• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • [email protected] Newsletter
    • Other Research
      • Future Issues And Technology (FIT)
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Great Powers
    • Sustainable Security
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • [email protected] Newsletter
      • Other Research
        • Future Issues And Technology (FIT)
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Great Powers
      • Sustainable Security
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • SingHealth Cyber Attack: Learning from COI Findings
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO19020 | SingHealth Cyber Attack: Learning from COI Findings
    Shashi Jayakumar

    13 February 2019

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYPNOSIS

    How do we protect our critical information infrastructure from evolving threats?  What steps do we need to take to prepare for future adversaries who are continually refining their methods? How can these steps be applied to the health sector?

    COMMENTARY

    NOW THAT that the dust has settled, it is possible to draw some conclusions from the findings of the Committee of Inquiry (COI) into the SingHealth cyber attack. The overall impression that emerges from a deep reading of the COI report is that of a culture of complacency at SingHealth and Integrated Health Systems (IHiS), the Ministry of Health’s IT arm.

    There were multiple and egregious failures in awareness and incident reporting. But there was another form of complacency, not dealt with in depth in the COI report but worth remarking on. This was a basic lack of awareness as to what was going on in the wider world. Threat scanning of the most basic kind will show innumerable attacks against health systems elsewhere in recent years.

    They Should Have Seen It Coming

    Academics in Singapore had also on at least one occasion prior to the attack publicly warned of the risk of attacks against the healthcare system.

    Cyber criminals (some possibly working in concert with, or at the behest of larger actors like states) have found healthcare data extremely lucrative as a target. The well-known 2017 United Kingdom National Health Service Wannacry hack comes to mind, but there have been many attacks against healthcare providers in the United States as well.

    (According to a 2016 Accenture report, cyberattacks against US health systems alone will cost hospitals US$305 billion over the next five years, and one in thirteen patients will have their data compromised by a hack).

    In other words, SingHealth and IHiS should have seen this coming.

    “Defence-in-Depth”: The Only Option

    So where do we go from here?

    There is no option but to move towards the “Defence-in-Depth” approach which features prominently in the COI recommendations. This is a layered concept. It involves highly-trained defenders arming themselves with centrally-managed endpoint detection and response systems, layered with advanced behaviour-based analytics which gives real time and holistic (as opposed to historical) perspective on security within the system.

    As the COI report acknowledges, the move to Defence-in-Depth will not happen quickly, given the differing cyber security maturity levels in organisations and the trade-offs between operational requirements and costs. This is a key concern.

    How long do key sectors and critical information infrastructure (CII) have to move in positive directions, given not just the necessary changes in resourcing but also in organisational culture? Consider two major observations by the COI.

    Need to Build Internal Ecosystem of Expertise

    First, SingHealth was reliant on IHiS to manage its cyber security risks. The report notes that there should be appropriate cyber security expertise at SingHealth’s senior management level, rather than having this capability wholly outsourced. Key sectors and critical CII will likely have to move in these directions.

    The other critical aspect of Defence-in-Depth is a trained cadre of cyber professionals. As Prime Minister Lee Hsien Loong observed in relation to the attack: “We have to train up our people, institute robust processes, inculcate the right mindsets and enforce accountability.” This will take some time to materialise.

    While many government agencies have launched various schemes to beef up the pool of IT and cyber security experts here, creating an ecosystem of trained security professionals will be a multi-year effort.  In the SingHealth/IHiS cases, there were resourceful individuals who attempted to get to grips with the intrusions, although even those who displayed initiative during the hack were at times out of their depth against a skilled adversary.

    This, however, should be counted as something of a bright spot. States which have faced kinetic threats have made it a habit to quickly promote resourceful individuals, even if they may be junior in years or rank. We should do the same in cyber security.

    Future Threats and Our Approach

    In some ways, Singapore continues to be lucky. We have not yet had a cyber attack that causes actual damage – for example to Industrial Control Systems or Supervisory Control and Data Acquisition systems. We cannot rule out future attacks targeting critical infrastructure or the vast attack surface of the nascent Smart Nation, in order to try to exfiltrate information and data of the type which tells of a society’s core vulnerabilities. This in turn can be used for fake news or disinformation campaigns.

