Mr Speaker Sir,
Let me start by reiterating the key facts.
1. First, SingHealth’s IT system was the target of a deliberate and well-planned cyber-attack.
2. Second, this attack caused the most serious breach of personal data in Singapore’s experience.
3. Third, the personal particulars of 1.5 million patients, including the outpatient dispensed medication records of 160,000 patients, were illegally accessed and copied.
4. Fourth, Prime Minister Lee Hsien Loong’s records were specifically and repeatedly targeted.
5. SingHealth and Integrated Health Information Systems (IHiS) are private companies, not statutory boards. However, their patient databases are part of our Critical Information Infrastructure (CII). A cyber-attack on any CII can disrupt essential services and affect public welfare and confidence.
6. We have done a detailed analysis of this attack and have determined that it is the work of an Advanced Persistent Threat (APT) group. This refers to a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations. The APT group that attacked SingHealth was persistent in its efforts to penetrate and anchor itself in the network, bypass the security measures, and illegally access and exfiltrate data. The attack fits the profile of certain known APT groups, but for national security reasons we will not be making any specific public attribution.
7. Given the serious implications of this incident for public health and safety, I have convened a Committee of Inquiry (COI) to get to the bottom of this incident, learn from it and implement stronger safeguards.
8. We will do our utmost to strengthen our cybersecurity. But it is impossible to completely eliminate the risk of another cyber-attack. This is an ongoing battle with potential cyber attackers who are constantly developing their capabilities and seeking out new vulnerabilities.
9. We should not let this incident or any others like it derail our Smart Nation initiatives. In fact we must pursue these initiatives for they will bring benefits and opportunities for Singaporeans. What matters most is that our people and systems remain resilient, that we are able to respond swiftly and effectively to a cyber-attack, and that we strengthen our defences and harden our systems.
10. I want to thank members for raising a range of questions on the cyber-attack, our response and the COI, and I will now address them in detail.
Recap of incident
11. Let me start by adding CSA’s perspective to the Minister for Health’s detailed account of this incident and subsequent response.
12. On 10 July 2018, CSA was notified that an unauthorised network intrusion had occurred at SingHealth. CSA immediately deployed members of its National Incident Response Team to investigate the incident. The CSA team conducted forensic investigations on suspected compromised computers, and supported IHiS in implementing measures to contain the attack. This included blocking unauthorised connections to prevent access by the attacker, resetting servers, enforcing mandatory password resets for all SingHealth users, heightened monitoring across all public healthcare IT systems, and implementing Internet Surfing Separation.
13. CSA’s investigations ascertained that on 4 July 2018, IHiS system administrators had discovered unusual activity on one of SingHealth’s IT databases, which triggered follow-up investigations by IHiS’s IT team. CSA subsequently established that the attackers had obtained a foothold in SingHealth’s network by infecting a front-end computer with malicious software (malware). The attackers had evaded detection by the SingHealth network security tools, moved stealthily through the system, eventually gained access to the database servers storing SingHealth’s patient records, and copied the data to servers hosted overseas from 27 June to 4 July 2018. No further data loss has been detected since 4 July 2018.
14. Based on the logs, two types of data were illegally accessed: personal particulars, including the name, NRIC number, address, gender, race and date of birth of 1.5 million patients; and the outpatient dispensed medication records of 160,000 patients.
15. The attackers also repeatedly and specifically tried to steal the medical records and data of Prime Minister Lee Hsien Loong. PM Lee’s personal particulars and outpatient dispensed medication records were stolen.
16. However, to reinforce the point that Minister Gan made, no phone numbers, passwords or credit card information were accessed or stolen. Neither were other medical records – such as diagnoses, test results, or doctor’s notes – they were not illegally accessed. The data that was illegally copied was not tampered with, nor was it deleted.
17. CSA has done a detailed analysis of the SingHealth cyber-attack, and has determined that it is the work of an Advanced Persistent Threat (APT) group. An APT group refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations. Some recent examples of cyber-attacks by APT groups include the hacking of the US Democratic National Committee in 2016, and the theft of more than 20 million personnel records from the United States Office of Personnel Management (OPM) in 2014. Singapore has also been the target of APT attacks, such as that on NUS and NTU last year.
18. The cyber-attack on SingHealth had characteristics that are typical of an APT attack. The attacker used advanced and sophisticated tools, including customised malware that was able to evade SingHealth’s anti-virus software and security tools. After establishing a foothold in the network, the attacker took steps to remain in the system undetected, before stealing the patients’ information.
19. The attack fits the profile of certain known APT groups, but for national security reasons, we will not be making any specific public attribution.
Committee of Inquiry
20. Let me now turn to the Committee of Inquiry. With your permission Mr Speaker, may I ask the Clerk to distribute a note on the COI’s composition and terms of reference? In summary, the COI will establish the events and contributing factors leading to the cyber-attack, and the incident response. It will also recommend measures to safeguard public sector IT systems containing large databases of personal data, including those in the public healthcare clusters, against similar cyber-attacks. The COI will submit its report by 31 Dec 2018.
21. The Chairman and Members of the Committee have the legal, technical and operational expertise to conduct a thorough and rigorous Inquiry.
• The Chairman Mr Richard Magnus was formerly the Senior (subsequently termed Chief) District Judge. He has chaired two other COIs before.
• Mr Lee Fook Sun is the former President of ST Electronics, and currently Executive Chairman of Quann World, a cybersecurity company.
