Government's response to the report of the COI into the cyber attack on SingHealth
Thank you, Mr Speaker.
Recap of the cyber-attack, convening and proceedings of the COI
On 6 August 2018, I informed this House that I had convened a Committee of Inquiry (COI) into the cyber-attack on SingHealth’s database system.
The scale of this cyber-attack was unprecedented; the personal particulars of about 1.5 million patients were illegally accessed and copied. It was malicious; Prime Minister Lee Hsien Loong’s records were specifically and repeatedly targeted. And there were serious implications for public health and safety, as SingHealth’s database system is part of our Critical Information Infrastructure (CII).
Therefore, I convened this Committee of Inquiry, because the Government wanted a robust and transparent inquiry that would get to the bottom of this cyber-attack. In particular, the COI was asked to:
- Firstly, establish the events and contributing factors, and evaluate the incident response by IHiS (Integrated Health Information Systems Pte Ltd) and SingHealth; and
- Secondly, recommend measures to safeguard public sector IT systems that contain large databases of personal data against similar cyber-attacks.
The Committee conducted a rigorous and comprehensive inquiry over 5 months. The proceedings included testimonies from 37 witnesses, including local and foreign experts, as well as 26 written representations from members of the public, professional associations, organisations and companies. The COI conducted 22 days of hearings, which were open to the public, except when there were implications for national security or patient confidentiality.
The COI submitted its classified report to me on 31 December 2018. The COI also released a public version of the report on 10 January 2019, which my Ministry distributed to Members of this House. The public report contains all recommendations and material findings from the full COI report; it only excludes highly sensitive information heard by the COI in closed-door sessions.
Mr Speaker, with your permission, may I ask the Clerk to distribute a note on the COI’s findings and recommendations?
Thank the COI and supporting team
At this juncture, on behalf of the Government, I would like to place on record our deep gratitude to the Committee for its hard work in undertaking a robust and transparent Inquiry. I would also like to thank the Attorney-General’s Chambers, investigators from CSA and CID, and MCI officers who supported the COI; witnesses who gave evidence; as well as organisations, professionals and members of the public who contributed their views and suggestions in the course of the Inquiry.
COI’s main findings
Let me now highlight the main findings of the COI.
The COI has been candid in its report, which establishes the sophisticated nature of the attacker; but also gives a detailed and stark account of shortcomings at the staff and system level that contributed to the failure to prevent the attack or limit its impact.
Specifically, the COI found that while SingHealth fell victim to an Advanced Persistent Threat (APT) group, the success of the attacker in obtaining and exfiltrating the data was not inevitable. IHiS and SingHealth should have been better prepared and more robust in their actions. If they had done so, the cyber-attack could have been limited or even stopped. I will now go into the findings.
First, the COI found significant shortcomings at the staff level. IHiS staff did not have adequate cybersecurity awareness, training, and resources, to appreciate the security implications of their observations, and to respond effectively to the attack.
Also, certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate or timely action, even when there were clear signs of an ongoing attack.
However, the COI also commended specific IHiS IT administrators who were vigilant, noticed the suspicious activity, and took the initiative to follow up.
Second, the COI found a number of vulnerabilities, weaknesses, and misconfigurations at the technical level in the SingHealth network and database system, which allowed the attacker to obtain and exfiltrate the data. Many of these could have been remedied before the attack.
Third, the COI observed that although SingHealth was ultimately responsible, it had no management line of sight with regard to the assessment of cybersecurity risks. SingHealth lacked the necessary expertise and resources, and was wholly dependent on IHiS, even at the management level.
The COI, having heard evidence from CSA, also established that the cyber-attack was the work of a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat (APT) group. This finding was corroborated by international expert witnesses. APT is a class of cyber-attackers, typically state-linked, who conduct extended cyber campaigns to steal information or disrupt operations. The COI found that the attacker was well-resourced, and had used advanced techniques and tools to target the SingHealth patient database and illegally exfiltrate patient data. The attacker was persistent, evaded detection for a long time, and even re-entered the network after being detected.
Appropriate action has been taken, and we know the identity of the attacker. But, for national security reasons, I will not comment further.
The detailed evidence for all of the COI’s findings is in the public report. But it does not include highly sensitive information – pertaining to SingHealth’s network architecture, technical vulnerabilities which were exploited in the attack, and the identity of the attacker – which is only in the classified COI report.
The COI’s recommendations
Let me now turn to the recommendations. The COI has made 16 recommendations to strengthen SingHealth’s patient database system, as well as public sector IT systems which contain large databases of personal data. Seven are priority recommendations, which should be implemented immediately, and nine are additional recommendations, which are to be seriously considered. The recommendations fall into four broad categories: People, Process, Technology, and Partnerships.
On People, the COI notes that front-end users are often the weakest link targeted by attackers, and that it is line staff who are often the first to notice a security incident and respond. Hence, the recommendations include enhancing cyber hygiene practices, building a culture of cybersecurity across the entire organisation, and ensuring that IT staff are well-trained and equipped to respond to cybersecurity incidents.
