SINGAPORE: The Government has set up an inter-agency counter-ransomware task force to pool representatives from different sectors and better tackle what has become a growing worry among businesses in Singapore.
The task force, set up earlier this year, will develop and make recommendations on possible policies, operational plans and capabilities to improve Singapore’s counter-ransomware efforts, the Cyber Security Agency of Singapore (CSA) said in a media release on Wednesday (Oct 19).
It comprises senior government representatives from the technology, cybersecurity, financial regulation and law enforcement domains.
Participating entities include CSA, the Government Technology Agency, the Infocomm Media Development Authority, the Monetary Authority of Singapore, the Singapore Armed Forces and the Singapore Police Force.
"Ransomware has become a growing concern for businesses in Singapore," CSA said, highlighting that the number of ransomware cases in Singapore has gone up by 54 per cent between 2020 and 2021.
"Around the world, ransomware attacks have also intensified in scale and impact, becoming threats to essential services and important infrastructure."
The task force is also looking at how to coordinate Singapore’s international engagement strategy in fighting ransomware, as well as push for greater international cooperation in cybersecurity, financial supervision and cross-border law enforcement operations.
"Ransomware is also a cross-border problem. Ransomware criminals are often based overseas and leverage jurisdictional boundaries to move illicit assets and evade legal consequences," CSA added.
Microsoft said in a blog post on Oct 14 that a newly discovered hacking group had attacked transportation and logistics companies in Ukraine and Poland with a novel kind of ransomware.
Researchers found that the hacks closely mirrored earlier attacks by a Russian government-linked cyber team that had disrupted Ukraine government agencies, Reuters reported.
Singapore's Coordinating Minister for National Security Teo Chee Hean cited how a ransomware attack on Costa Rica earlier this year crippled essential services in the country, forcing the Costa Rican government to declare a state of national emergency.
"Ransomware criminals can be opportunistic and highly sophisticated," he said in a speech at the opening ceremony of the Singapore International Cyber Week on Wednesday.
"They take advantage of poor cybersecurity practices to gain access to their victims’ systems and data. They bet on victimised organisations being more willing to pay the ransom and hide the attack than to report the crime. They take advantage of gaps between jurisdictions to evade law enforcement."
Mr Teo, who is also Senior Minister, said the task force will bring businesses, the Government and international partners together to counter ransomware attacks more effectively.
CSA said the task force will deliver a report recommending strategies that the Government can take to improve its counter-ransomware efforts. "The report will be published in due course," CSA said.
Businesses will also get an extra incentive to improve their cybersecurity practices, as the CSA plans to rate their Internet hygiene in a table published on a "regular basis".
"This is aimed at helping consumers make informed choices to better safeguard their digital transactions from cyber threats," CSA said.
CSA said it will start by rating the top 10 businesses in the e-commerce sector, a move that comes after the Ministry of Home Affairs published in May similar ratings for e-commerce platforms' anti-scam efforts.
The Internet hygiene rating is based on the average adoption of Internet security best practices, curated by CSA as common globally recognised baseline Internet standards and security controls, the agency said.
These include important Internet security protocols like HTTPS to secure website communications between parties, DNSSEC to prevent DNS spoofing, hijacking and cache poisoning, and DMARC to prevent email spoofing.
Businesses will be given a green tick, yellow tick or red cross, depending on how many Internet best practices they have implemented.
"Many enterprises, particularly small- and medium-sized enterprises, lack awareness and/or have low adoption of Internet security best practices to safeguard their domains, websites and email servers," CSA said.
"This puts customers of these companies at risk because their data and details of their transactions with the company may not be properly secured."
Mr Teo said the ratings will allow users to do "health checks" on whether the websites they visit have the necessary security protocols.
"Individuals need to be aware of cyber risks, be capable of protecting themselves, and be responsible for their own safety and security online," he said.
CSA said it will engage businesses in other sectors like banking and finance as well as healthcare, and similarly publish their ratings.
