By Eugene EG Tan, S. Rajaratnam School of International Studies (RSIS)
Broadly speaking, Singapore is considered a cyber-resilient nation. However, being cyber-resilient is distinct from achieving perfect cybersecurity and freedom from significant cyber incidents. Resilience, in its traditional sense, does not solely measure the strength of a state’s security posture but rather its ability to recover from a major security incident and adapt to emerging threats. This resilience extends beyond cyberspace and is evident in how society responds to adverse events, such as natural disasters or terrorist attacks.
While digital technologies have enhanced service accessibility in Singapore, there is a prevailing wariness of the associated risks. The government follows a “digital first” strategy while still allowing access to services through non-digital means, which enables individuals to navigate disruptions with a degree of personal resilience. If banking and payment systems are offline on a weekend afternoon, consider alternative payment methods such as cash. If hospital websites are inaccessible for an entire workday, try using the telephone or visit the hospital in person.
The delicate balance between convenience and risk is a crucial consideration for states adopting digital services. Cyber resilience breakdowns can have physical consequences, potentially disrupting societal functioning. For instance, a banking system failure could trigger a panic run on banks.
Despite Singapore’s history of cyber incidents, including state-led data theft and system outages, none has severely tested the nation’s collective cyber resilience. In contrast, the cyberattack on ViaSat in Ukraine led to a complete severance of digital services, demonstrating the strain on the country’s cyber resilience, even though normalcy returned once services were restored.
The study of cyber resilience therefore focuses on reducing system impact and damage, along with minimising downtime through policy, mitigation, and transparency measures. Singapore consistently seeks improvements in its processes to keep pace with the evolving threat landscape.
In this regard, I draw three valuable lessons from Singapore that could benefit other states aiming to enhance their cyber resilience posture.
Lesson 1: Think Strategically, Involve Everyone
Singapore’s cyber resilience strategy, outlined in its 2021 Cybersecurity Strategy, prioritises three immediate objectives and two longer-term initiatives. Immediate goals involve building resilient infrastructure, creating a safer cyberspace, and enhancing international cooperation. Long-term objectives focus on constructing an innovative ecosystem and nurturing the cyber talent pool.
In contrast to punitive measures seen elsewhere, Singapore’s Cybersecurity Strategy emphasises enhancing response capabilities for the state, organisations, and individuals. This approach includes educating individuals, businesses, and organisations about recent threats. The strategy promotes foreign cooperation through partnerships to address cyber threats, such as ransomware, and joint exercises with other states. In simpler terms, this holistic approach broadens responsibility for cybersecurity to all users in society, beyond the state or organisations.
Lesson 2: Build, Maintain, and Recover Trust
The second aspect of the cyber resilience equation in Singapore concerns how the government and organisations build, maintain, and restore trust among technology users in society. Trust primarily evolves through public inquiries and regulations imposing obligations on digital service providers. If trust is entirely lost in a cyber incident, the system’s value may diminish due to a lack of users.
Consider the use of personal data in Singapore as an example. The Personal Data Protection Act (PDPA) governs the protection of personal data, outlining requirements for its collection, use, disclosure, and care. The Personal Data Protection Commission (PDPC) administers the PDPA, publicly sharing decisions where organisations violate data protection provisions. This serves as both a learning point and a disclosure, reinforcing accountability and trust among digital users.
Moreover, the Singapore government takes data protection oversights in critical information infrastructure (CII) seriously. In 2018, SingHealth, Singapore’s largest public healthcare provider, experienced a significant data breach affecting about 1.5 million patients. In response, the government convened a Committee of Inquiry (CoI) to investigate the incident and derive lessons. The CoI allowed the government to reaffirm its commitment to maintaining citizens’ trust, particularly during the rollout of additional Smart Nation Initiatives.
Lesson 3: Cyber Resilience Beyond Cyberspace
Related to building trust, the third observation I will make is that a society’s cyber resilience can also be reinforced by non-cyber-related regulation. Not all solutions to cyber resilience are cyber in nature; by and large, most of them are not. For example, I would argue that the work of building resilience of and trust in Singapore’s banking system following the outage of both DBS’s and Citibank’s digital payment systems in October 2023 is actually done by the Monetary Authority of Singapore (MAS) as the financial sector regulator. DBS, Singapore’s largest lender, had repeatedly suffered outages in 2023, and there was a critical need to strengthen the resilience of its digital services. MAS had previously imposed additional capital requirements on DBS as a confidence-building measure following service outages. After the October 2023 outages, DBS is further required to maintain the size of its physical branch and ATM networks in the event of further disruptions, is directed to focus its efforts on upgrading its essential IT systems, and is barred from entering into other business ventures.
In conclusion, states need to understand that cyber resilience is not just an issue residing in cyberspace but is, rather, a society-wide concern that demands trust in the services being utilised, whether by state or private-sector entities. Regulations and processes should be established to foster trust and, consequently, build resilience in the use of digital services. States and organisations cannot take the user’s trust in digital platforms for granted, and more effort is needed to safeguard that trust, thereby promoting a broader adoption of digital services.
About the writer
Eugene EG Tan is an Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS) at Nanyang Technological University (NTU), Singapore.
The views and recommendations expressed in this article are solely those of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.