Ladies and Gentlemen,
(I) A trusted, secure, and resilient connectivity infrastructure
1. Thank you for inviting me to the inaugural Infocomm Media Cybersecurity Conference.
2. Singapore aims to be a Smart Nation and a leading digital economy. A secure, trusted and resilient space for digital connectivity and creating opportunities.
3. This push for technology as an enabler is important to our ambition in terms of where we want to grow our economy, how we create opportunities for our society and create jobs for our people. Whatever technology, enabler, and platform or product we want to use, they are exciting, innovative, disruptive and potentially transformative to the way we work, play and live. All of this rests on connectivity. The single computer, without connectivity, is not going to create a lot of opportunities in this space. It is the networks and platforms that interlinks products, services and computers that create the kind of new products, opportunities, platforms and businesses that we want to drive.
4. The way for progress has not just been about new computer powers or technologies. It has been about increasing acceleration around our connectivity infrastructure and technologies that we have. There is more coming – 5G, narrowband Internet-of-Things (NB-IoT) sensor networks, among others.
5. With all these connectivity, comes a need for cybersecurity. A single, isolated computer is easy to secure. But as soon as you have that connection, your threat surface increases, and opportunities for vulnerabilities and penetration also increase. Cybersecurity, in a way, is a consequence of how connectivity drives these waves of transformation. The telecomm industry is key and is fundamental to secure our telco infrastructure and services, and the business that telco operators provide.
(II) A collaborative effort between government and industry to better secure connectivity infrastructure
6. Collaboration between government and telecommunication industry players is important. We have made some important progress on this arena.
7. In 2015, IMDA launched the Infocomm Singapore Computer Emergency Response Team (ISG-CERT) to respond to cybersecurity threats within the telecommunication and media sectors.
8. In 2018, IMDA revised the Telecommunications Cybersecurity Code of Practice (TCS-CoP) to ensure that we can apply best practices from the industry to the telco space.
9. Today, we need to consider the future, as these risks are magnified by new technologies, products and platforms. Advancements in cyber threats are ever present, such as Ransomware-as-a-service, and the weaponisation of AI and use of machine learning. The pace of acceleration and the threat around cybersecurity is just as rampant. Opportunities are also created by disruption and transformation of businesses. Everything is evolving at a pace in which technology needs to keep up through deeper, richer connectivity networks and new technologies.
10. IMDA will play its role and will develop a multi-year roadmap to build the cybersecurity capabilities of Singapore’s telecommunication operators through the formation of the Telecom Cybersecurity Strategic Committee, or TCSC.
11. This Strategic Committee is a partnership between government and the industry to better secure our connectivity infrastructure, involving global cybersecurity experts and key telecommunication operators in Singapore.
12. The TCSC will identify challenges, as well as key telecommunication technologies and market developments that will shape the cyber threat landscape. This will ensure that we are always updated on global, technological and industry trends.
13. The Strategic Committee will publish a strategy report and outline a roadmap for our telecommunication operators to develop cybersecurity capabilities. It will include recommendations for new initiatives such as capability development, technology innovation, regulation, and international partnerships.
14. IMDA has a role in this space as both a regulator as well as playing a significant role in industry and capability development. We have to make sure that we have the right balance to both drive innovation and have the correct, appropriate regulations to protect our interests and services.
15. IMDA has also introduced new reference resources to help telecommunications operators address immediate cybersecurity risks on two fronts.
16. The electronic Know Your Customer guide or eKYC, specifies IMDA’s regulatory requirements to help ensure the secured online verification and performance of eKYC solutions deployed by mobile operators. eKYC solutions are products or solutions which acts as the interface between different business models as one customer moves from bank, to telco, to insurance company; from government. to retail. There are different products, platforms, and businesses, but the same customer. eKYC solutions help to stitch all these various products together and generate a relationship for the customer and also a relationship between the businesses.
17. Increasing connectivity increases the threat and opportunity for cybersecurity risks. The more we use eKYC, the more we need to have a right kind of protection so that consumers have an assurance as they navigate through this space.
18. The aim is to drive digitalisation by helping to facilitate the transition from face-to-face verification to the use of eKYC technologies via kiosks, mobile applications, online web portals and trusted databases.
19. A second planned resource – the IoT Cyber Security Guide – will help instil greater confidence in the use of IoT systems. This guide will list baseline recommendations provide checklists, assisting users to secure IoT systems against unintentional and malicious threats for the acquisition, operation and maintenance of the systems. IMDA will launch a public consultation on the IoT Cyber Security Guide to ensure that the recommendations in the guide are useful and comprehensive.
20. Adopting an IoT approach will result in more devices in our ecosystem such as power sensors and power environmental infrastructure. The problem is going to be firstly, a multiplication of the number of devices. The opportunity for cybersecurity penetration will increase, but also the behaviour of these devices – we expect them to run autonomously for months, if not years. The usual behavioural ways in which we know something is wrong with our computers and networks – these types of assurances are not there if we have a broad, rich and deep IoT device network. We need to rethink what is our regulatory approach and what is the way in which we can assure customers and users of the security of our IoT systems. We need these types of resources, and we need to think about this in a different way.
21. IMDA is also exploring possible trials using quantum key distribution technology with industry partners to help foster a greater understanding on the implementation of more advanced forms of encryption.
22. Just as cybersecurity risks evolve to match the opportunities presented by more complicated networks – encryption technologies are evolving, such as advancements to quantum key encryption – we need to think what are the capabilities we need to think about these problems. What are the technical skills we need to develop, and what are the technological capabilities in terms of investments to put in place to keep pace with these types of opportunities. These risks are always changing and evolving.
23. Collective responsibility is key in order for us to stay ahead. Government, as the regulator, has a very important role to establish the standards, maintain oversight, and provide some directions. The private sector has just as much responsibility because they are a key component – telecommunications operators are the backbone of connectivity, but also, it is their business. If there is a significant risk, part of that risk is directly to their business model and to their business opportunities. So collective ownership is necessary between the public and private sector.
24. But we as individuals need to play our part as well and participate in that collective responsibility. Often, some of the risks and threats associated with cybersecurity are not about the technology software or hardware, but is about human behaviours and vulnerabilities that we bring – as users, employees or participants – in this space. We also have to play our part to secure our technological platforms and networks to make sure that cybersecurity is something that we are actively maintaining.
25. I would like to invite all of you to actively participate, share ideas, shape plans and work together in developing a trusted, secure, and resilient connectivity infrastructure, which is always going to be a key enabler of our Smart Nation drive and the ambition that we have to transform Singapore.
26. Congratulations on this inaugural Infocomm Media Cybersecurity Conference and I hope you have a fruitful time today.
27. Thank you very much.