Singapore Issues Public Sector Cybersecurity GuidanceOutlines Key Steps, Including Stronger Encryption, That Could Become Mandates
After recently issuing interim cybersecurity guidance for private enterprises, Singapore has issued similar guidance for public sector agencies and departments. The two moves are part of a broad effort to enhance data security in light of recent data breaches in the nation.
Singapore's government announced in June that it plans to amend the country's Personal Data Protection Act to create a tougher breach notification mandate and impose other security requirements on all private-sector organizations that handle personal data (see: Singapore Prepares for Mandatory Breach Reporting).
Singapore's Personal Data Protection Commission then issued interim data breach management guidelines to help organizations prepare for the new requirements under the amended act, which the Parliament is expected to approve soon.
In the latest move, the Public Sector Data Security Review Committee on Monday released interim recommendations for strengthening the country's infrastructure, targeting public sector agencies and departments.
Those recommendations call for better use of encryption to protect communications and digital files as well as the development of new ways to ensure data in transit is secure against malicious attacks, according to a committee statement.
The committee, chaired by Teo Chee Hean, a national security official with the government, plans to issues a final report to the prime minister's office on Nov. 30, according to the statement. The report then will be presented to Parliament, which likely will vote on legislation that would mandate that government agencies follow the guidelines.
The committee has been reviewing portions of the government's technology and security practices, including how various agencies protect citizens’ data, according to the statement.
"The current security regime has strong fundamentals," the statement notes. "However, there is a need to strengthen our data security regime for the future. This is in view of the increasing complexity of our systems, the greater demand for the use of data to provide convenient digital services to the public, and the need to use data for better policy making."
The committee’s final recommendations will form the core of what the government calls its Smart Nation ambitions, which includes a number of data and digital transformation initiatives, according to the statement.
While the government of Singapore already uses some security checks to ensure that citizen data is protected, the list of recommendations for government agencies urges the adoption more comprehensive measures to ensure the security of the infrastructure, especially as cyber-related incidents increase and citizens rely on more digital services.
The committee is reviewing data security measures undertaken by various government agencies. This includes a government wide check on public offices' data management practices and a detailed analysis of their IT systems.
According to report by the local news service CNA, the Ministry of Health, Health Sciences Authority Health Promotion Board, Central Provident Fund Board and the Inland Revenue Authority of Singapore are some of the public agencies that are currently being reviewed.
On the technical side, the committee recommends regular checking for malicious attacks during data transfer, automated detection of sensitive data contents within emails and enhanced encryption requirements for files, according to the committee’s statement.
In addition, the report notes that the government needs to do a better job of protecting its own data, especially when it's accessed by third parties. Besides new security capabilities, the report recommends creating a better security culture among public officers charged with protecting this data.
"This includes skills upgrading and initiatives to raise the level of data security awareness across the public service," the report notes.
String of Attacks
The government’s various cybersecurity initiatives come in the aftermath of two major healthcare breaches.
In 2018, 1.5 million patient records, reportedly including those of the prime minister, were hacked, according to various news reports.
And in March, a breach of the National Health Authority exposed the personal information of 800,000 blood donors.
According to the latest report from the Cyber Security Agency of Singapore, 6,179 cybercrime cases were reported in 2018, accounting for 19 percent of the overall crime in the country.