Singapore’s Cybersecurity Consortium: On the frontline of today’s cyber battlefield
Ahead of her presentation at Cloud Expo Asia Singapore in October, Dr Vivy Suhendra, executive director at the Singapore Cybersecurity Consortium, dives deep into the consortium’s work to shore up Singapore’s cyber resilience
Cyber security is a constantly evolving field, and rapidly so. We need to not only keep pace with cyber threats in the present, but also build capabilities to tackle future challenges. The National Cybersecurity R&D (NCR) programme focuses on developing research and development (R&D) expertise and capabilities in cyber security that are critical to staying ahead of present and future threats.
This is a non-trivial effort involving multiple interdependent aspects. The programme currently comprises local and international grants for fundamental research as well as translational / applied research; shared national infrastructure to support research experimentation, validation and training; an engagement platform to drive conversations and collaboration among multiple stakeholders; and cyber security postgraduate scholarship to develop the workforce.
All these initiatives under the NCR programme contribute to growing an ecosystem with a strong cyber security posture and up-to-date capabilities in the face of the ever-evolving cyber threat landscape.
Need to have, not nice to have
As the world increasingly undergoes digital transformation, technology is becoming intertwined with the economy and operations of nations and their citizens’ lives. The security of digital infrastructures may well be a matter of survival – as we found out in 2015 when an attack on Ukraine’s power grid left people without electricity for a few hours. Breaches that undermine key institutions could also drain a nation’s resources and weaken it considerably, such as in 2016 when the Bangladesh Bank was subject to a severe cyber heist.
Cyber security R&D is needed to resolve the many challenges that have arisen and will keep arising in tandem with technological advances, in the effort to ensure that nations’ infrastructure and information are resilient to malicious or unintended cyber acts. The importance is not so much in investing heavily, but in investing strategically and sustainably to address the most pertinent and relevant cyber problems that could differ from nation to nation depending on their digital posture.
Top cyber threats
Advanced Persistent Threats (APT) are one of the main threats facing nations, as highlighted in Singapore Cyber Landscape 2018, published by the Cyber Security Agency of Singapore.
APTs are highly sophisticated attacks on specific targets, backed with a wealth of resources often associated with nation-states, with objectives such as disrupting operations, theft for financial gain, or espionage. These attacks may involve tactics, techniques and procedures (TTPs) such as phishing e-mails to gain access, stealth and misdirection techniques to evade detection, a suite of malware for privilege escalation and lateral movement, and so on.
The vulnerability of Internet of Things (IoT) devices is another significant threat due to rising IoT adoption, and the fact that many IoT devices are cheaply produced without security provision.
Insecurity of IoT devices may firstly lead to the leaking of sensitive information such as surveillance camera feeds (demonstrated by the device search engine Shodan), and secondly allow attackers to gain unauthorised control of the devices.
This control may then be abused to turn massive volumes of devices into botnets in Distributed Denial of Service (DDoS) attacks (e.g., the Mirai botnet disrupting part of the U.S. networks in 2016), or as an entry point to access other systems connected to the same network (e.g., the hacking of a casino through its internet-connected fish tank, reported by Darktrace in 2017).
Developing a strong cyber strategy
A fundamental ingredient to a robust cyber security strategy is the continual cyber security assessment and hardening of the nation’s critical infrastructures to ensure up-to-date resilience to cyber threats.
This may start from defining which infrastructures are critical, to establishing sector-specific cyber maintenance frameworks and policies, to R&D in future-ready cyber infrastructures in anticipation of emerging trends.
Workforce talent development is another key ingredient, as humans are central to cyber security as technology users, defenders, and innovators. This may range from efforts in cyber hygiene awareness for the public, to programmes nurturing a community of researchers and innovative start-ups.
All in all, it is crucial to identify the multiple stakeholders in the nation’s cyber ecosystem and enlist meaningful participation from every stakeholder for the cyber strategy to be a concerted effort. Government, industry, the research community, educational institutions, and also global and regional counterparts all have roles and impacts in the cyber space.
Research and development
In general, the NCR and programmes under NCR (such as the Singapore Cybersecurity Consortium) hold periodic grant calls, that is, calls for research proposals to be submitted for consideration.
Different programmes or grants may have different specific objectives, and thus different evaluation criteria, within the overarching goal of advancing technologies and capabilities to meet the cyber security needs of Singapore.
For example, the NCR Translational Grant Call 2018 highlighted a number of challenges from ministries and public agencies addressing specific national security, smart nation and critical information infrastructure needs. The evaluation emphasis was on translational research and deployability of the research results into technologies, methodologies, tools and services.
Meanwhile, grant calls from the three NCR-funded National Satellites of Excellence in 2019 focused on core research to advance state-of-the-art in their respective domains (e.g., Trustworthy Software Systems).
The Singapore Cybersecurity Consortium’s annual Seed Grant calls in particular seek to fund industry-academia research collaboration. The seed grant is of a leaner scale (one-year projects) compared to other NCR grants, to suit the objective of producing new technology proof-of-concepts or exploring forward-thinking ideas to demonstrate their value and potential for further development (possibly supported by other NCR grants), which may otherwise find it difficult to get off the ground.
Seed grant research proposals are evaluated based on their commercialization or deployment roadmap — aligned with the Consortium’s goal of driving research translation from the institutes to industry and agencies — in addition to technical merits and potential value added to the nation’s cyber security posture and capabilities.
To cite some examples, the NCR-funded research into trustworthy software systems produced a suite of technologies for vulnerability detection via “fuzzing” (in simplified terms, probing code for unexpected behaviors) and an automated program for repairing software — some of which have gone into mainstream industry use.
For modern systems, which on average have complex software including possibly third-party components with unclear security risk, this technology helps establish a level of security guarantees and minimises the software attack surface — a fundamental concern for all digital systems now and in the future.
Another seed grant project, recognising that not all IoT users may be equipped to stay secure, developed a technology for Internet Service Providers (ISPs) that detects vulnerable home IoT devices connected to their networks; a vital first step in preventing exploitation of such devices (e.g., as botnets).
The machine-learning-based detection works on NetFlow traffic collected outside the homes to ensure the least intrusion into user privacy. When supported by ISPs for threat intelligence sharing, and user engagement to rectify device vulnerabilities, this technology is a potential enabler for nationwide network resilience, which is only going to get more important as “smart nation” initiatives take off worldwide.
The 5G question
Apart from ensuring 5G network infrastructure is securely deployed, we must prepare cyber security measures appropriate for emerging computing models and applications made viable by the faster speeds, lower latency, and higher bandwidth of 5G.
IoT is expected to grow more rapidly and expand more readily into application domains such as automotive and healthcare that have time-sensitive and high-throughput requirements. This means an exponential increase in the attack surface in addition to higher stakes and criticality of threat scenarios.
According to Gemalto, 5G may also drive certain computing architectures such as decentralized intelligent networks that are more reactive to individual users, and virtual instead of hardware servers. These would face more dynamic threat models than traditional computing, and accordingly require more dynamic approaches to cyber security.
Nations should engage all relevant sectors to assess cyber security risks from various perspectives, build up the necessary cyber security capacities, as well as establish regulatory frameworks where applicable, before making the jump.