
Rethinking total defence, in terms of cyber-security

by Lee Yew Tian James

I was having a conversation over dinner with some friends today and the topic turned to the SingHealth hacking incident. One of them lamented that the responsibility for cybersecurity was still very much up to each organisation, government or private, to maintain. In comparison, for physical threats, the Singapore Armed Forces (SAF) is there as a deterrent to attackers. He wondered why there wasn’t such an organisation to counter such non-physical attacks.

I recalled that we had a Cyber-Security Agency (CSA) and promptly went to look up their portfolio. It reads as such: “The CSA is the national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development. It is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information.”

To me, the mission statement sounded rather passive, and more about education, outreach and strategy development. That was all well and good, but it wasn’t what I was looking for. It seemed that my friend and perhaps even I, wanted an organisation whose mission statement is “to defend Singapore’s cyberspace from coordinated and targeted attacks, to deter attacks on Singapore’s government and private institutions etc.”

Thinking deeper and reflecting on our 5 pillars of Total Defence – Military, Economic, Social, Psychological and Civil that were taught to us as part of our national education, I realised that in this 21st century, there is one component missing from all this – Cyber Defence. In this day and age, we no longer deal merely with kinetic threats such as army attacks, terrorist bombings etc. We also deal with scams, virus attacks, trojans and in the latest saga, state-orchestrated coordinated attacks on our cyber systems. This cyber landscape is the one thread that weaves in-between all the 5 pillars. A cyber attack on our stock exchange can cripple our economy; a hacking attack on our medical records weakens our social and psychological defence; a cyber attack on our military systems disables our battle effectiveness; misinformation and online propaganda can cause problems for our civil institutions.

If the 5 pillars of defence are the fingers on our hand, Cyber defence is the palm from which all these defences project outwards. If you cut off one finger, I still can use the rest of my fingers and my hand, but if you stab a knife through my palm, I lose total control of my hand – the entire defence system collapses. If there is one lesson we should learn out of this, maybe our concept of total defence is outdated. Should we have another pillar of defence – Cyber defence?

If so, this defence should not be left to each government or private organisation to manage on their own. It can be decentralised to each organisation, but it needs to be part of a larger cyber bubble that acts as the first layer of shielding against cyber attacks from outside. There is this joke about the Great Firewall of China. But if we consider the openness of our economy and how susceptible we are to such attacks, it might be worth considering establishing this first line of defence. Some of the principles of defence are immediately relevant here – defence in depth and mutual support. My assessment of our current cyber defence is that each organisation is mounting their own defence, with no mutual support. Worse, there is no depth. If an attack succeeds, the attacker immediately gains access, as is demonstrated by the SingHealth hacking.

Cyber warfare is set to become more prevalent in the years to come – in fact, it will be the future of warfare. Cripple a nation from the inside without boots on the ground, with low costs and zero lives lost – all you need are some computers and internet access. Those Hollywood movies do have some truth to them. If we know this but ignore this, we are only doing ourselves and our country a disservice. However, there will be a sacrifice needed. We might have to contend with more stringent restrictions on content etc. The question is whether such sacrifices are necessary to protect our cyberspace and if so, what is that balance?

Since Parliament is sitting now, perhaps it is timely to ask such questions. Maybe Louis Ng Kok Kwang or Pritam Singh can do so. Some of my friends who read my posts are regulars, so this is something that I hope can generate some food for thought for those in the service.