The ratings are part of an Internet hygiene portal, a new one-stop platform with resources and self-assessment tools to help businesses adopt Internet security best practices as they digitalise.
"As Singapore builds up its digital economy and more businesses go online, cyber threats such as ransomware and phishing will remain major concerns," CSA said.
Mr Teo said COVID-19 has accelerated the adoption of digital technologies in everyday life, be it in digital payments, shopping, chatting with friends, travelling or business.
"Securing the digital domain and ensuring a trusted cyberspace will enable all of us to enjoy the fruits of the digital revolution, and its promise of economic progress and a better life," he said.
CSA also confirmed that it will rate medical devices according to the level of their cybersecurity provisions, in an extension of its cybersecurity labelling scheme.
The scheme was introduced in 2020 to help consumers make informed choices when buying increasingly pervasive network-connected smart devices, which hackers can exploit to steal personal data. Such devices include home routers and IP cameras.
Likewise, CSA said medical devices are now increasingly connected to hospitals and home networks, in the intranet and Internet.
"While these connected medical devices benefit patients and healthcare providers, particularly in real-time monitoring of health status, rising connectivity could also increase cybersecurity risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes," the agency said.
Plans to include medical devices in the labelling scheme were announced as early as July, when tech website ZDNet quoted CSA chief executive David Koh as saying that medical devices needed to be secure as they could cause personal injury.
The ZDNet report, citing a CSA document, said medical devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to "collect, store, process, or transfer data".
They would also be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually.
CSA said the rating of medical devices will incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry.
"This will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions," it said.
Medical devices will be rated one of four levels. Level 1 means the device meets baseline regulatory requirements, aligned with the Health Sciences Authority's current registration requirements for medical devices.
Each subsequent level represents an additional layer of testing to ensure the device meets improved cybersecurity requirements, such as device and data requirements.
"For the higher levels of the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation," CSA said.
"More details on the industry consultation and registration (for the medical device labelling scheme) will be announced in due course."
Continue reading...
The task force, set up earlier this year, will develop and make recommendations on possible policies, operational plans and capabilities to improve Singapore’s counter-ransomware efforts, the Cyber Security Agency of Singapore (CSA) said in a media release on Wednesday (Oct 19).
It comprises senior government representatives from the technology, cybersecurity, financial regulation and law enforcement domains.
Participating entities include CSA, the Government Technology Agency, the Infocomm Media Development Authority, the Monetary Authority of Singapore, the Singapore Armed Forces and the Singapore Police Force.
"Ransomware has become a growing concern for businesses in Singapore," CSA said, highlighting that the number of ransomware cases in Singapore has gone up by 54 per cent between 2020 and 2021.
"Around the world, ransomware attacks have also intensified in scale and impact, becoming threats to essential services and important infrastructure."
Related:
The task force is also looking at how to coordinate Singapore’s international engagement strategy in fighting ransomware, as well as push for greater international cooperation in cybersecurity, financial supervision and cross-border law enforcement operations.
"Ransomware is also a cross-border problem. Ransomware criminals are often based overseas and leverage jurisdictional boundaries to move illicit assets and evade legal consequences," CSA added.
Microsoft said in a blog post on Oct 14 that a newly discovered hacking group had attacked transportation and logistics companies in Ukraine and Poland with a novel kind of ransomware.
Researchers found that the hacks closely mirrored earlier attacks by a Russian government-linked cyber team that had disrupted Ukraine government agencies, Reuters reported.
Singapore's Coordinating Minister for National Security Teo Chee Hean cited how a ransomware attack on Costa Rica earlier this year crippled essential services in the country, forcing the Costa Rican government to declare a state of national emergency.
"Ransomware criminals can be opportunistic and highly sophisticated," he said in a speech at the opening ceremony of the Singapore International Cyber Week on Wednesday.
"They take advantage of poor cybersecurity practices to gain access to their victims’ systems and data. They bet on victimised organisations being more willing to pay the ransom and hide the attack than to report the crime. They take advantage of gaps between jurisdictions to evade law enforcement."
