First, there was a masterplan for the country to create a safer cyberspace. Then, this past week, Singapore announced a new “strategy” that would build on that.
Going by the announcements out of Singapore International Cyber Week, this week’s big cybersecurity event, you would not underestimate the efforts the Republic is putting into safeguarding its digital assets and capabilities.
Among the big-picture plans in this new 2021 strategy put out by the Cyber Security Agency of Singapore are the building of resilient infrastructure and enhancing of international cyber cooperation.
How to do that? Two foundational enablers, according to the government agency, are a vibrant cybersecurity ecosystem and a robust talent pipeline.
There is no shortage of bootcamps and other programmes such as bug bounties to encourage people to step forward. Plus, Singapore is also boosting security in the Internet of Things and operational technology, which will be critical in digital organisations in the years ahead.
While these are important strategies and foundational elements to build on, what is unclear is the foundation of trust. In other words, whom does Singapore put its trust on in a so-called zero-trust world?
It is possible to set up a zero-trust environment, one where you would have to be authenticated whenever you access a digital asset like a file or database, but you still need to have a fundamental layer of trust in the people creating your digital infrastructure.
If you are constructing a building, you have to trust your steel supplier to build a solid foundation. You can put up barbed wire or heavy locks afterwards for security but things all come crumbling down if the building isn’t well built to begin with.
Supply chain cyberattacks of late have shaken this faith that many organisations have for their most fundamental digital tools. Yes, the same tools that are used to look for cyber threats.
Since Solarwinds, a company that makes software to monitor networks and servers, was penetrated by hackers last year, a cascade of attacks has followed.
At first, FireEye, a much-respected cybersecurity vendor, found that its cybersecurity tools were stolen late last year. At least, it discovered the hack at Solarwinds while probing its own hack.
Then, in August, Microsoft also found that its cloud services were affected and thousands of customers could potentially have their databases exposed.
It’s true the Internet was originally built to be distributed, but in recent years, it has become more centralised and often with singular points of failure.
Now, what does this tell government agencies that have been busily pushing their services onto the cloud, confident that they are better served through defence in depth? Some should be rightly concerned now.
To be clear, it is probably still safer to place your critical data with a big cloud player, such as Microsoft Azure, Amazon Web Services or Google Cloud, as the Singapore government does, but that means trusting these private companies to do their job well.
Once again, this is a question of trust. Whom in your supply chain, from your laptop supplier to cloud provider, can you place your trust on?
You cannot say you adopt a pure zero-trust model here unless you make your own laptops in-country, including the chips, or force a cloud provider to share server configurations and details for certain “super” or VIP customers, which they are (understandably) unwilling to.
Sure, some organisations go to extremes, say, by wiping the disks of any laptop that has travelled to a country known for cyber espionage. Or they don’t buy from certain hardware manufacturers.
But there still has to be a fundamental layer of your infocomm infrastructure – like the foundation of a building that is built first – that any country has to place its trust on.
That is the reason why the United States has tried so hard to prevent Huawei from leading the installations of 5G networks across the world. That is a foundational piece of any country’s digital infrastructure.
Not surprisingly too, there has been talk of deglobalisation and decoupling today. The US is looking to manufacture its own chips in-country and China is seeking the knowledge it lacks to design and manufacture the most high-end chips, which the US has banned the likes of Huawei from buying.
The calculus is different for a small country like Singapore. It cannot afford to take sides, or at least be seen to be doing so. It always has to hedge bets, in this case, on the right partner it can trust to build its critical infrastructure.
With that in mind, it is to the Singapore government’s credit that the country’s 5G network rollout kicked off rather uneventfully last year.
Neither Singtel nor the StarHub-M1 consortium decided to use Huawei gear in their core networks, even though the government had said this was not a political consideration.
Of course, trust is not monolithic. There are various levels, just like how a network can be segmented for security. Once trust is established at the foundational level, then there can be other levels where more partners can participate at.
Though Singapore hasn’t chosen Huawei to build its core 5G networks, nothing has stopped the government from partnering with the Chinese company to help train and educate businesses here on cybersecurity practices, as announced this week.
This is probably Singapore’s smartest game now. That is, balancing its cybersecurity needs and placing trust strategically, while hoping the chill between the two largest economies doesn’t get colder.