Singapore to Open Cybersecurity Agency
Experts Weigh in on Mission, Viability of New CSA
As the Singapore government firms up its plan to set up a new agency to work closely with private-sector bodies in driving strategic cybersecurity initiatives, security experts question whether the agency can take a holistic approach and effectively coordinate with industry.
These reactions follow the announcement from the office of Singapore Prime Minister Lee Hsien Loong about the establishment of the new Cyber Security Agency of Singapore.
The Prime Minister's Office says CSA will start operations on April 1, with the objective of consolidating and centralizing oversight of cybersecurity functions.
Government sources say Yaacob Ibrahim, minister for communications and information, will be minister-in-charge of cybersecurity. The agency will work closely with the private sector on strategy and policy development matters, as well as build the capacity of skilled InfoSec professionals.
The CSA, which will come under the purview of the prime minister's office, will replace the functions of the Singapore Infocomm Technology Security Authority and take over some roles currently undertaken by the Infocomm Development Authority and Singapore Emergency Response Team.
"There is a need to grow Singapore's pool of InfoSec experts and build their capabilities to defend network infrastructure from cyberthreats," Ibrahim says.
Ibrahim also says the city-state is upgrading its Cyber-Watch Centre, which would track malicious activities and respond swiftly to security breaches.
CSA will also work with Singapore's institutes of higher learning to include InfoSec courses and degree programmes in the curriculum, besides working with industry partners to attract and retain skilled professionals.
Experts on CSA's Mission
While commending the government's move, security experts say CSA should harness existing resources and collaborate effectively with private enterprises to fight the growing threat landscape.
Robert Sin Hock Poh, director of Singapore Programme at Financial Services Information Sharing and Analysis Center (Asia), feels the government is moving in the right direction.
"Earlier, there was not much co-ordination from the IDA with the private and public enterprises on the cybersecurity front, since it was seen as a broad phenomenon," Poh says. "But I'd expect CSA to work closely and be a good one-point contact on dealing with cybersecurity issues."
Some issues Poh expects CSA to deal with are: making the cybersecurity policy that IDA came up with operational; giving impetus to the cyber intelligence framework of the country; building sufficient cyber skills; and building capacity within the state to fight growing cybercrime.
Singapore-based Dan Dinnar, vice president-Asia Pacific at Cyber Ark Software, says businesses have been facing more sophisticated, advanced targeted attacks -- especially organizations in critical infrastructure or related markets such as financial services, telecommunications, energy, and water supply.
Against this backdrop, he says, "CSA's role would be justified in striking the right chord between public and private sectors so they make efforts to protect national infrastructure, particularly in the energy, banking, power, transport and telecommunications sectors."
John Lim, president of ISACA in Singapore, points out that CSA's key mission should be to harness the combined resources existing in the industry, whether talent pool, security solutions, or technologies, in tackling emerging cyber-threats.
"CSA should take a holistic view and align with various parties in developing emergency response teams," says Lim.
Experts assume that CSA will rope in existing agencies under the ministry of home affairs and IDA in implementing the cybersecurity master plan to build relevant systems to monitor and respond to threats.
Beefing up Security
One challenge the government faces is a lack of appropriately trained, qualified and certified cybersecurity professionals.
Lim emphasizes that a strategy for IT security capabilities must be in place for any organization seeking to improve its cybersecurity posture.
"CSA should consider how to increase knowledge and professionalism among cybersecurity professionals, and continuous education and awareness in harnessing new technologies," argues Lim.
The key issue, says CyberArk's Dinnar, is that though organizations have made investments in information security, they have primarily been reflective of compliance mandates. Today, there's a pressing need for dynamic security practices to help protect, detect, monitor and respond to potential threats.
"Many organizations are still using perimeter-based security strategies," he says. "A determined attacker will bypass the perimeter with ease."
He recalls a statement made by former United States FBI Director, Robert Mueller, in 2012: "There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again."
"Attackers are already inside the network, so organizations need to look at deploying defences that focus on preventing an attacker from moving around behind the perimeter, on the inside; for this, CSA must take up some educational program for citizens and enterprises," points out Dinnar.
However, Poh says that while the government has effective security measures and policies in place, the most desired action is to get the right message across to enterprises.
"Information sharing and finding a method to educate and create awareness among security practitioners across the private and public enterprises is vital in preventing cyberattacks or creating a cyber-secure eco-system," Poh says.