Cybersecurity and Digital Resilience

Reinforcing our cybersecurity and digital resilience

Singapore has benefitted considerably from digitalisation, with technology unlocking many new opportunities for our citizens. Besides contributing to Singapore’s economic growth, technology has improved citizens’ lives across areas like healthcare and education. Emerging technologies such as generative artificial intelligence (AI) present Singapore with greater opportunities to improve our productivity and strengthen the competitiveness of our industries. However, as digital technologies become more ubiquitous, Singapore must also tackle new risks and threats.

Reported cybersecurity incidents remained high. Cybersecurity threats have also grown more sophisticated, intensified by emerging technologies. For example, in Singapore, AI has been used to enhance phishing attacks and perpetuate scams.

Through the Singapore Cybersecurity Strategy, the Government remains committed to a multi-pronged approach to defend against cyber threats and build a safer digital domain.

Read more: External and Homeland Security | Government and Regulations

Developing a vibrant cybersecurity ecosystem and robust cyber talent pipeline

To protect Singapore from cyber and digital threats, we worked closely with industry and academia to develop a vibrant cybersecurity ecosystem and strong cybersecurity workforce.

• The National Cybersecurity Research and Development Programme (NCRP), continued to support cutting-edge cybersecurity research in Singapore. An example is the Trustworthy AI Centre (TAICeN) at Nanyang Technological University, where researchers worked to integrate AI with cybersecurity while ensuring system reliability. TAICeN’s innovations, such as Large Language Model-based fuzz drivers and critical vulnerability discoveries, were used to strengthen the security of a wide range of devices, from consumer electronics to industrial systems. Between August 2022 and August 2024, TAICeN published over 20 publications, won several international awards, and was globally recognised for its development of AI security technologies.
  

• We worked with Institutes of Higher Learning to commercialise and export advanced cybersecurity technologies. For example, in 2024, an NCRP-funded research team developed anomaly detection tools for protecting the operational technology systems of water treatment plants.

To enhance our cybersecurity talent pipeline:

• The Government launched the Talent, Innovation and Growth (TIG) plan and the CyberSG TIG Collaboration Centre in September 2023 to integrate and create programmes for industry and talent development in Singapore. As part of the plan, the SG Cyber Associates programme was launched in October 2023 to provide foundational and targeted cybersecurity training for non-cybersecurity professionals, with more than 350 individuals trained as at August 2024.

• Through the SG Cyber Youth programme, we have developed young talent in cybersecurity skills. As at June 2024, more than 2,100 secondary school students have been trained in the programme. In particular, the Youth Cyber Exploration Programme offers training and opportunities for students to hone their cybersecurity skills through Capture-The-Flag competitions. In 2023, a team of four youths who participated in the SG Cyber Olympians programme emerged as champions in the Cyber SEA Games.

Building resilient digital infrastructure

We depend on Critical Information Infrastructure (CIIs) to support the delivery of essential services such as telecommunications, energy, transport, banking and finance, and healthcare. However, with increasing digitalisation, such important computer systems are exposed to a wider range of cyber threats. To ensure that essential services are not disrupted, we strengthened the cybersecurity and resilience of CIIs.

• To enhance existing protections for CIIs, the Government amended the Cybersecurity Act 2018 in May 2024 to account for changes in the cyber threat landscape.

• While AI can drive efficiency and innovation across various sectors, it can also be misused by threat actors to increase the speed, scale, and sophistication of cyber attacks. To help system owners securely adopt AI, we rolled out the Guidelines and Companion Guide for Securing AI systems [PDF, 447 KB] in 2024, which provides best practices on the implementation of security controls to protect AI systems against cyber risks and attacks.

• Quantum computing has the potential to break the encryption algorithms that keep our systems secure today. To build resistance against quantum attacks, we have been developing a national approach to migrate our digital ecosystem to a quantum-safe environment. Through the National Quantum-Safe Network Plus introduced in 2023, businesses are offered easier access to a quantum-safe network that safeguards their critical data. As at September 2024, two network operators Singtel and SPTel, together with SpeQtral, have each built a nationwide, quantum-safe network to serve businesses.

We invested further in the cybersecurity of our public sector systems.

• Leveraging big data analytics and AI tools, the Government Cyber Security Operations Centre enhanced the Government info-communications technology infrastructure and its capabilities to detect and respond to attacks against government systems more quickly and accurately, while simplifying and speeding up the investigation of cyber incidents.

