Malware, ransomware, APTs (advanced persistent threats), and other attacks have all made headlines in global media. In response, Singapore’s Ministry of Communications and Information government has proposed a Cybersecurity Bill 2017 (PDF) intended to protect critical information infrastructure (CII) in Singapore including essential services such as governments, hospitals, public utilities, transportation, telecoms, and finance.
Punitive measures
The proposed Bill, open for public consultation gives powers to the CSA (Cyber Security Agency of Singapore), and places great responsibility on CII executives,with with punitive measures for non-compliance. It also proposes a licensing framework for penetration testing and managed security vendors.
Some analysts foresee challenges, including areas like cost and manpower. But how would the Bill, once ratified, affect vendors and service providers?
According to the draft Bill “Cyber-attacks are increasingly frequent, sophisticated and impactful.” What does that mean?
Let’s walk through that statement and take a look.
- Frequent
To most organizations frequent means daily. We see so many attacks we publish a top ten per month. In June, RoughTed - large scale malvertising, affected 28 percent of organizations globally. - Sophisticated
To most organizations this means the attacks are able to evade the traditional defenses in place like anti-virus. One way an attack accomplishes this is to create a unique version of itself for each attack. In the security industry, we call this an ‘unknown attack’.
Check Point has seen a 900 percent increase in unknown malware over the last year. Unknown is a term used to indicate that specific malware hasn’t been seen in that form before and therefore traditional security can’t stop it. WannaCry appeared as a form of zero-day ransomware (exploiting a vulnerability for the first time in the wild), and went on to infect nearly 8 percent of organizations globally - Impactful
By impactful we’re talking about large financial loss, as was the case with the Target breach or destructive as is the case with the most recent large attack called Petya or NotPetya NotPetya looked like earlier versions of Petya albeit with one big difference in this case there was no way to recover the data. This attack was called a “wiper” which means the aim was to destroy the computers it infected. That’s quite an impact.
The effect on data centers
So now that we know why the Bill was crafted let’s discuss what happens when more regulation is introduced. Put simply it is going to complicate the situation for any critical information infrastructure organizations (CIIs), providing essential services to Singapore. The initial list spans energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government, and media.
You can imagine critical infrastructure organizations outsourcing some or all of their security needs to a data center provider
The coverage is broad as are the powers granted CSA (Cyber Security Agency of Singapore) to investigate incidents. In addition, any company considered to be a CII will be required to report an incident and the senior management of those companies will be criminally responsible for any lack of compliance. Here’s the big one that needs more discussion “The Bill will require measures to be taken to enhance the cybersecurity of CIIs before cybersecurity threats and incidents happen…”
So the implications are clear; owners of CIIs will be required to inform on architecture, comply with directions, report incidents, audit, assess & test, and improve their security posture. There are real monetary and criminal penalties for non compliance. If you’re an owner of a CII system or organization, you’ll need to consider if you build the team and the system yourself or if you look to providers for help. Given the licensing of SOC (Security Operation Centers) and penetration testing service providers I believe that the latter will be the larger percentage over time.
This is where data center providers come in. The good news is that the security industry has been preparing for this eventuality for a while so companies and service providers, like data center owners, who consolidate the security controls and focus on prevention will not only be able to comply with the regulations, they will have new business opportunities to provide security as a service to CIIs.
You can imagine a CII looking to outsource some or all of the security needs to a data center provider. More and more we’re seeing hybrid deployments where certain services are outsourced to a specialty provider. In a hybrid deployment it’s important that all the controls are fed intelligence at the same time, are fully integrated so that they work together, and importantly all the data is collected in a central management system that provides all the reporting necessary for the Bill all in one place.
Meeting the challenges
Having to provide the commissioner information about your system is made easy by consolidation and central management. The duty to comply with directions is made easier with a consolidated system managed through a single pane of glass because there are fewer changes to be made when a direction is issued.
Prevention is preferable, because if you prevent an attack, there is no incident to report, no penalties to worry about, and no investigation to disrupt business operations. Prevention, full integration, consolidation, and central management will all help to pass audits under the Bill.
Organizations may see the Cybersecurity Bill as a challenge, but the vendor community is ready to help them overcome this. I applaud the CSA and Singapore for striving for better security for all citizens.
Evan Dumas is head of emerging technologies APAC, Middle East & Africa, for Check Point Software