    How do we drill for these bewildering new threats and adversaries who are continually honing their methods? This is difficult, but possible. Relevant agencies should take a leaf from the way terrorism drills over the years have become increasingly realistic, drawing in greater number of agencies and greater swathes of the mass public at all ages (think for example school lockdowns). We need the same kind of mass readiness for cyber, to prepare us for a digital Pearl Harbour.

    Some CII operators in Singapore have been proactive. The Maritime and Port Authority established a Maritime Cyber Security Operations Centre in November 2018 to monitor cyber threats against CIIs. It has also tapped the confidence and trust it had built up with partners overseas to recently establish a network of ports in Asia and Europe to foster closer collaboration and exchange of information on cybersecurity issues.

    The health sector and for that matter all CII operators (including energy and aviation, which might feel somewhat removed from the threat) should consider similar networked approaches with counterparts overseas.

    Need For New Thinking

    Separately, a vulnerability audit should be conducted, starting with CII operators, in order to have an in-depth, holistic perspective of which operators are reluctant or slow to update their cyber security and more importantly their culture. Following this, sectors that are not technically part of Singapore’s cyber CII, such as universities (in particular those parts which work with government and do sensitive research work) should be subject to scrutiny.

    It is not clear how long it will take CIIs and other key sectors to fully digest the implications of the SingHealth hack (and also, now, the HIV data leak). Likewise, can the stakeholders fully absorb the full import of the COI recommendations?

    Can they understand the essential dictum put forward by the Chief Executive of the Cyber Security Agency, David Koh, at the COI: That cyber security should be a key feature rather than “slapped on as an afterthought”, with business efficiency privileged above it, as is often the case now.

    If new thinking permeates at all levels, then some good would have come out of an otherwise disturbing saga.

    About the Author

    Shashi Jayakumar is Head, Centre of Excellence for National Security (CENS) and Executive Coordinator, Future Issues and Technology at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. This commentary first appeared in TODAY, 7 February 2019.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / International Politics and Security / East Asia and Asia Pacific / Global / South Asia / Southeast Asia and ASEAN

    Last updated on 13/02/2019

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYPNOSIS

    How do we protect our critical information infrastructure from evolving threats?  What steps do we need to take to prepare for future adversaries who are continually refining their methods? How can these steps be applied to the health sector?

    COMMENTARY

    NOW THAT that the dust has settled, it is possible to draw some conclusions from the findings of the Committee of Inquiry (COI) into the SingHealth cyber attack. The overall impression that emerges from a deep reading of the COI report is that of a culture of complacency at SingHealth and Integrated Health Systems (IHiS), the Ministry of Health’s IT arm.

    There were multiple and egregious failures in awareness and incident reporting. But there was another form of complacency, not dealt with in depth in the COI report but worth remarking on. This was a basic lack of awareness as to what was going on in the wider world. Threat scanning of the most basic kind will show innumerable attacks against health systems elsewhere in recent years.

    They Should Have Seen It Coming

    Academics in Singapore had also on at least one occasion prior to the attack publicly warned of the risk of attacks against the healthcare system.

    Cyber criminals (some possibly working in concert with, or at the behest of larger actors like states) have found healthcare data extremely lucrative as a target. The well-known 2017 United Kingdom National Health Service Wannacry hack comes to mind, but there have been many attacks against healthcare providers in the United States as well.

    (According to a 2016 Accenture report, cyberattacks against US health systems alone will cost hospitals US$305 billion over the next five years, and one in thirteen patients will have their data compromised by a hack).

    In other words, SingHealth and IHiS should have seen this coming.

    “Defence-in-Depth”: The Only Option

    So where do we go from here?

    There is no option but to move towards the “Defence-in-Depth” approach which features prominently in the COI recommendations. This is a layered concept. It involves highly-trained defenders arming themselves with centrally-managed endpoint detection and response systems, layered with advanced behaviour-based analytics which gives real time and holistic (as opposed to historical) perspective on security within the system.

