A new era of cybersecurity threats has dawned. The first two quarters of 2017 saw the inordinate of cybersecurity meltdowns: viral, state-sponsored ransomware, leaks of spy tools from the US intelligence agencies, and full-on campaign hackings. This is the continuation of the cyber war from the early years.
Throughout the years, common cyberattacks that include viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorised access to confidential information, and taking control of systems, have evolved. The strongest of these malicious cyberattacks is Ransomware.
The first ransomware attack was reported in 1989. Cybercriminals had illegally planted ransomware in computers, IT systems and other devices to disable them until the owner or operator pays a sum of money to regain control or access to these devices.
Twenty-eight years later, ransomware is still creating chaos. It has since evolved into different forms, dressed in different names.
The diagram shows the percentage distribution of ransomware variants observed by Kaspersky Labs, 2015-2016. Image via SecureList.
Some of the newer variants discovered in 2017 include WannaCry, Petya/NotPetya/Nyetya/Goldeneye, Wikileaks and Cloudbleed. In Singapore, it was reported that one in three SMEs suffered a ransomware attack last year.
As cybercriminals get more intelligent, we must be more vigilant and conscientious than before in taking preventive measures. Basic security measures include the use of firewalls, anti-virus software, intrusion detection and prevention systems, unique encryption and login passwords, and casting cyber insurance policy as a safety net.
Another area we must consider is the cybersecurity regulation. In a nutshell, cybersecurity regulation is an act that gives an added push for companies to seek professional assistance in protecting their systems and information from cybercriminals. It is, therefore, imperative that we include cybersecurity in our regulatory examinations to make sure that our systems are safeguarded always.
On a national level, Singapore takes cybersecurity threats very seriously. As Singapore has the highest level of digital connectivity in the world, a cyberattack on our critical information infrastructures or CIIs will have a colossal impact countrywide.
Singapore’s current Computer Misuse and Cybersecurity Act focuses on cybercrime per se. However, CSA Chief Executive David Koh emphasized that we need a “more multi-faceted bill to oversee the evolving cybersecurity landscape.” That called for the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) to seek feedback on the proposed Cybersecurity Bill in 2016.
In the same year, our Prime Minister Lee Hsien Loong rolled out Singapore’s Cybersecurity Strategy to create a more resilient and trusted environment for our nation.
Four pillars underpin its strategy:
- Educate the public about internet security and online safety
- Step up the protection of Singapore’s essential services in key sectors such as emergency services, e-Government, banking and finance, utilities, transport and healthcare
- Establish a professional workforce for the cybersecurity sector and this includes creating opportunities for existing professionals (e.g. the Cyber Security Associates and Technologists (CSAT) program allows existing ICT professionals with three years of work experience to switch over to cybersecurity roles via a six-month training scheme)
- Build stronger international relationships with regard to cyber incident response and even prosecuting cybercrime that crosses national boundaries
In July of 2017, the MCI and the CSA released a new Singapore Cybersecurity Bill for public consultation. The draft bill aims to be a broader omnibus cybersecurity law, highlighting a coordinated national approach to cybersecurity with provisions applying equally to both public and private sectors.
The following are the key proposals under the draft Cybersecurity Bill:
1. Appointment of Commissioner of Cybersecurity
The Bill will vest in the CSA’s chief as Commissioner of Cybersecurity to investigate threats and incidents to ensure that essential services in key sectors – such as emergency services, e-Government, banking and finance, utilities, transport and healthcare – are not disrupted in the event of a cyberattack.
2. Critical Information Infrastructure
The Bill aims to protect critical information infrastructure (CII) across both public and private sectors, requiring all organisations to share information to support cybercrime headed by the CSA. Banking and privacy rules that forbid the sharing of confidential information will be superseded by the Cybersecurity Bill.
3. Measures to be Undertaken by CII Owners in Response to Cybersecurity Threats and Incidents
CII owners are required to:
– Notify the Commissioner of the CII suffering a cybersecurity attack;
– Conduct regular system audits by a Commissioner-approved third-party;
– Conduct regular risk assessments of the CII;
– Comply with directions issued by the Commissioner, including providing access to premises, computers or information during investigations.
4. CII Designation
The Commissioner may identify and designate new systems as CII during times of national emergency. The designation of a computer or computer system as a CII is an official secret under the Official Secrets Act.
5. Regulation of Cybersecurity Service Providers
Cybersecurity providers performing either investigative work (e.g. hacking and forensic examination) or non-investigative work (e.g. managed security operations) must meet basic requirements to qualify for a license. Investigative cybersecurity service practitioners such as hackers must also apply for individual licenses. Unlicensed providers will face a maximum fine of S$50,000, imprisonment of up to two years, or both.
CSA also reported that Singapore will collaborate with Germany to boost both countries’ cybersecurity.
The draft Cybersecurity Bill will undergo the legislative process and is expected to be passed into law in 2018. It would be interesting to see if there would be changes in the draft after the public consultation held in August 2017.
As we grow to be more reliant on information technology, with e-commerce becoming an important contributing sector to our economy, we must take cybersecurity very seriously before it’s too late. Cybersecurity is vital to our business operations, especially in safety-critical systems, such as emergency response, and to the protection of our infrastructure systems.
So, what have we done to combat cybercriminals, and in building a resilient and robust security system alongside our government’s anti-cyberattack initiatives? And how have we responded to Singapore’s cybersecurity regulation? The clock has started ticking.
My article was published on BBN Times on 1 December 2017
About the author
I am an Internet, Security, and Data Center Industry veteran and executive who has worked for several Internet startups to Fortune 150 in many different capacities from technical to business level roles.
Unless otherwise noted, opinions expressed are solely my own and do not express the views or opinions of my employer.