• Through our cybersecurity programmes, such as the Crowdsourced Vulnerability Discovery Programme, Whole-of-Government Simulated Phishing, and various vulnerability scanning and penetration testing capabilities, we have tracked down infrastructure vulnerabilities upstream and prevented potential attackers from exploiting these vulnerabilities. We will continue to automate and strengthen these capabilities, leveraging the industry to scale our cyber defence efforts.

• CSA introduced the Cybersecurity Development Programme (CSDP) in July 2020 to address the increasing demand for trained cybersecurity professionals in the public sector. Fresh university graduates, recent graduates, and mid-career professionals who are successfully placed will first undergo a rigorous three-month classroom training at CSA Academy, Ngee Ann Polytechnic, and the Singapore University of Technology and Design, respectively. Subsequently, they will be deployed to a technical CSA division to gain hands-on cybersecurity experience. As at October 2024, about 200 CSDP officers have graduated from the programme, with over 50 deployed across 20 agencies.

Feature Story: Strengthening readiness against cyber threats

The Government conducted exercises such as Exercise Cyber Star, and the Critical Infrastructure Defence Exercise (CIDeX), an Operational Technology critical infrastructure defence exercise.

CIDeX 2023 was organised by CSA and the Digital and Intelligence Service (DIS), and involved over 200 participants from six government agencies and 18 commercial entities. It strengthened inter-agency collaborations and equipped agencies with the knowledge and skills to mount an effective response in the event of a cyber attack. The Singapore Armed Forces’ (SAF) Cyber Defence Test and Evaluation Centre built a large, simulated and realistic environment and applied a spectrum of cyber threat scenarios of varying intensity and complexity to test cyber defenders’ skills and responses.

The DIS will be establishing the SAF digital range in the next few years, which will be capable of simulating a wider set of sophisticated scenarios and environments to enable realistic training for a growing digital workforce. This will allow the SAF to train its forces, as well as host bilateral and multilateral exercises.

Enabling a safer cyberspace

Beyond CIIs, we have raised the cybersecurity posture of other digital systems and infrastructure that could impact businesses and Singaporeans’ lives and livelihoods. Through the Singapore Cyber Emergency Response Team (SingCERT), we facilitated the detection, resolution, and prevention of cybersecurity incidents in Singapore. In 2023, SingCERT published 168 alerts and 23 advisories, alerting organisations and members of the public about the latest cyber threats and recommending protective measures.

Strengthening the cybersecurity of enterprises and organisations

The Singapore Cybersecurity Health Report 2023 [PDF, 727 KB] showed that in 2023, eight in 10 organisations encountered a cybersecurity incident within a 12-month period. These attacks could cause significant disruption or financial damage, with the cost of a ransomware attack in Singapore estimated to be around $1.5 million on average in 2022.

To strengthen cybersecurity standards among businesses and organisations,

• We continued to support organisations in implementing cyber hygiene measures. As at September 2024, more than 370 businesses have been certified with Cyber Essentials and Cyber Trust marks.

• We also launched self-help resources such as the Internet Hygiene Portal in 2022, which would help businesses to assess their own security. As at September 2024, the security and hygiene levels of more than 28,000 unique websites and email domains had been scanned and assessed, with more than 8,000 unique domains implementing the recommendations.

• We introduced an online Cybersecurity Health Check tool in April 2024 for organisations to measure their own cyber hygiene implementation vis-a-vis other organisations in the same industry.

• As at September 2024, more than 500 devices have been labelled under the Cybersecurity Labelling Scheme, which rates the cybersecurity of consumers smart devices. This has enabled consumers to identify products with better cybersecurity provisions and make informed decisions. The scheme gained international traction and has been mutually recognised by other countries such as Germany, Finland, the Republic of Korea, and the Connectivity Standards Alliance’s cybersecurity labelling schemes. Such mutual recognition has helped facilitate manufacturers’ access to these markets and reduced their cost of compliance.

• Since June 2023, AI Verify Testing Framework and Toolkit has been open-sourced so that businesses can use it to test the performance of their AI systems against internationally-recognised governance principles, such as those from the EU and OECD. In May 2024, we expanded AI Verify to cover Generative AI through Project Moonshot. Project Moonshot can be used to conduct benchmarking and red teaming of Large Language Models (LLM) and LLM applications.

