A small highly connected nation walks a fine line between risk and reward in cyberspace.
David Koh delivered an interesting an engaging morning keynote offering the perspective of Singapore, where he wears many hats: Commissioner of Cybersecurity for Singapore; Chief Executive, Cyber Security Agency of Singapore; Deputy Secretary (Special Projects); and Defense Cyber Chief, Ministry of Defense. (He sees an advantage in this. Should there be some catastrophe, he can appear in public, "resign in ignominy, and then quietly go back to work in a job I already have.")
High risk accompanies high reward.
Koh began by noting that Singapore had placed first in the most recent version of the ITU's cybersecurity index, but that this was no grounds at all for complacency. Cyber is for Singapore "an existential issue." It is a very highly connected city-state. It has the world's fastest broadband, and it has a very high degree of digital penetration, with two smartphones per citizen. Singapore hosts supranational infrastructure in both finance and transportation. The country depends upon trust for its future, and thus must manage cyber risk effectively and attentively.
Preparing to manage risk.
Although the country was relatively unscathed by NotPetya and other large-scale attacks, it has received the attentions of what Koh characterized as "sophisticated nation-state cyber operators."
He described the mission of Singapore's Cyber Security Authority (CSA), formed to provide dedicated and centralized oversight of cybersecurity for the country. "CSA's value proposition lies in its holistic approach." Responding to a question about the desirability of centralization, Koh noted that even a small country can (and does) suffer from stovepiping. The CSA coordinates among many agencies.
Singapore is also building a resilient infrastructure, developing a vibrant cybersecurity infrastructure, and strengthening international partnerships, especially with ASEAN. The country's recently enacted Cybersecurity Act of 2018 includes both guidelines and authorizations to improve the security and resilience of infrastructure.
Koh has seen the ways in which the attackers evolve in sophistication and cleverness. Defense must therefore constantly innovate to keep pace. "It's almost like a learning organization on the other side." This is a huge challenge for governments. "Bureaucracies aren't known for their innovation."
Addressing the labor market and ways of building capacity, Koh explained that in the long-run, Singapore wants to build up a core group of Singaporeans who can manage cyber from a national security perspective.
It also looks for international investment. But here Singapore wants real engineering capability, not corporate headquarters or marketing offices. When then seek to attract corporations, they look for IT and research and development capability.
Innovation and ambivalence.
A question about the controversy currently surrounding Facebook, and the prospect of increasing regulation, gave Koh an opportunity to address the problems innovation brings with it. "According to my children," he said, "Facebook is just for old people." But there are serious issues at stake concerning the potential harm that technology can bring with it. Users don't fully appreciate the dangers of the tech they use, especially to privacy.
"We have to get a better understanding of the risks and vulnerabilities of new technologies," Koh said. "We can't concentrate only on the upside of technology and disregard the downside. That's a recipe for disaster."
He concluded, "We exploit the technology, and run the risk of being exploited ourselves." Where the balance point will be found depends upon a nation's political culture, and it's not an easy balance to strike.