The COI also calls for strong institutional Processes. In incident response, for example, there should be clear plans and SOPs, and regular exercises with realistic scenarios to test their effectiveness. There also should be regular and comprehensive checks to identify vulnerabilities and high-risk areas, accompanied by audit and compliance checks to ensure that the identified gaps have been plugged.
On Technology, the COI has proposed various measures to strengthen cybersecurity to better prevent, detect and respond to future attacks. These include stronger encryption for data; heightened monitoring of database activity; and an integrated system to aggregate and analyse threat information in real-time, and rapidly isolate and contain the infected system.
The COI has highlighted the need to build up collective security over our systems given that Singapore is highly connected and a high-value target. This can be achieved by strengthening Partnerships between the Government, industry and international partners, in areas such as threat intelligence sharing.
The COI has emphasised that, ultimately, cybersecurity must be an integral part of a broader risk management framework, and cannot be treated merely as a technical matter. Organisations need to strike a balance between security considerations, operational requirements and cost – and these trade-offs and decisions must be made at the Board and CEO level, and not just by the Chief Information Security Officer (CISO) and the technical staff.
Government’s response to the COI
Government acceptance of COI’s recommendations
Mr Speaker, the Government accepts all of the COI’s findings and recommendations. Cybersecurity is a critical enabler of our Smart Nation ambitions. We will therefore fully adopt the COI’s recommendations and do our utmost to ensure that our IT and database systems are secure, and that personal data collected by Government systems is well-protected.
I will now elaborate on the Government’s efforts, ongoing and in response to the COI report, to strengthen cybersecurity at both the national level and across the public sector. Minister Gan will cover the public healthcare sector’s efforts.
The Government’s approach to cybersecurity is underpinned by two key principles that have also been highlighted by the COI.
First, we adopt a ‘defence-in-depth’ strategy, with multiple layers of cyber defences to impede an attacker. These layers of defence cascade from the perimeter to within our systems, as we recognise that a sophisticated and determined attacker, given enough time and resources, may find a way through. This is why we also have capabilities in our layered defence that enable swift detection of a breach, and decisive response.
Second, we seek to enhance our system defences by strengthening our people, processes and technology. Our aim is not only to monitor and respond robustly to an incident, but also to ensure a quick recovery and resilience in our system.
Follow-ups by CSA
The COI emphasised that the battle against today’s cyber threats must be based on networked defence across organisations and sectors. The COI also recognised the Government’s commitment to such collective security, by establishing the Cyber Security Agency of Singapore (CSA) to coordinate our national cybersecurity efforts. CSA leads our national level response to the cyber threat, including by reinforcing cybersecurity in all CII sectors.
Immediately after the cyber-attack, and even as the COI proceedings were underway, CSA instructed all CII sectors to strengthen network security by taking additional prescribed measures, such as removing non-essential connections to unsecured external networks, and implementing uni-directional gateways like data diodes to prevent data leakage.
CSA also accelerated the implementation of the Cybersecurity Act, which provides the legislative framework for the oversight and maintenance of national cybersecurity. The Act came into force on 31 August 2018, and CSA designated all CIIs by 31 December 2018. All CII owners must now comply with their obligations under the Act. These include adhering to essential cybersecurity measures set by CSA through the Cybersecurity Code of Practice, reporting cyber incidents to CSA within prescribed timeframes, and conducting regular risk assessments and audits of their CIIs.
In addition, CSA also instructed all CII owners through their sector leads to conduct thorough internal reviews of their cybersecurity posture against the gaps identified during the COI hearings. These included reviews of their people, process, and technology measures, such as mandating cybersecurity training and awareness programmes; establishing a robust patch management process; and implementing access management solutions to manage privileged administrator accounts. CSA has directed CII owners to implement plans to close any identified gaps, and report the results.
CSA will continue to actively work with the sector leads and CII owners to reinforce their cyber defences and cyber resilience, and safeguard the cybersecurity of our systems and networks.
Measures by SNDGG
I now turn to the cybersecurity of public sector systems, which is a key enabler for our Smart Nation initiatives to improve public services for our citizens and businesses. SNDGG had already started enhancing the cybersecurity of Government systems before the cyber-attack.
Upon discovering the cyber-attack, SNDGG paused the rollout of new Government systems from 20 July to 3 August 2018. During this pause:
- First, SNDGG checked and confirmed that other systems were not breached by the same attacker, whether through the IHiS system or via a separate breach.
- Second, SNDGG and CSA reviewed the Government’s cybersecurity posture, and introduced additional measures on critical Government systems to enable us to detect and respond more quickly to cybersecurity threats.
The findings and recommendations of the COI give added impetus to our efforts to continuously review and enhance the cybersecurity of Government systems. In particular, the findings re-affirmed the ‘defence-in-depth’ approach that the public sector had adopted towards cybersecurity. The public sector will also continue to strengthen our defences on all fronts – people, process, technology and partnerships, as informed by the COI recommendations.