• Mr T K Udairam was formerly CEO of Changi General Hospital, and he has decades of experience in healthcare administration.
• Ms Cham Hui Fong is a former Nominated Member of Parliament (NMP) and Assistant Secretary General at the National Trades Union Congress.
22. The COI has already started its work. The Committee has had preparatory meetings and will soon hold its first pre-inquiry conference. AGC will lead evidence and CSA will lead a team to conduct the investigations.
23. After receiving CSA’s investigation report, the COI will conduct the inquiry hearings. As some aspects of the inquiry have security implications, the COI will decide which part of its hearings can be held in public.
24. Some Members have asked whether the SingHealth cyber-attack could have been prevented, and what are the lessons learnt. As the COI will be addressing these issues, I seek Members’ understanding to allow the Committee to conduct a thorough investigation and to complete its work, without pre-empting its findings.
Government Measures to Strengthen Cybersecurity
25. Meanwhile, the Government has taken additional measures to strengthen our cybersecurity defences.
26. CSA’s forensic investigations team has analysed the compromised computers, and extracted Indicators of Compromise – these are pieces of forensic data used to identify malicious activity on a network. CSA then instructed owners and regulators of CII to scan for these Indicators, and advised on possible measures to mitigate a similar incident. CSA has also instructed CII sectors to strengthen the security around their network connectivity gateways.
27. In addition, the Cybersecurity Act passed by this House in February this year gives the Government additional levers to strengthen the protection of CII against cyber-attacks, and to respond to national cybersecurity threats and incidents. CSA is currently implementing the provisions of the Act, and will designate all CII by the end of 2018.
28. Notwithstanding these measures, we must recognise that a balance must be struck between cybersecurity on the one hand, and operational efficiency and service quality on the other. This is a dynamic balance that will change as the threat landscape evolves. CSA will direct CII owners on the essential security measures they must adopt to meet a required standard. Beyond this, CSA will also render its professional advice on what CII system owners could do to further strengthen their defences. Ultimately, owners and regulators of CII are responsible for ensuring the security and uninterrupted operations of the essential services they provide.
29. The Government had taken the added precaution of calling for a pause in the introduction of new ICT systems, although there was no evidence that Government ICT systems had been compromised in this cyber-attack. The Smart Nation and Digital Government Group (SNDGG) was directed to review the cybersecurity measures of all existing and upcoming Government systems. SNDGG has completed its review, and will implement additional security safeguards where necessary. The pause on new systems was lifted on 3 August 2018.
30. Cybersecurity is the foundation of our Smart Nation and Digital Government drive, and the Government is resolute in its commitment to strengthen our cyber defence, as well as our detection and response capabilities, in the face of the evolving cybersecurity threat.
How organisations and individuals can protect themselves
31. All organisations – not just CII operators – should take this incident as a warning to review their cybersecurity system, and ensure the protection of their IT systems and databases, including personal data.
32. There have been concerns that the data stolen through the SingHealth cyber-attack could be used for fraudulent transactions or identity theft. I would like to emphasise that there are multiple safeguards in place to mitigate such risks, especially for financial transactions and sensitive government e-transactions.
33. Let me elaborate:
• Financial institutions generally do not rely solely on personal information, like those stolen in the SingHealth cyber-attack, to verify customer identity.
• All banks and insurance companies in Singapore already have two-factor authentication (2FA) for online financial services, such as making fund transfers or accessing account details. To log in, the account holder has to input his/her PIN and a one-time-password (OTP), received via SMS or the bank’s authentication token. An additional authentication layer – commonly known as “transaction signing” – protects higher risk transactions, such as adding a third party payee or transferring large sums of money.
• Unless the attacker has access to all authentication information, it would not be possible for fraudulent transactions or identity theft to occur.
34. To address any residual risk, MAS has directed all financial institutions to take further measures, as announced in its press statement on 24 July.
35. Similarly, since July 2016, all sensitive government e-transactions have been protected by SingPass 2FA. The account holder would need to input his/her SingPass username and password, and an OTP. Since the SingHealth cyber-attack, agencies have taken further measures, such as heightened monitoring of their IT systems, and strengthening of the identity authentication process.
36. Individuals can also do their part by practising good personal data protection and cybersecurity habits. They should ensure that their passwords, user IDs and security questions are not based on personal data, use strong passwords, enable 2FA for online transactions, and watch out for fraudulent transactions and suspicious requests for their personal data. SingCERT has published online the precautions that individuals can take in view of the SingHealth incident. Individuals may also contact SingCERT to report a cybersecurity incident, and the Personal Data Protection Commission to lodge reports of personal data breaches under the Personal Data Protection Act.
37. Mr Speaker, to conclude, I would like to emphasise to Members that this was a well-planned and targeted cyber-attack by an Advanced Persistent Threat group. We will get to the bottom of this incident, learn from it and further strengthen Government IT systems. But I caution the House: We cannot completely eliminate the risk of another cyber-attack breaking through our defences.
38. Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism. It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses. Therefore, even as we do our best to strengthen our IT systems, it is crucial that our people and systems remain resilient; that we are able to respond robustly and decisively to an incident; and that we constantly learn and reinforce our system.
39. Despite this incident, or any others like it, we must press on with our plans for a Smart Nation, after learning and applying the lessons from this incident. We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans. The Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases. We will learn from this cyber-attack, implement measures to better secure our IT systems and databases, and uphold public trust in our systems.