Mr Teo, who is also Senior Minister, said the task force will bring businesses, the Government and international partners together to counter ransomware attacks more effectively.
CSA said the task force will deliver a report recommending strategies that the Government can take to improve its counter-ransomware efforts. "The report will be published in due course," CSA said.
RATING INTERNET HYGIENE OF E-COMMERCE COMPANIES
Businesses will also get an extra incentive to improve their cybersecurity practices, as the CSA plans to rate their Internet hygiene in a table published on a "regular basis".
"This is aimed at helping consumers make informed choices to better safeguard their digital transactions from cyber threats," CSA said.
CSA said it will start by rating the top 10 businesses in the e-commerce sector, a move that comes after the Ministry of Home Affairs published in May similar ratings for e-commerce platforms' anti-scam efforts.
The Internet hygiene rating is based on the average adoption of Internet security best practices, curated by CSA as common globally recognised baseline Internet standards and security controls, the agency said.
These include important Internet security protocols like HTTPS to secure website communications between parties, DNSSEC to prevent DNS spoofing, hijacking and cache poisoning, and DMARC to prevent email spoofing.
Businesses will be given a green tick, yellow tick or red cross, depending on how many Internet best practices they have implemented.
Related:
"Many enterprises, particularly small- and medium-sized enterprises, lack awareness and/or have low adoption of Internet security best practices to safeguard their domains, websites and email servers," CSA said.
"This puts customers of these companies at risk because their data and details of their transactions with the company may not be properly secured."
Mr Teo said the ratings will allow users to do "health checks" on whether the websites they visit have the necessary security protocols.
"Individuals need to be aware of cyber risks, be capable of protecting themselves, and be responsible for their own safety and security online," he said.
CSA said it will engage businesses in other sectors like banking and finance as well as healthcare, and similarly publish their ratings.
The ratings are part of an Internet hygiene portal, a new one-stop platform with resources and self-assessment tools to help businesses adopt Internet security best practices as they digitalise.
"As Singapore builds up its digital economy and more businesses go online, cyber threats such as ransomware and phishing will remain major concerns," CSA said.
Mr Teo said COVID-19 has accelerated the adoption of digital technologies in everyday life, be it in digital payments, shopping, chatting with friends, travelling or business.
"Securing the digital domain and ensuring a trusted cyberspace will enable all of us to enjoy the fruits of the digital revolution, and its promise of economic progress and a better life," he said.
RATING CYBERSECURITY OF MEDICAL DEVICES
CSA also confirmed that it will rate medical devices according to the level of their cybersecurity provisions, in an extension of its cybersecurity labelling scheme.
The scheme was introduced in 2020 to help consumers make informed choices when buying increasingly pervasive network-connected smart devices, which hackers can exploit to steal personal data. Such devices include home routers and IP cameras.
Likewise, CSA said medical devices are now increasingly connected to hospitals and home networks, in the intranet and Internet.
"While these connected medical devices benefit patients and healthcare providers, particularly in real-time monitoring of health status, rising connectivity could also increase cybersecurity risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes," the agency said.
Plans to include medical devices in the labelling scheme were announced as early as July, when tech website ZDNet quoted CSA chief executive David Koh as saying that medical devices needed to be secure as they could cause personal injury.
The ZDNet report, citing a CSA document, said medical devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to "collect, store, process, or transfer data".
They would also be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually.
CSA said the rating of medical devices will incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry.
"This will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions," it said.
Medical devices will be rated one of four levels. Level 1 means the device meets baseline regulatory requirements, aligned with the Health Sciences Authority's current registration requirements for medical devices.
Each subsequent level represents an additional layer of testing to ensure the device meets improved cybersecurity requirements, such as device and data requirements.
"For the higher levels of the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation," CSA said.
"More details on the industry consultation and registration (for the medical device labelling scheme) will be announced in due course."
Continue reading...