Speech by SMS Janil Puthucheary at the MCI Committee of Supply Debate 2020
Securing our Digital Future Together
Securing Our Digital Infrastructure
Mr Speaker, digitalisation can bring greater convenience, efficiency, participation and better services for all. A secure digital infrastructure will be important, to allow our citizens to live safely, work productively and enjoy themselves online.
Mr Cedric Foo, Mr Vikram Nair and Ms Sylvia Lim asked about the Government’s efforts on cybersecurity. The Cyber Security Agency of Singapore (CSA) has been working to protect our Critical Information Infrastructures (CIIs). This is the first pillar of Singapore’s Cybersecurity Strategy. These systems are critical for providing essential services, like energy and water.
Since the SingHealth Committee of Inquiry (COI) concluded a year ago, CSA has worked with CII sector leads to strengthen their defences and to implement the Committee’s recommendations. To date, the Energy, Infocomm, Security & Emergency sectors have fully implemented all the recommendations or compensating controls. Other sectors have made good progress and implemented measures for between 70 per cent and 90 per cent of their CIIs. We will continue to track that progress and enable the further implementation of these measures.
It is crucial to strengthen our defences on Operational Technology (OT) systems as well. These are systems that control physical processes, industrial processes and manufacturing equipment. As many of the CIIs rely on this, attacks on OT systems can cause physical disruption. To address this, CSA has launched the Operational Technology (OT) Masterplan in October last year to raise awareness and competencies in OT cybersecurity.
Mr Douglas Foo asked if Singapore has a cyber-response framework similar to the DORSCON Framework used to handle COVID-19. There are broad similarities in how we respond. CSA has a framework to calibrate the approach to mitigate potential threats. Should there be an incident of concern, this framework also helps us to coordinate an appropriate national response to secure our cyberspace - a response that will involve multiple stakeholders, multiple agencies, as well as private sector entities.
Similar to containing COVID-19, in cybersecurity, we need processes to give us an early warning and a multi-stakeholder approach to mitigate any impact of a large-scale cyber-attack. We do this by ensuring timely information sharing from multiple sources. Under the Cybersecurity Act, CII owners are required to monitor systems and report incidents to CSA. CSA then works closely with industry and international partners to share cyber intelligence.
However, we must plan on the basis that we cannot prevent all cyber incidents. Determined attackers will always find new ways to breach our systems. So, we must be vigilant and be prepared to respond and recover quickly from any attack. To these ends, CSA conducts regular exercises, such as Exercise Cyber Star, to prepare the nation in the event of a widespread cyber-attack.
As part of Singapore’s Cybersecurity Strategy, the Government also works with businesses and the general public to improve their cybersecurity. For example, SingCERT provides regular advisories about identifying vulnerabilities. Beyond the CIIs, CSA will continue to expand broad efforts to protect the cyberspace through the new Safer Cyberspace Masterplan. This aims to make Singapore one of the most cyber-secure countries in the world, benefitting all. The plan involves (a) securing Singapore’s digital core; (b) safeguarding activities in the cyberspace; and (c) empowering a cyber-savvy population. Details on the Safer Cyberspace Masterplan will be announced later in the year.
A growing area of concern is the Internet of Things (IoT). This refers to devices, like home routers or smart home hubs, which many of us have in our homes and offices. We expect that the number of these devices will grow significantly, as they become more and more useful. This poses a challenge. These devices typically have weak security and can be exploited by attackers, for example, in a distributed denial-of-service attack to flood systems and disrupt operations.
IMDA and CSA have been working closely to address these challenges and to educate users about these risks and the precautions that they can take to secure their devices. Going forward, CSA will be launching the Cybersecurity Labelling Scheme (CLS) for home routers and smart home hubs. The scheme will raise consumer awareness on more secure products and aims to encourage manufacturers to adopt additional cybersecurity safeguards.
IMDA will be setting minimum security requirements for home routers. This will improve baseline standards for such devices and will be a pre-requisite to attaining the cybersecurity label. Together, IMDA and CSA will be launching a joint Public Consultation to seek feedback on this. In addition, IMDA will also be publishing an IoT Cyber Security Guide to offer enterprise users and their vendors better guidance on the deployment of IoT technology.
CSA has made good progress since the launch of the national cybersecurity strategy in 2016, but the Government alone cannot secure our cyberspace. CSA will continue to work with individuals and businesses to enhance Singapore’s cybersecurity.
Ms Lim asked about CSA’s role in the Public Sector Data Security Review Committee. CSA works closely with other government agencies to enhance public sector data security. However, while related, data security and cybersecurity are different. Data security is concerned about the protection of data – whether this data is collected online or not. On the other hand, cybersecurity is concerned with the protection of systems, including for example train signalling. It extends beyond the data protection. Both are essential and complementary.
