Lately there have been multiple instances of large-scale cyberattacks on government institutions. The Center for Strategic & International Studies reported several significant incidents over the last year, including:

  • Taiwan's presidential office and foreign ministry were hit by a DDoS attack.
  • Montenegro witnessed a cyberattack on its state bodies.
  • In Finland, the official website of the parliament was brought down with a DDoS attack.
  • In the UK, social media accounts of the British Royal Army were taken over by hackers.

One of the most prominent reasons behind these global cyberattacks is cyber espionage and cyberwarfare. State-sponsored attackers target a rival country in an attempt to destabilize its economy and infrastructure.

The digitization of governments has created more room for vulnerabilities, making them an easy target for cybercrime. A recent HP study on nation-state cyberattacks found more than 200 cybersecurity incidents against countries in the past 11 years.

To survive in this risk-filled environment, it has become imperative for nations to reform their defense strategies. One such strategy is the Zero Trust model.

This model gives governments the flexibility and scalability to transition from a network-based defense model to a more comprehensive framework. Zero Trust helps governments attain cybersecurity maturity by addressing crucial questions such as:

  • What are the user activities happening within a network?
  • What endpoint devices and assets are accessing the enterprise network?
  • What is the risk associated with each user and device within a network?
  • Is there any unauthorized access and transfer of sensitive data via any medium (email, printers, USB devices, etc.)?
  • Is a user request for a particular access to a resource trustworthy?
  • For how long can a user access a requested service or resource?

One of the countries that has recently adopted a Zero Trust approach is Singapore. The city-state has taken a strong stance by shifting its security paradigm away from a perimeter-based approach, and has blazed a trail for other countries to learn from and follow. The Zero Trust architecture will apply to all of Singapore's government applications and information technology systems.

"We could no longer just depend on preventive measures. We were also looking at international developments to adopt a 'Zero-Trust' approach," said Josephine Teo, minister for communications and information, at the Tallinn Digital Summit in Estonia last year.

Addressing the attendees at the Summit, Teo emphasized that it is the need of the hour for Singapore to migrate from a "threat prevention" approach to an "assume breach" approach.

The Zero Trust model aims to strengthen organizations by helping them take a holistic approach to cybersecurity posture. This can be achieved when organizations follow the right techniques and strategies according to their infrastructure's requirements. Some of the guiding principles of Zero Trust are microsegmentation, single sign-on, multi-factor authentication, the principle of least privilege, and continuous monitoring and auditing of user activities (we have discussed this in detail in our previous blog on Zero Trust).

One of the reasons that propelled Singapore towards the Zero Trust model was the data breach at the country's largest group of healthcare institutions, SingHealth. In this attack, the healthcare records and sensitive personal information of 1.5 million citizens, including Prime Minister Lee Hsien Loong, were compromised.

Here are a few of the many steps taken by the Singapore government in light of its new defense strategy:

  • Testing government systems regularly to discover vulnerabilities before any compromise.
  • Providing authenticated and authorized access to all users and network resources through security methods like multi-factor authentication (MFA), where a minimum of three factors should be used to authenticate a user. These could include something the user knows (a password), something the user owns (an OTP on an authenticator app), and something the user is (a biometric such as a fingerprint).
  • Forming a new Government Cybersecurity Operations Centre that will perform real-time online monitoring of actions in the public sector.
  • Deploying chief information security officers across the public sector to concentrate squarely on the cyberhealth of the government.
  • Implementing tailored measures to secure public-sector infocommunications and smart systems based on factors such as the criticality and sensitivity of the systems and the information residing in them.
  • Upskilling government officials by providing cyber training through GovTech's Digital Academy.
  • Guiding the government cybersecurity teams on the cyber skills they require by designing a reference framework.

To complement this cyber initiative, Teo has signed a memorandum of understanding (MOU) with Andres Sutt, Estonia's minister of entrepreneurship and information technology.

Under this MOU, both countries will share their knowledge in the cybersecurity space and help strengthen each other by formulating effective policies. In fact, Estonia has already delivered cyber training to Singapore's ministry of defense and the Singapore Armed Forces (SAF).

Singapore's commitment to defending against cyberwarfare is an inspiration, and a signal for other countries to revisit their cyber defense strategies.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.