to completely prevent, we need deliberate, targeted and consistent efforts to strengthen our cyber defences against sophisticated threats like the SolarWinds breach, which exploit the supply chain of trusted vendors and software. Our CIIs, enterprises and citizens must also maintain their vigilance against cyber threats, as we mitigate the risks while leveraging the opportunities of digitalisation.