Practising good cyber hygiene

To encourage individuals to protect themselves against cyber threats, national cybersecurity campaigns were conducted to raise awareness and drive adoption of good cyber hygiene practices, such as the four Cyber Tips. CSA’s Public Awareness Survey 2022 found that compared to 2020, more Singaporeans were prepared to handle cyber incidents and agreed that they had a role to play in cybersecurity.

Recognising that cyber threats are ever-evolving, we have implemented preventive measures to enhance digital defences in the public domain and equip our citizens.

• Since 2023, we have progressively strengthened our authentication for high-risk transactions, reducing the risk of fraudulent, unauthorised transactions being conducted online. We implemented stronger identity authentication measures, such as facial verification, for high-risk Singpass transactions.

• To reduce phishing risk, we worked with major retail banks in Singapore to reduce reliance on SMS One-Time Passwords (OTPs) for authentication. For instance, since July 2024, the banks have progressively phased out the use of SMS OTPs for bank account login by customers who are digital token users

Feature Story: Sentinel Programme

In 2024, we expanded the Sentinel Programme to equip more youths with cybersecurity and digital skills such as Python programming, cryptography, and network forensics, to enable them to contribute to Singapore’s digital defence.

Since March 2024, programme activities have progressively begun for Year 1 students from secondary schools, junior colleges, polytechnics and Institutes of Technical Education.

Read more: External and Homeland Security

Growing public-private-people partnerships

We have grown our public-private-people partnerships to co-create a safer cyberspace.

• In February 2024, the Government worked with Google to roll out an Enhanced Fraud Protection feature to protect Android users registered in Singapore from likely malicious apps. This feature, the first-of-its kind globally, generated much international interest, with other countries following suit.

• Through the crowdsourced Vulnerability Disclosure Programme launched in 2018, we worked with the community to identify vulnerabilities in our systems. As at September 2024, over 3,000 white-hat hackers have tested government systems, and uncovered and patched 1,723 valid vulnerabilities. Such efforts ensure that government systems remain secure and resilient for businesses and citizens to use.

Read more: Government and Regulations

Enhancing international cyber cooperation

Cyber threats are international and cross-border. We continued to collaborate with regional and international partners to tackle transboundary threats, fostering an open, secure, and interoperable cyberspace for our businesses and citizens.

Bilaterally, we worked with key partners to enhance our operational readiness, stay abreast of evolving cyber developments and threats, and address common cybersecurity threats.

• In June and July 2024, we held bilateral cyber dialogues with the United Kingdom (UK) and Malaysia respectively.

• In July 2024, we hosted a delegation from the Cyberspace Administration of China.

• In October 2024, the Government hosted the 3^rd US-Singapore Cyber Dialogue.

These dialogues have facilitated information sharing and exchange of best practices among countries, to enhance our cyber resilience and foster cooperation to tackle common threats in cyberspace.

Multilaterally, we participated in international and regional fora to strengthen the rules-based international order.

• Singapore continued to chair the United Nations Open-Ended Working Group on Security of and in the use of Information and Communications Technologies (2021 – 2025) and convene the annual ASEAN Ministerial Conference on Cybersecurity to foster cooperation on rules and norms, confidence-building measures, and capacity building.

• As the ASEAN Voluntary Lead Shepherd on Cybercrime, Singapore organised several capacity-building initiatives. This included the 9^th ASEAN Senior Officials’ Roundtable on Cybercrime in October 2023 and the ASEAN Plus Three Cybercrime Conference in November 2023, to improve coordination among ASEAN member states and enhance ASEAN’s overall cybercrime response.

• Established since June 2021, the ASEAN Defence Ministers’ Meeting Cybersecurity and Information Centre of Excellence (ACICE) opened its physical centre in July 2023 to promote cooperation among ASEAN member states in the defence sector against cyber attacks, disinformation, and misinformation through information sharing and capacity building. ACICE co-organised the 2^nd Digital Defence Symposium in July 2024 with the S. Rajaratnam School of International Studies (RSIS).

• Since 2022, the Singapore Government and the UK Home Office have co-led the Policy Pillar under the International Counter Ransomware Initiative to counter threats by criminal ransomware groups, focusing on disrupting the ransomware ecosystem.

Read more: Legal and Diplomacy

Securing our digital future

While the Government continues to lead cybersecurity initiatives, building a safe and secure cyberspace requires a collective effort from businesses, the industry, and Singaporeans. This will allow Singaporeans to embrace opportunities offered by digitalisation with confidence, for a thriving digital future.

🡸 Previous Chapter: Infrastructure and Logistics