The assistant chief executive of Singapore’s Cyber Security Agency, Brigadier General Gaurav Keerthi, says the island nation now considers providing a secure environment to citizens and businesses the equivalent of providing fresh water and sewerage services, and will next week improve digital hygiene with a voluntary scheme that will rate the security consumer broadband gateways.
Speaking at the Black Hat Asia conference in Singapore today, Keerthi explained that it’s his job to defend Singapore from cyber-threats. To explain his approach he started with a little history lesson in which he recounted how in the 1800s securing a fresh water supply and disposing of waste water were seen as personal responsibilities. Once it was realised that public health crises were the result of that attitude, widespread rollout of a universal fresh water supply and sewerage quickly became seen as a public good that governments needed to provide.
Keerthi said government thinking about information security is mired in that 1800s mentality of hoping citizens will do the right thing, or can be scolded into better behaviour. But with everyday life increasingly dependent on online services, he said Singapore has decided it is time to provide the infosec equivalent of clean tap water to all.
One way the nation is doing so is with services that the private sector can – pardon the pun – tap into. To that end the country offers “SingPass”, a national identity scheme that links citizens to services and is also offered to private enterprise such as banks as a free-to-use alternative to developing their own authentication schemes.
“We want to make the secure process the easier process,” Keerthi explained, promising the announcement of more such services for developers next week.
Also to be revealed next week is a “Consumer labelling service” for connected devices.
Business top brass are terrified their companies will simply be collateral damage in a future cyber-war
The scheme will initially see gateways provided by ISPs and smart hubs rated with a four-star assessment of their security. Keerthi likened the ratings to nutrition advice on food packaging and said the aim of the scheme is to have vendors aspire to winning good ratings and make investments that will make their products, and therefore Singapore, more secure.
Singapore has form in this field, he said, with energy efficiency ratings for air conditioners. Before the advent of those ratings, Keerthi said, consumers bought on price and manufacturers raced to the bottom. Today he says manufacturers even claim they would achieve a six-star rating if Singapore’s scheme did not max out at five stars.
Keerthi said the scheme will not be mandatory, but over time he thinks it will become natural for vendors to participate.
The Register asked how Singapore plans to secure participation in the scheme given the sheer quantity of connected devices on offer. Keerthi’s answer was “one at a time”, starting with devices that have the greatest potential for harm.
Details of how devices will be rated will be revealed during Singapore International Cyber Week 2020, which starts on October 5th.
Keerthi also said that Singapore hopes to share its consumer tech labelling scheme with other nations, as it believes the notion of infosec as a public good will become widespread to safeguard increasing dependence on national services and therefore improve national security. ®