Chan Chun Sing: MOE ensures rigorous testing and international standards before acquiring software services

SINGAPORE: Education Minister Chan Chun Sing assured that rigorous tests, including vulnerability assessments and penetration tests, are conducted before acquiring any software service.

During the parliamentary session on 10 September, Minister Chan responded to questions from Workers' Party Members of Parliament Gerald Giam and Dennis Tan, who scrutinised the extent of vulnerability assessments and penetration tests conducted on Mobile Guardian.

Mr Giam inquired whether all vulnerabilities discovered before the August cyberattack were addressed and whether such tests were conducted before the app was initially rolled out.

He expressed concern about the severe impact on students, especially those facing exams, due to the cyberattack.

He questioned whether the Ministry of Education (MOE) had backed up student data during the period Mobile Guardian was used.

Mr Dennis Tan, WP MP for Hougang SMC, uestioned whether vulnerability assessments and penetration testing were conducted on Mobile Guardian before its deployment and whether such tests will be carried out regularly in the future.

Following the cyberattack on Mobile Guardian in August, which affected 13,000 users across 26 secondary schools, the Ministry of Education has initiated legal action against the relevant contractors.

In response, Minister Chan confirmed that vulnerability assessments and penetration tests are carried out periodically, with patches applied as issues are discovered.

The tests conducted in June and July identified vulnerabilities that were addressed progressively.

However, he could not comment on whether these vulnerabilities contributed directly or indirectly to the subsequent cyberattack until the full forensic investigation is completed.

Minister Chan explained that before the government acquires any service, various tests are performed to ensure that the systems meet international standards.

This approach is consistent for all services, including Mobile Guardian.

He assured that regular assessments will be conducted moving forward and that lessons learned from the breach will inform future service provider assessments.

On the topic of backups, Chan explained that while MOE handles system-level backups, the responsibility for individual backups rests with users.

"it will not be possible for the system to back up the individual (data) all the time, because the individual you need to decide what you want to back up."

He noted that, similar to personal devices, students are expected to back up their own data.

Although most students had successfully backed up their information, a small percentage experienced data loss due to inadequate individual backups.

Non-Constituency Member of Parliament Hazel Poa from the Progress Singapore Party also asked about the learning points from this episode with respect to the service provider assessment process.

Minister Chan responded that agencies must choose between general, widely available services or highly customized solutions.

General services are more accessible and adaptable due to a larger subscriber base but may not fully meet specific needs.

Customized services can be tailored to exact requirements but might lack comprehensive support and updates.

He emphasized the importance of finding a balance between these options based on the agency’s specific needs and risk profiles.