Singapore Launches Review of Data SecurityCommittee to Devise Recommendations for Best Practices
Responding to the growth of data breaches in the region, Singapore Prime Minister Lee Hsien Loong has formed a committee to conduct a comprehensive review of data security practices and suggest recommendations for preventing data breaches that affect critical infrastructure.
The Public Sector Data Security Review Committee, chaired by Teo Chee Hean, deputy prime minister, coordinating minister for national security and minister-in-charge of public sector data governance, will examine how personal data of citizens is collected and protected by government agencies, vendors and authorized third parties, the prime minister said in a statement.
The committee will review how the government is securing and protecting citizens' data from end to end, including the role of vendors and other authorised third parties, the statement noted.
"The government acknowledges that recent data-related incidents have underlined the urgency to strengthen data security policies and practices in the public sector," the prime minister said.
Some security experts recommend that the committee should suggest a cybersecurity framework encompassing a detection-centric paradigm focusing on people, process and technology, along with a strong threat intelligence program.
Rising Breaches: A Concern
Some recent data security incidents in Singapore include:
- The data leakage of HIV-positive status of more than 14,000 patients;
- A SingHealth breach that exposed data on about 1.5 million patients, including the prime minister.
- The exposure on the internet of personal information of more than 800,000 blood donors for more than nine weeks.
Associate Professor Alan Chong of the S. Rajaratnam School of International Studies, a researcher on cybersecurity issues, told Singapore-based newspaper TNP: "The series of embarrassing leaks from the Ministry of Health and its affiliated agencies shows that Singapore's cyber defenses has this weak underbelly. It is a confidence issue and it has to be addressed urgently."
Chong says the new committee must come up with a thorough report that enforces a culture of cyber hygiene across the civil services.
Singapore-based Ken Soh, CIO and director of information security and e-strategies at BH Global, a supply chain management and design firm, says that three key pillars - people, process and technology - for data security in the public sector need to be improved.
"Specifically, on people, the culture of post-incident communication and the awareness of data security in general is lacking," he says. "On the process side, the focus is still very much on checkbox compliance and not operational security."
On the technology front, he says the primary focus is on detection, so there's a need for a cybersecurity framework that encompasses other aspects outside just detection mechanism but also work ways to protect the assets from attacks.
Singapore-based Steve Ledzian, vice president and CTO for Asia Pacific at FireEye, observes that one key challenge for public sector organizations is that the data they hold is of interest to cyber espionage actors as well as cybercriminals and vulnerable to attack.
"There isn't a quick fix to this challenge, and current data security practices fall short of these points," Ledzian says.
A Collaborative Framework
The new committee which will be supported by private sector representatives with expertise in data security and technology, as well as ministers involved in Singapore's Smart Nation efforts - Dr.Vivian Balakrishnan, S. Iswaran, Chan Chun Sing and Dr. Janil Puthucheary, according to the prime minister's statement.
Members will recommend technical measures, processes and capabilities to improve the government's protection of data, as well as incident response strategies. The panel will submit its recommendations by Nov. 30.
The committee will consult with international experts and industry officials from both the public and private sectors, supported by an inter-agency taskforce formed by public officers.
Meanwhile, the government has increased the number and types of internal IT audits to check on agencies' data access and data protection measures, according to the prime minister's statement.
The statement revealed that while individual agencies are investigating and taking action on specific incidents, the new committee will undertake a comprehensive review and incorporate industry and global best practices to strengthen data security across the public sector.
"This review will help to ensure that all public sector agencies maintain the highest standards of data governance," the statement notes. "This is essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data. The work of this committee will complement our efforts to achieve our Smart Nation vision."
A Culture of Information Sharing
The primary focus for the government, Soh says, should be establishing a culture of information sharing and encouraging service providers and enterprises to enhance vulnerability assessment practices by skilled personnel.
"Organizations' security groups must understand that most protection technologies are detection-based and they are no longer sufficient to guard data against especially advanced threats," Soh says. "Hence, they should start to explore and deploy detection-less based technologies in aid of network separation, which could work around content dis-arm and reconstruction and isolation and containment technologies.
Ledzian notes: "A holistic, centralized, end-to-end review of data security practices is a great step toward reducing risks posed by sophisticated actors."