Speech by SMS Janil Puthucheary at the International Common Criteria Conference at SICW 2019

01 OCT 2019

  1. Good morning everybody and thank you for joining us here today. We are very proud and happy to host the International Common Criteria Conference for the first time. 

    Building a Digital Economy

  2. We are witnessing and living transformation brought about by technology, in the way we live, work and play. This is change happening in our lives. Industries are transforming their businesses to harness the opportunities that are offered, and this is being driven by the growth in connectivity, data and processing. We used to only expect devices to do fairly limited set of functions, but increasingly, all of those devices, through a combination of power management, data management and processing power, are becoming smarter and more capable, developing the ability to feed into insights, as well as extract value for businesses. 

  3. That growth and capability have been matched with a growing set of aspirations and demands from the consumer base. Customers are purchasing these products, and citizens are engaging with government digital services and moving about in our city, enjoying the opportunities that have been created. Technology has been able to deliver on these expectations and will continue to drive those expectations further. Just as technology has been transforming the devices and the consumer base has aspirations, we also need to pay attention to how we transform our workforce. In Singapore, we have been paying particular attention to workforce transformation as a key enabler of our Smart Nation ambitions. Governments also need to play our part. Government services need to meet these types of aspirations around digital services - help citizens access these services through smartphones, create platforms for companies to collaborate and share data, and generate new types of experiences.

    Cybersecurity as an Enabler for the Digital Economy and an Economic Opportunity

  4. As we have transformed the devices and as that transformation through technology has created the need for transformation around the workplace and in the workforce resulting in the need for governments to likewise transform, so have the adversaries -   the thinking around how to penetrate systems, the thinking around how to exploit value from the systems. 

  5. And what this means is that every device then becomes a potential target, becomes a threat - workstations, printers, coffee machines, printers, televisions, webcams, lights, the list goes on - whether they themselves are the target or the platform for further targets. These then become conduits, increasing the complexity of the frontier that we have. Underlying all these, is of course the need for cybersecurity to be a key enabler of the digital economy or the opportunities that are described, and also a key enabler of the trust that we need for businesses to collaborate with each other, so  citizens and consumers can take advantage of these opportunities. That key enabler also then becomes the key risk when it breaks down. Cyber-attacks are successful when systems are broken down, when there is a significant risk to infrastructure, to the delivery of services.

  6. As IoT devices proliferate - potentially 20 billion by 2020 - it enables much larger surface area to be attacked and a much larger pool of devices to act as repository or conduit for the source of further attacks downstream. We need ways to deal with this. 

    Certification for System Assurance and Market Demand for Security Products

  7. The Common Criteria, or CC, is one of those things. It is the de facto standard for IT security product certification around the world. It advocates for devices to be secure-by-design, taking cyber security considerations into the product design and its subsequent life cycle, allowing customers and companies to identify products that have been rigorously tested, verified and certified. 

  8. Here in Singapore, we are very honoured to be recognised as a Common Criteria authorising nation early this year. It reinforces our policy principles of security-by-design being a necessary step to further our Smart Nation ambitions. Even as we have done so, we have ourselves experienced significant attacks - the personal data of millions of our citizens was compromised by cyber attackers, and there were many smaller incidents over the years, some of which were a result of poor security design of network-connected devices. Better product assurance, especially for network-connected devices, is going to be important. If we can adopt these product evaluation and certification regimes, such as CC, it will give the kind of assurance benchmarked at internationally-recognised standards, to strengthen IT security for our government, Smart Nation as well as the digital economy. 

    Growing a Vibrant Ecosystem

  9. We are determined to do our part to raise awareness of the importance of such product evaluation. We have signed a Memorandum of Agreement between the Cyber Security Agency of Singapore and Nanyang Technological University to establish the National Integrated Centre for Evaluation (NICE). It is a one-stop facility for product testing and evaluation to develop competencies, evaluation techniques and most importantly, a pipeline of professional practitioners that we need in order to deliver this, not just today or tomorrow, but for the sustainable future. A pipeline of practitioners supported by a community of practice which will see a sustainable ecosystem for product evaluation and certification here in Singapore. 

  10. As the scale and sophistication of cyber-attacks increase, the demand for cybersecurity services and certified products will also increase in tandem. We have to build up our local ecosystem. We have to develop product labs and also need to attract global reputable evaluation laboratories to anchor their operations here to allow regional companies to have access to world-class product evaluation experts. 

  11. The CC process is internationally-recognised. Hopefully, as we grow this ecosystem, there is no longer a need to send products across the world for evaluation. Thus, we hope to be able to shorten the development costs around the world. As part of this process, CSA and Enterprise Singapore, our national standards body, have formed a new Coordinating Committee for Cybersecurity (CCCY) under the Singapore Standards Council to coordinate and facilitate the sharing of cybersecurity information and to formulate a cybersecurity standards roadmap here in Singapore. This reflects the close partnership between the public service, industry as well as academia in cybersecurity. We need this kind of partnership to explore boundaries and create opportunities, to engage with partners around the world. This roadmap will address standards for building resilient infrastructure, create a safer cyber space, as well as raise quality of cybersecurity products and services. It will address areas like advanced manufacturing, smart healthcare, smart mobility and autonomous vehicles. The CCCY aims to raise the level of cybersecurity resilience across our eco-system, allowing Singapore to help the global push to make smart products more secure. 

  12. As part of this year’s ICCC conference, we will also hold the 4th edition of the International IoT Security Roundtable to share ideas, shape technologies, steer standards, and speed-up growth of smart cities.  We are marking this 4th edition by launching a Joint IoT Security Landscape Study Report commissioned together by Singapore and the Netherlands. The landscape report aims to encourage countries to adopt security initiatives to assess challenge areas, drive standards and seed innovations to secure IoT systems. This study will be launched concurrently during the Roundtable in Singapore and the One Conference in the Netherlands later today.  Cyber threats are cross-domain and transboundary. We need to bring together partners from across the world, to play a part in galvanising and coordinating efforts across the globe, for a more safe and secure cyberspace and a cyberspace of things.

  13. In addition to these collaborations with the Netherlands, Singapore and the UK have also agreed to adopt best practices to secure IoT devices which are in line with industry standards. By working with our partners, including the industry and consumer groups to exchange knowledge, smart devices produced will be less susceptible to these attacks.

    Conclusion

  14. I am glad to see the strong support for the ICCC and the number of activities that we have packaged into the week. The participation at SICW continues to grow year-on-year - in number and the type of organisations and the breadth of expertise that come to the shore, to share your knowledge, ideas and challenges. 

  15. Thank you for joining us in making the cyberspace safer for all of you, for us, and for our future. I wish you all a very fruitful conference.