Key Lessons on Cyber Resilience in Singapore

In this article, Associate Research Fellow Eugene EG Tan from the S. Rajaratnam School of International Studies (RSIS) shares his insights into Singapore's history of cyber incidents, its stage of cyber resilience maturity, and the key lessons that can be drawn from them. This article builds on the Tech For Good Institute’s latest research on Cyber Resilience.

By Eugene EG Tan, S. Rajaratnam School of International Studies (RSIS)

Broadly speaking, Singapore is considered a cyber-resilient nation. However, being cyber-resilient is distinct from achieving perfect cybersecurity and freedom from significant cyber incidents. Resilience, in its traditional sense, does not solely measure the strength of a state’s security posture but rather its ability to recover from a major security incident and adapt to emerging threats. This resilience extends beyond cyberspace and is evident in how society responds to adverse events, such as natural disasters or terrorist attacks.

While digital technologies have enhanced service accessibility in Singapore, there is a prevailing wariness of the associated risks. The government follows a “digital first” strategy that still allows access to services through non-digital means, enabling individuals to navigate disruptions with a degree of personal resilience. If banking and payment systems are offline on a weekend afternoon, consider alternative payment methods such as cash. If hospital websites are inaccessible for an entire workday, try using the telephone or visit the hospital in person.

The delicate balance between convenience and risk is a crucial consideration for states adopting digital services. Cyber resilience breakdowns can have physical consequences, potentially disrupting societal functioning. For instance, a banking system failure could trigger a panic run on banks.

Despite Singapore’s history of cyber incidents, including state-led data theft and system outages, none has severely tested the nation’s collective cyber resilience. In contrast, the cyberattack on ViaSat in Ukraine led to a complete severance of digital services, demonstrating the strain on the country’s cyber resilience, even though normalcy returned once services were restored.

The study of cyber resilience therefore focuses on reducing system impact and damage, along with minimising downtime through policy, mitigation, and transparency measures. Singapore consistently seeks improvements in its processes to keep pace with the evolving threat landscape. 

In this regard, I draw three valuable lessons from Singapore that could benefit other states aiming to enhance their cyber resilience posture.

Lesson 1: Think Strategically, Involve Everyone

Singapore’s cyber resilience strategy, outlined in its 2021 Cybersecurity Strategy, prioritises three immediate objectives and two longer-term initiatives. Immediate goals involve building resilient infrastructure, creating a safer cyberspace, and enhancing international cooperation. Long-term objectives focus on constructing an innovative ecosystem and nurturing the cyber talent pool.

In contrast to punitive measures seen elsewhere, Singapore’s Cybersecurity Strategy emphasises enhancing response capabilities for the state, organisations, and individuals. This approach includes educating individuals, businesses, and organisations about recent threats. The strategy promotes foreign cooperation through partnerships to address cyber threats, such as ransomware, and joint exercises with other states. In simpler terms, this holistic approach broadens responsibility for cybersecurity to all users in society, beyond the state or organisations.

Lesson 2: Build, Maintain, and Recover Trust

The second aspect of the cyber resilience equation in Singapore concerns how the government and organisations build, maintain, and restore trust among technology users in society. Trust primarily evolves through public inquiries and regulations imposing obligations on digital service providers. If trust is entirely lost in a cyber incident, the system’s value may diminish due to a lack of users.

Consider the use of personal data in Singapore as an example. The Personal Data Protection Act (PDPA) governs the protection of personal data, outlining requirements for its collection, use, disclosure, and care. The Personal Data Protection Commission (PDPC) administers the PDPA, publicly sharing decisions where organisations violate data protection provisions. This serves as both a learning point and a disclosure, reinforcing accountability and trust among digital users.

Moreover, the Singapore government takes data protection oversights in critical information infrastructure (CII) seriously. In 2018, SingHealth, Singapore’s largest public healthcare provider, experienced a significant data breach affecting about 1.5 million patients. In response, the government convened a Committee of Inquiry (CoI) to investigate the incident and derive lessons. The CoI allowed the government to reaffirm its commitment to maintaining citizens’ trust, particularly during the rollout of additional Smart Nation Initiatives.

Lesson 3: Cyber Resilience Beyond Cyberspace

Related to building trust, the third observation I will make is that a society’s cyber resilience can also be reinforced by non-cyber-related regulation. Not all solutions to cyber resilience are cyber in nature; by and large, most of them are not. For example, I would argue that the work of building the resilience of, and trust in, Singapore’s banking system following the outage of both DBS’s and Citibank’s digital payment systems in October 2023 is actually done by the Monetary Authority of Singapore (MAS) as the financial sector regulator. DBS, Singapore’s largest lender, had repeatedly suffered outages in 2023, and there was a critical need to strengthen the resilience of its digital services. MAS had previously imposed additional capital requirements on DBS as a confidence-building measure following service outages. After the October 2023 outages, DBS is further required to maintain the size of its physical branch and ATM networks in the event of further disruptions, directed to focus its efforts on upgrading its essential IT systems, and barred from entering into other business ventures.

In conclusion, states need to understand that cyber resilience is not just an issue residing in cyberspace but is, rather, a society-wide concern that demands trust in the services being utilised, whether by state or private-sector entities. Regulations and processes should be established to foster trust and, consequently, build resilience in the use of digital services. States and organisations cannot take the user’s trust in digital platforms for granted, and more effort is needed to safeguard that trust, thereby promoting a broader adoption of digital services.

About the writer

Eugene EG Tan is an Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS) at Nanyang Technological University (NTU), Singapore.

The views and recommendations expressed in this article are solely those of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
