How the government chief information security officer keeps cyberspace secure
The Singapore government is crafting policy, tapping technology and engaging with the community to strengthen the defence of government IT assets and citizen data, says Mr Chai Chin Loon, government chief information security officer.
If you had all the resources in the world, how would you protect your home against an intruder? You might put up CCTV cameras, install motion sensors along the walkways leading to your apartment, use multiple locks on the gates, employ a guard to patrol the surrounding premises—and, for extra measure, keep a guard dog. Even then, determined and intelligent thieves could find their way in and leave with your precious personal items.
Such a scenario has its parallels in the digital realm. No matter how robust one’s cyber defences are, a chink in the metaphorical ‘armour’ can always be found and exploited, given enough time. What this means is that cybersecurity systems deployed by individuals and organisations need to be dynamic—constantly evolving with emerging technologies and threats.
Mr Chai Chin Loon, government chief information security officer and senior director at the Government Technology Agency of Singapore (GovTech), knows this all too well. On the frontlines of the cybersecurity arms race, his daily challenge is to keep government digital assets and citizen data safe from malicious actors.
“From the government’s perspective, we have to cover the whole spectrum of cyber defence, from protecting against lone-wolf hackers all the way up to highly sophisticated and well-resourced state actors,” he said.
A lesson in trade-offs
When it comes to cybersecurity, “throwing” all available security controls at the problem won’t work, in Mr Chai’s opinion. Instead, he advocates a balance among three key parameters: security, cost and functionality.
“Historically, cybersecurity has been focused on protection. The higher the ‘walls’ you put in place, the more layers you have, the more secure you are. But security has a cost,” he emphasised, referring not only to the financial cost of implementing cybersecurity measures but also to the cost in terms of missed opportunities to provide greater value to users.
“If we keep increasing the security we put around the three groups of our core users—our citizens, our businesses and our public servants—it will affect their productivity and their ease of use,” he said. “So we have to find the right balance to achieve security without overly inconveniencing users to the point they stop using the services that are provided to them, and end up finding alternatives that may be non-sanctioned ways of doing things.”
What’s needed, then, is a calibrated framework in which protections in cyberspace are pegged to the sensitivity of the activities being carried out or the data being accessed. One useful way to do this is to segregate information into tiers—for example, ‘secret’, ‘confidential’, ‘restricted’ and ‘unclassified’. Each tier is then subject to a different level of access restriction, activity logging and so on. Tiering of this kind embodies a risk-based approach to security, said Mr Chai, and helps organisations prioritise their cybersecurity efforts where the sensitivity is highest.
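The tiering idea above can be expressed as policy-as-code: each tier carries a minimum set of controls, a request is judged against the tier of the most sensitive record it touches, and the logging level follows the tier. The following is an added illustration written for this page, not code from GovTech or the IM8 document; the four tier names come from the article, while the specific control values (authentication levels, network zones, logging levels) and the `evaluate` function are assumptions chosen for the example.

```python
"""Tier-based access decision with tier-dependent logging (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Ordered so that max() over a set of records yields the most sensitive tier."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Controls:
    min_auth_level: int          # assumed scale: 1 = password, 2 = MFA, 3 = hardware token
    allowed_networks: frozenset  # assumed network zones a client may connect from
    log_level: str               # "none", "access" (who/what) or "full" (who/what/which records)


# Assumed per-tier control baseline; a real policy would come from the organisation's standard.
POLICY = {
    Tier.UNCLASSIFIED: Controls(1, frozenset({"internet", "intranet"}), "none"),
    Tier.RESTRICTED:   Controls(1, frozenset({"intranet"}), "access"),
    Tier.CONFIDENTIAL: Controls(2, frozenset({"intranet"}), "full"),
    Tier.SECRET:       Controls(3, frozenset({"airgapped"}), "full"),
}


@dataclass(frozen=True)
class Request:
    user: str
    auth_level: int
    network: str
    record_tiers: tuple  # tiers of every record the request would read


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: Tier
    reasons: tuple          # why access was denied; empty when allowed
    audit: Optional[dict]   # audit entry to persist, or None when the tier needs no logging


def effective_tier(record_tiers) -> Tier:
    """A request is governed by its most sensitive record (highest tier wins)."""
    return max(record_tiers, default=Tier.UNCLASSIFIED)


def evaluate(req: Request) -> Decision:
    tier = effective_tier(req.record_tiers)
    ctl = POLICY[tier]
    reasons = []
    if req.auth_level < ctl.min_auth_level:
        reasons.append(f"auth level {req.auth_level} below required {ctl.min_auth_level}")
    if req.network not in ctl.allowed_networks:
        reasons.append(f"network '{req.network}' not permitted for tier {tier.name}")
    allowed = not reasons

    # Denials are always recorded; successful access is recorded per the tier's log level.
    audit = None
    if not allowed or ctl.log_level != "none":
        audit = {"user": req.user, "tier": tier.name, "allowed": allowed, "network": req.network}
        if ctl.log_level == "full" or not allowed:
            audit["records"] = [t.name for t in req.record_tiers]
            audit["reasons"] = list(reasons)
    return Decision(allowed, tier, tuple(reasons), audit)


if __name__ == "__main__":
    # Constructed sample requests for a quick run.
    for r in (
        Request("alice", 2, "intranet", (Tier.RESTRICTED, Tier.CONFIDENTIAL)),
        Request("bob", 1, "intranet", (Tier.CONFIDENTIAL,)),
        Request("carol", 3, "intranet", (Tier.SECRET,)),
        Request("dave", 1, "internet", ()),
    ):
        print(evaluate(r))
```

Two design points are worth noting. Mixing one confidential record into a batch of restricted ones raises the whole request to the confidential baseline, which is the "highest classification wins" rule that keeps a user from laundering sensitive data through a less-sensitive query. And denials are always logged regardless of tier, because a pattern of refused requests against high-tier data is itself a detection signal even when the tier's normal access logging is off.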
Giving guidance
Often, the deployment of a calibrated cybersecurity framework requires leadership at the level of policy setting. But where do policymakers take reference from to craft such frameworks?
Mr Chai highlighted that the Singapore government references relevant international cybersecurity standards and best practices, such as those published by the US National Institute of Standards and Technology and the European Telecommunications Standards Institute’s Cybersecurity Technical Committee. This has resulted in the security portion of the IM8 document, which consists of government policies, standards and guidelines for IT security.
Yet simply putting out a policy document is not enough, said Mr Chai. “After crafting the policy, we need to help the system implementers understand how to comply with it because otherwise, there may be different interpretations of the policy,” he noted, adding that within the government, a group of cybersecurity consultants exists to advise the various agencies on IM8 compliance matters and to take a risk-based approach to securing their systems. Regular consultations are also important because of the fast-moving frontier of cybersecurity—policy cannot remain static and will need to be updated frequently.