Singapore unveils implementation guides, forms industry committee to boost telecom security
The Singapore government has formed a committee and released guidelines that it says aim to beef up cybersecurity protection and capabilities in the telecommunications industry. These include implementation best practices for Internet of Things (IoT) systems and electronic Know Your Customer (eKYC) technology that allows mobile operators to digitally authenticate service registrations.
Industry regulator Infocomm Media Development Authority (IMDA) said a new “multi-year roadmap” was being planned to identify cyber threats and develop the capabilities and products needed to strengthen the country’s connectivity infrastructure. The long-term plan would recommend strategies and policies as well as highlight areas of improvement to boost cybersecurity in the local telecommunication sector, said Janil Puthucheary, Singapore’s Senior Minister of State for Communications and Information, at the Infocomm Media Cybersecurity Conference held Friday.
“Connectivity infrastructure is a key building block for Singapore’s economy. The changing needs of the digital economy will require trusted, secure, and resilient next-generation connectivity infrastructure, including 5G and narrowband IoT (NB-IoT) sensor networks,” said IMDA, adding that the roadmap would help the agency “strategically and systematically” invest in cybersecurity capabilities for the telecom industry over the next five years.
Led by a team of government officials and a panel of industry experts, the first set of recommendations was expected to be published later this year, it said. The committee comprised, amongst others, Singapore’s Cyber Security Agency’s chief David Koh; IMDA’s chair and Perm Sec of Defence Chan Yeng Kit; Team8’s co-founder and CEO Nadav Zafrir; and IronNet Cybersecurity’s founder and CEO Keith Alexander.
IMDA on Friday also unveiled an implementation guide that aimed to make it more convenient for consumers to register for mobile services online, securely, by enabling operators to digitally verify mobile services registrations without physical face-to-face transactions. eKYC technology allows mobile subscribers to sign up for new services and switch between operators over-the-air without changing their SIM card or going to a physical retail store. It also facilitates secured self-registration via kiosks, mobile apps, online portals, and trusted databases, IMDA said.
It added that the implementation guide outlined regulatory requirements to secure online verification as well as the performance of eKYC tools implemented by mobile operators. These included, for instance, fraud mitigation, identity theft preventive measures, and the need for biometric verification if facial recognition technology was applied.
IMDA also released a public consultation on a proposed cybersecurity guide for IoT systems, which it said looked to provide industry best practices, for companies keen to deploy such systems, that helped mitigate cybersecurity risks. The guide aimed to assist organisations in making better purchasing and deployment decisions for IoT systems, taking security designs into consideration, the agency said.
It included checklists to help businesses systematically assess the security state of their IoT systems to determine if sufficient protection from unintentional and malicious threats had been established. IMDA noted: “In particular, the threat modelling checklist assists organisations to identify and understand the potential vulnerabilities/threats in the systems and the vendor disclosure checklist helps organisations to ensure the IoT systems procured are adequately secured.”
In addition, the industry regulator partnered with the National University of Singapore’s Centre for Quantum Technologies to provide workshops and training for government agencies and the industry. The objective here was to build up capabilities in quantum technologies and carry out Quantum Key Distribution trials with local industry players to gain technical understanding on implementation.
IMDA Chief Executive Tan Kiat How said: “As we look towards deploying the next generation connectivity infrastructure to support Singapore’s digital economy, we will also need to be mindful of the increasingly complex and sophisticated cybersecurity risks that we face. [The] multi-year roadmap [will] guide our effort in systemically building a trusted, secure and resilient connectivity infrastructure.”