MDDI's response to PQ on CSA's Role in Investigating Mobile Guardian App's Hacking Incident

Parliament Sitting on 10 September 2024

QUESTION FOR ORAL ANSWER

*71. Ms Hazel Poa asked the Minister for Digital Development and Information (a) whether the Cyber Security Agency (CSA) is assisting the Ministry in investigating the Mobile Guardian hacking incident in August 2024; (b) what is CSA’s role in assisting other agencies in investigating security vulnerabilities in IT systems owned, operated, or otherwise used by the Government; and (c) whether the task force set up to bolster Singapore’s tech resilience following the CrowdStrike outage will also be assessing the Mobile Guardian incident in August 2024.

Answer:

The Cyber Security Agency (CSA) focuses on the higher risk systems that could affect our national security and delivery of essential services because of the widespread or systemic impact if disrupted. These are designated as Critical Information Infrastructure (CII) under the Cybersecurity Act, and held to high standards of cybersecurity and resilience. CSA also requires CII owners to conduct regular audits and testing on their CIIs so that vulnerabilities can be quickly identified and remediated. If they encounter cyber-attacks, CSA’s incident response teams will support CII owners to investigate, contain and remediate the attack.

But not all government information technology (IT) systems are designated as CIIs, nor should they be. Disruptions to non-CII IT systems cause varying degrees of impact. It is therefore only practical to take a risk-based approach in managing their cybersecurity and resilience. Their disruption may cause inconvenience and loss which should certainly be avoided. But, the consequences are generally localised or do not pose widespread or systemic disruptions compared to disruption to a CII. The owners of these non-CII systems, are in the best position to decide the resources to be put in to protect such systems against disruption, which should in general, be proportionate to their risks and impact. All systems must, however, maintain a baseline of cybersecurity and resilience measures that are appropriately stepped up according to their risk assessments. Defensive measures must also be complemented by business continuity plans that mitigate the impact of disruptions when they occur. Agencies that own IT systems are responsible for their cybersecurity and resilience. They can draw on the expertise of CSA and Government Technology Agency (GovTech), if needed, to investigate vulnerabilities and compromises that have been discovered.

A device management solution such as that provided by Mobile Guardian is not a CII. While the Ministry of Education has overall responsibility for its cybersecurity and resilience, CSA and GovTech provided various types of support such as forensic investigations when incidents happened. The Minister of Education has already covered the details in his earlier reply.

My Ministry has set up the Task Force to draw lessons from the CrowdStrike incident as the incident had the potential to cause disruptions to a wider set of systems. This is part of the effort to strengthen the overall security and resilience of our digital infrastructure.