To Ms Lim’s point on vendor management, organisations are ultimately responsible for their obligations. These obligations continue when they decide to outsource certain functions. If they do so, they should perform due diligence to select the right third-party providers with proven track records and maintain sufficient oversight over this outsourcing of functions.
I agree with Ms Tin Pei Ling that data is critical in this digital age. Data needs to be secure and interoperable to unlock its potential, to support innovation and to benefit consumers. The Trusted Data Sharing Framework introduced in June 2019 laid the groundwork for data interoperability, provided a common language as well as contractual templates to help organisations in Singapore share data in a trusted manner.
Internationally, Singapore is contributing to common data protection principles, for example, ASEAN Framework on Digital Data Governance as well as APEC Cross-Border Privacy Rules and Privacy Recognition for Processors Systems. This network of partnerships that Singapore has, and our Digital Economy Agreements, will also facilitate cross-border interoperability and collaboration. We will introduce a new Data Portability Obligation in the Personal Data Protection Act (PDPA) so individuals may have their data transmitted between organisations in a commonly-used format. This would also improve data interoperability.
On Ms Lim’s question on data centres, Singapore’s data centre market is expected to grow about 5 per cent annually until 2024, according to a 2019 report by Cushman and Wakefield. We are mindful about the environmental impact of these data centres. As part of our nation-wide efforts to combat climate change, IMDA is working with EDB to improve the efficiency of these data centres.
Protect Our Cohesive Society Online
Mr Ong Teng Koon, Mr Yee Chia Hsing and Mr Foo asked about Singapore’s data protection regime. As we generate and store more data online, it is essential that our regulations enable the innovative, legitimate use of data, and simultaneously safeguard consumer interests.
The collection, use and disclosure of personal data is regulated by laws like the PDPA. This includes personal data shared between organisations and data collected through facial recognition technology. Personal data must be protected and used for reasonable purposes, like security, as mentioned by Mr Yee. Conversely, the example cited by Mr Ong of the sale of personal data to other organisations without individuals’ consent would be in breach of the PDPA. Organisations are responsible for expunging personal data when it no longer serves the purpose for which it was collected. Public agencies are held to similar standards under the Public Sector (Governance) Act.
In order to promote responsible use of facial recognition technology, the Personal Data Protection Commission (PDPC) and the Government Data Office will publish guides on the responsible use of biometric technology this year. The guides will include best practices and policies on the end-to-end management of data collected via such technology.
For online consent agreements, the PDPA continues to apply. Organisations must ensure that online consent agreements are clear and spell out reasonable purposes for which the individuals’ consent is being sought. The PDPC also updated the Guide to Notification last year, providing organisations examples of how to utilise just-in-time notifications and obtain dynamic consent. This allows individuals to make informed decisions as and when relevant, instead of one-off lengthy consent agreements.
As part of the effort to continually support data-driven innovation and to strengthen the accountability of these organisations and consumer trust, the Government is reviewing the PDPA. The key proposed amendments under this review include (a) obligating organisations to notify affected individuals and the PDPC of significant data breaches; (b) strengthening PDPC’s enforcement powers; and (c) instilling accountability practices like risk assessments for organisations. We plan to amend the PDPA later this year.
I announced on 28 February that the Government will be sharing more data with businesses and researchers to spur innovation. As we do so, the high standards of data protection that the Government imposes on itself must be extended to third parties using three guiding principles. First, the data is shared with non-Government entities (NGEs) only when there is a specified purpose that will benefit the public. Second, as a general rule, only de-identified data is shared. Third, access controls and safeguards should be spelt out in contracts with NGEs.
Protecting our citizens online includes shielding consumers from scam calls. IMDA has worked with the telcos to block international spammers from making their phone calls look like they are coming from commonly-spoofed numbers, such as 999 and 995. We will move on to introduce measures to stop international scammers from trying to spoof numbers that look like they are a local number, targeting our citizens, by introducing a requirement to have the “+” symbol as a prefix for all overseas calls. We hope this will help consumers better identify international spoof calls and reject them. The Government will continue to develop additional measures to combat scams so that our citizens can be better protected. MCI will work closely with other agencies in the newly-formed Inter-Ministry Committee on Scams announced by the Ministry of Home Affairs to strengthen our collective efforts to tackle this problem.
