Parliament Sitting on 26 July 2021

QUESTION FOR ORAL ANSWER


17. Mr Mohd Fahmi Bin Aliman: To ask the Minister for Communications and Information in light of the recent global cyberattack that forced Swedish Coop supermarkets to close, whether there have been any attempts to attack Singapore’s supply chain software in the past three years.

Answer:

Mr Speaker, Swedish Coop supermarkets were forced to close earlier this month due to what is known as a supply chain attack. The Coop used the Kaseya Virtual System Administrator (VSA), which is a software management platform designed to help organisations manage their IT services remotely.

2. Similar attacks have occurred in recent months, such as the SolarWinds breach reported in December 2020 and the attack on the Microsoft Exchange Server reported in January 2021. How are these supply chain attacks orchestrated? Essentially, they take advantage of unsuspecting companies’ introduction of new software into their systems, that turns out to contain malicious elements or ransomware.

3. Usually, neither the companies nor their vendors that supplied the software were even aware that the software had been compromised. The same software that afflicted tens of thousands of organisations and businesses can also find its way into IT systems in Singapore. To date, we have not observed any adverse effects on our Critical Information Infrastructure (CII) and Government systems. The Singapore Computer Emergency Response Team (SingCERT) has also not received reports of any Singaporean businesses falling victim to these attacks.

4. Nevertheless, the Government continues to adopt a cautious stance, and the Cyber Security Agency (CSA) monitors global developments very closely. Whenever potential threats arise, CSA will immediately direct our CII sectors to check for any potential compromise in their networks. SingCERT issues alerts and advisories to the public on actionable steps to take, should they be affected. Given the global and transnational nature of such cyber-attacks, CSA also works closely with regional CERTs and its international counterparts to track developments and share information. 

5. The attack through the Kaseya VSA is yet another example of how cyber-attacks have spilled over into the physical realm, with real-world consequences. Attackers are clearly learning and evolving their tactics to maximise their gains from a single attack. We must expect that cyber attacks will become increasingly commonplace and sophisticated. They can strike any of us or our organisations, and we must assume that our systems will be breached at some point. 

6. As was mentioned in the response to a query on the SolarWinds attack in Parliament earlier this year, CSA is strengthening its engagements with CII sectors, enterprises and organisations to shift towards a “zero-trust” cybersecurity posture. This comprises two key principles: first, do not trust any activity on your networks without first verifying it and second, ensure constant monitoring and vigilance for suspicious activities.

7. Organisations should also implement simple steps not only to prevent breaches, but to detect incidents early and recover quickly from them. These include keeping systems and software updated, backing up data regularly and keeping the backup offline, and practising incident response and business continuity plans to ensure that employees are well-prepared when breaches happen. 

8. The Government is taking steps to reinforce this mindset and raise the national cybersecurity posture against this new normal. CSA will launch the CII Supply Chain Programme later this year, in partnership with the owners of such infrastructure and their vendors, to ensure that stakeholders adhere to international best practices and standards for supply chain risk management. At the same time, CSA is developing the SG Cyber Safe Programme to provide businesses with actionable cybersecurity toolkits and resources to bolster their cyber defences.

9. Mr Speaker, I would like to stress that everyone must play their part. Businesses and organisations are responsible for their own cybersecurity, and must take action to strengthen their posture. Conduct an assessment of the risks, contemplate in advance how you will mitigate them, and ensure that you have business continuity plans after an attack. It is in our own interest to stay vigilant against cyber threats, even as we leverage the opportunities of an increasingly digital world.