In terms of people and processes, SNDGG will strengthen existing processes to prevent lapses and heighten vigilance. The public sector will use technology even more to support its IT staff and automate cybersecurity tasks such as patch management, so as to carry out these tasks more reliably. SNDGG will further tighten internal checks and enhance security audits, for example, by increasing their frequency. We will also instil a stronger cybersecurity culture across the public service. This will be done by conducting more exercises to sharpen our officers’ readiness, and by training all public servants in cybersecurity. Above all, we expect our officers at all levels to be aware of their responsibilities, to be accountable for their actions, and to perform their duties to the best of their ability.
On the technical front, SNDGG will continue to shore up defences at the perimeter of Government systems, while introducing measures to better detect and respond to intrusions within our systems. Beyond the measures implemented during the pause in the rollout of new Government systems such as monitoring critical Government databases, SNDGG is also looking into improving the architecture of Government systems to enable more extensive monitoring and detection of abnormal activities.
We also recognise that the Government cannot strengthen its cybersecurity alone. Therefore, Government will enlist the expertise of the larger cybersecurity community, including ethical hackers, to help us surface and detect vulnerabilities in our ICT systems. The Government Technology Agency (GovTech) and CSA have launched a Government Bug Bounty Programme, and have invited local and international white-hat hackers to search for and uncover vulnerabilities on five Internet-facing Government systems and websites[1]. This will help us draw in a wide range of expertise to help identify cyber blind spots and benchmark our defences against skilled global hackers.
Tracking the implementation of the COI recommendations
In terms of tracking the follow-up, CSA will oversee the follow-up on the COI’s recommendations across all 11 CII sectors, which includes the public sector. To do this, CSA will work through the sector leads of the 11 CII sectors, who are responsible for monitoring implementation in their respective sectors and for reporting progress to CSA as the national cybersecurity authority. SNDGG, as sector lead for the Government sector, will monitor implementation for Government systems. We will then track overall progress via regular updates at the relevant Ministerial committees.
Personal Data Protection Commission’s findings
The Personal Data Protection Commission (PDPC) has also completed its investigations of the data breach incident. Both IHiS and SingHealth have been found to be in breach of the Personal Data Protection Act. PDPC has imposed a total financial penalty of S$1 million, comprising S$750,000 and S$250,000 on IHiS and SingHealth respectively; these are the highest penalties meted out by PDPC to date.
Government’s position on malicious cyber activities
The measures recommended by the COI will help us defend ourselves better against malicious cyber activities, including from international attackers. This was not the first instance where we were targeted and it will not be the last. Our networks are continually probed for weaknesses, and regularly attacked.
A cyber-attack of the scale and sophistication that was launched against SingHealth could also be mounted on any one of our major IT systems, threatening the safety and security of Singapore and Singaporeans which are of paramount importance. Singapore is firmly committed to the establishment of a rules-based international order in cyberspace. We condemn all malicious cyber activity that seeks to undermine the integrity of the international political and economic system, and violates the norms of behaviour in cyberspace as set out in the 2015 UN Group of Governmental Experts consensus report. This includes the cyber-enabled theft of sensitive data. Such activities can have a disruptive impact on Singapore, and internationally, in our highly interconnected world.
Singapore has consistently advocated that the international community come together to build consensus and develop a rules- and norms-based international order in cyberspace – a cyberspace that fosters trust and confidence, and one where its users can remain safe and secure. This is consistent with Singapore’s fundamental stand that a rules-based multilateral system is indispensable to secure peace and stability in the international arena. To this end, Singapore has been actively hosting and supporting regional and international discussions and cybersecurity programmes aimed at building consensus on the rules of behaviour in cyberspace. Singapore stands ready to work with all parties toward closer international cooperation in the cyber and digital sphere.
Conclusion
Mr Speaker, to conclude, the Government takes very seriously its responsibility of ensuring the cybersecurity of our systems that are vital to the provision of essential services. The findings and recommendations of the Committee of Inquiry into the SingHealth cyber-attack have helped to sharpen our focus, and given further impetus to our efforts to secure our systems and databases, especially against a sophisticated cyber attacker.
But there is no permanent fix, nor is there absolute cybersecurity. It is a constant battle – against cunning adversaries with advanced capabilities. And we cannot let incidents like this derail our Smart Nation initiatives that can enhance our economic competitiveness and deliver better public services.
We will do our utmost to strengthen Singapore’s cyber defence capabilities and prevent cybersecurity breaches. However, if a breach occurs despite our best efforts, we must have the capability to detect it quickly and respond robustly to minimise the damage. Our people must stay resilient in the face of such a continuing threat while doing their part for our cyber defence. We will learn from this incident, emerge stronger and uphold the trust of Singaporeans.
[1] These systems are: gov.sg website; REACH website; Ministry of Communications & Information’s Press Accreditation Card (PAC) Online; Ministry of Foreign Affairs (MFA) website; and MFA eRegister.