MCI's response to PQ on Enhancing Resilience from DDoS Attack on Public Healthcare Institutions

22 NOV 2023

Parliament Sitting on 22 November 2023

QUESTION FOR WRITTEN ANSWER

30. Ms Jessica Tan Soon Neo: To ask the Minister for Communications and Information with the recent cyberattack and disruptions experienced by the public healthcare institutions (a) whether there are wider implications for the public and other critical services given the greater reliance on digital services including Government services; and (b) whether there are further measures required to enhance Singapore's resilience against such cyberattacks.

31. Ms Sylvia Lim: To ask the Minister for Communications and Information (a) what are the lessons learnt from the extended and large-scale distributed denial of service attack on the websites of public healthcare institutions on 1 November 2023; (b) what steps are being taken to upgrade protections to Singapore’s key civilian services and infrastructure and to reduce such disruptions; and (c) when will the authorities release a report on the event to the public.

Answer:

  1. The Government recognises that, as we digitalise more, we become more dependent on digital services and infrastructure. We can never rule out cyber incidents or service disruptions happening. The Government and system owners will mitigate and manage these risks taking into account how critical a given system is. We allocate more resources to harden the most critical systems, and ensure a baseline of measures for all systems. Cybersecurity defence has to be complemented by business continuity plans that mitigate the impact of e-service disruptions when they occur.

  2. The Cyber Security Agency (CSA) identifies and regulates Critical Information Infrastructure (CII) that are necessary for the provision of essential services in sectors such as government, infocomm, banking and finance, and others. For instance, in 2022, Government agencies maintained an availability uptime of at least 99.5% for most of our critical systems, which is equivalent to less than four hours of unscheduled down time per system per month. Sector regulators also impose requirements on service providers in their respective sectors, such as requirements for service availability in the telecommunications, banking and healthcare sectors.

  3. While some disruption might be inevitable, prolonged disruptions should not be the norm. In addition to prevention, we must also focus on recovering quickly. MCI has been reviewing our measures, to ensure they remain relevant and fit for purpose. For example, CSA is in the midst of reviewing the Cybersecurity Act to look beyond CII, and consider other digital infrastructure and services that are important to the nation. MCI will provide more details when ready.