Mr Darryl David and Mr Vikram Nair asked about measures to guard against deliberate online falsehoods. These can threaten our multi-culturalism and the harmony of our society. We must protect our social cohesion in the real world and online, to uphold the shared values of Singapore. The Select Committee on Deliberate Online Falsehoods recommended for the Government to support fact-checking initiatives and strengthen public education to build an informed and discerning citizenry. We will do so, together with a range of partners.
One timely development is the National University of Singapore’s decision to establish a Centre for Trusted Internet and Community. The Centre will research how societies discern online harms and how to build responsible public discourse. MCI welcomes this effort. This will be an important academic complement to existing efforts that nurture healthy, well-informed and inclusive online activity.
Supporting All Our Workers as Our Economy Digitalises
Finally, Mr Speaker, we must support all workers as our economy digitalises. Technological disruptions have changed how we work, creating new roles, and new manpower demands. The Government will continue to support all Singaporeans to capitalise on these opportunities and to meet industry needs. Mr Ong and Ms Tin asked about tech talent in Singapore. We must work with stakeholders to expand our talent pool and strengthen career developmental pathways for emerging roles.
To grow our workforce, we have collaborations with the private sector. We are very glad that industry, for example Apple and Alibaba, collaborate with us. IMDA has been collaborating with them to develop programmes for secondary school students to help them develop some experience in marketing and pitching business ideas, as they develop their technological skills, applying some of these skills to problems that interest them, for example, waste identification and recyclable materials. These industry-led programmes allow young minds in Singapore to develop technological skills, contribute to causes that they find meaningful and prepare themselves for their future.
We will have to continue to make sure all Singaporeans, including those who did not learn tech skills in school, are supported as they take on these technology-based roles. We will actively groom the innovation talent through mentorships, overseas attachments and structured trainings to position Singapore as a digital hub.
Under SkillsFuture, the TechSkills Accelerator (TeSA) initiative supports professionals to upgrade their skills for the Digital Economy. These programmes include Company-Led Training (CLT) and the Cyber Security Associates and Technologists (CSAT) programme. These support the transition of both ICT professionals as well as non-ICT professionals into technology-based jobs. So, they provide the opportunity for people who are in a technology-based profession to shift their skillset, shift their career focus, as well as people who have not had specific ICT training, to develop ICT skills and move into a technology-based job.
Not just the companies and Government, our trade associations are also actively contributing to these efforts. Under the Career Compass initiative, experienced ICT mentors from the Singapore Computer Society partnered Workforce Singapore to provide career guidance to aspiring technology professionals. SGTech also manages Professional Conversion Programmes with platform companies, like Salesforce, to train and place workers into new roles. These new roles include examples such as data protection officers (or DPOs) and cybersecurity professionals. There are many new jobs and exciting opportunities that are being created, and we have to increase our effort to support the professional development in these new roles.
We agree with Mr Patrick Tay on the need to upskill DPOs. As he noted, PDPC’s DPO Competency Roadmap and Training Framework aims to support this. PDPC will collaborate with partners, such as NTUC, to roll out additional courses, and targets to train 500 DPOs in the first year. I encourage more workers to tap on such training to deepen their skills in data protection and seize opportunities in this growing field.
Other than Data Protection, cybersecurity, as we discussed, is a critical enabler for digitalisation, and we will need more cybersecurity professionals to protect our cyberspace. CSA is launching the SG Cyber Talent initiative to reach out to more than 20,000 individuals over three years through new and existing programmes. This will build a pipeline of cybersecurity professionals to support Singapore’s ambitions to be a cybersecurity hub.
Under the SG Cyber Talent programme, CSA will introduce two new programmes this year. First, CSA will work with the cybersecurity community and educators to nurture young Singaporeans with an aptitude in cybersecurity. This will provide participants with an arena for cyber sparring, mentorship, customised training, and some support to participate in overseas competitions. Secondly, CSA will build communities of practice, offering training in cybersecurity and connecting cybersecurity leadership to global best practices and technologies. This will equip these leaders to secure their organisations more effectively.
Singapore’s cybersecurity workforce is important not just for the development of a competitive digital economy, but also for our national security. To Ms Lim’s query on how CSA ensures that it has the expertise and knowledge for its mission, CSA has a Cybersecurity Professional Scheme and a Cybersecurity Competency Framework. Together, these guide the professional development of our officers and allow CSA to attract and retain people with the right skillsets. CSA Academy has also been working with global partners to provide intermediate and advanced training for CSA as well as the CII sectors since 2018. To date, the Academy has trained about 200 cybersecurity professionals.
Conclusion
Mr Speaker, I have spoken about MCI’s efforts to secure our digital infrastructure, to protect our cohesive society and to support all workers. With this approach, we can seize digital opportunities and embrace digitalisation with confidence together.