    As the COI report acknowledges, the move to Defence-in-Depth will not happen quickly, given the differing cyber security maturity levels in organisations and the trade-offs between operational requirements and costs. This is a key concern.

    How long do key sectors and critical information infrastructure (CII) have to move in positive directions, given not just the necessary changes in resourcing but also in organisational culture? Consider two major observations by the COI.

    Need to Build Internal Ecosystem of Expertise

    First, SingHealth was reliant on IHiS to manage its cyber security risks. The report notes that there should be appropriate cyber security expertise at SingHealth’s senior management level, rather than having this capability wholly outsourced. Key sectors and critical CII will likely have to move in these directions.

    The other critical aspect of Defence-in-Depth is a trained cadre of cyber professionals. As Prime Minister Lee Hsien Loong observed in relation to the attack: “We have to train up our people, institute robust processes, inculcate the right mindsets and enforce accountability.” This will take some time to materialise.

    While many government agencies have launched various schemes to beef up the pool of IT and cyber security experts here, creating an ecosystem of trained security professionals will be a multi-year effort.  In the SingHealth/IHiS cases, there were resourceful individuals who attempted to get to grips with the intrusions, although even those who displayed initiative during the hack were at times out of their depth against a skilled adversary.

    This, however, should be counted as something of a bright spot. States which have faced kinetic threats have made it a habit to quickly promote resourceful individuals, even if they may be junior in years or rank. We should do the same in cyber security.

    Future Threats and Our Approach

    In some ways, Singapore continues to be lucky. We have not yet had a cyber attack that causes actual damage – for example to Industrial Control Systems or Supervisory Control and Data Acquisition systems. We cannot rule out future attacks targeting critical infrastructure or the vast attack surface of the nascent Smart Nation, in order to try to exfiltrate information and data of the type which tells of a society’s core vulnerabilities. This in turn can be used for fake news or disinformation campaigns.

    How do we drill for these bewildering new threats and adversaries who are continually honing their methods? This is difficult, but possible. Relevant agencies should take a leaf from the way terrorism drills over the years have become increasingly realistic, drawing in greater number of agencies and greater swathes of the mass public at all ages (think for example school lockdowns). We need the same kind of mass readiness for cyber, to prepare us for a digital Pearl Harbour.

    Some CII operators in Singapore have been proactive. The Maritime and Port Authority established a Maritime Cyber Security Operations Centre in November 2018 to monitor cyber threats against CIIs. It has also tapped the confidence and trust it had built up with partners overseas to recently establish a network of ports in Asia and Europe to foster closer collaboration and exchange of information on cybersecurity issues.

    The health sector and for that matter all CII operators (including energy and aviation, which might feel somewhat removed from the threat) should consider similar networked approaches with counterparts overseas.

    Need For New Thinking

    Separately, a vulnerability audit should be conducted, starting with CII operators, in order to have an in-depth, holistic perspective of which operators are reluctant or slow to update their cyber security and more importantly their culture. Following this, sectors that are not technically part of Singapore’s cyber CII, such as universities (in particular those parts which work with government and do sensitive research work) should be subject to scrutiny.

    It is not clear how long it will take CIIs and other key sectors to fully digest the implications of the SingHealth hack (and also, now, the HIV data leak). Likewise, can the stakeholders fully absorb the full import of the COI recommendations?

    Can they understand the essential dictum put forward by the Chief Executive of the Cyber Security Agency, David Koh, at the COI: That cyber security should be a key feature rather than “slapped on as an afterthought”, with business efficiency privileged above it, as is often the case now.

    If new thinking permeates at all levels, then some good would have come out of an otherwise disturbing saga.

    About the Author

    Shashi Jayakumar is Head, Centre of Excellence for National Security (CENS) and Executive Coordinator, Future Issues and Technology at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. This commentary first appeared in TODAY, 7 February 2019.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / International Politics and Security

    Last updated on 13/02/2019

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    SingHealth Cyber Attack: Learning from COI Findings

    SYPNOSIS

    How do we protect our critical information infrastructure from evolving threats?  What steps do we need to take to prepare for future adversaries who a ...
    more info