Singapore sets up task force to look into impact of CrowdStrike incident
It will assess if further measures are needed to improve the Republic’s digital resilience
A TASK FORCE will look into the impact of the CrowdStrike IT outage to understand if further measures are needed to improve Singapore’s digital resiliency, said Minister for Digital Development and Information Josephine Teo in Parliament on Wednesday (Aug 7).
IT systems may experience outages and disruptions from time to time, but “it is not yet fully understood what caused a relatively routine software update to have created such major disruptions around the world”, said Teo, in response to questions from Members of Parliament (MPs).
The task force, set up by the Ministry of Digital Development and Information, will “engage relevant partners to gain insights into the incident and assess if further measures should be taken to improve Singapore’s resilience when such disruptions occur”.
Last month, a software update from cybersecurity firm CrowdStrike triggered a global tech outage that caused massive disruptions to businesses with Microsoft Windows-based computers.
The Republic’s businesses were hit too, with Singapore Airlines, Singtel and Singapore Post among the companies which reported disruptions to certain services.
Passenger check-in for some airlines at Changi Terminal 4 and gantry operations at some Housing and Development Board car parks were also affected.
In her reply, Teo noted that government services and most essential services in Singapore were unaffected by the outage.
For the businesses that were hit, impact was largely limited to internal staff, she said. Customers were affected by service disruptions only in a “minority of cases”.
Business continuity plans also kicked in during the outage. For instance, airlines conducted flight ticketing and check-ins manually.
The Singapore Cyber Emergency Response Team of the Cyber Security Agency of Singapore also quickly issued an advisory to guide affected system administrators and users on how to manually recover their systems.
“Most of the affected IT systems had recovered within a day, and services returned to normal,” said Teo.
Even with the best efforts, not all disruptions can be prevented, said the minister. “System owners should therefore have plans in place to help them to recover quickly from unexpected disturbances.”
The government adopts a risk-based approach to ensure its critical systems and essential services are resilient, including subjecting all such services to stringent requirements and putting in place robust business continuity, disaster recovery and incident response plans.
The Cybersecurity Act and other sectoral regulations also hold service providers accountable for meeting baseline security and resilience requirements, said Teo.
Businesses must conduct their own risk assessments and put in place appropriate business continuity plans in the event of future disruptions, she added.
People’s Action Party MP Alex Yam and Workers’ Party MP Gerald Giam asked if the government will consider mandating businesses to adopt business contingency plans, review their IT procurement practices and diversify their sources of vendors.
Aside from the CrowdStrike incident, device management app Mobile Guardian wiped the devices of about 13,000 students earlier this week after a cybersecurity breach, noted Giam.
Responding, Teo said the government has to be “quite careful” about imposing compulsory requirements.
“If we attempt to prescribe the measures that businesses must take... it could take agency and sense of ownership away from the IT systems’ owners, because the thinking could be that if the government does not say so, then we don’t need to do so,” she said.
Such an approach is also unwise, as it is not possible for the government to fully understand all the components that go into systems resilience, and all the issues which could cause a major disruption, she added.
“We will, in certain instances, require measures to be mandated. But in the vast majority of cases, it is important to require the systems’ owners to take ownership.”
As for public service systems, Teo said critical functions have to cater for redundancy, such as having a failover for both hardware and software components, networks and databases, as well as “aspects of the physical environment”.
Giam also asked if current legislation adequately addresses the risks posed by supply chain failures in digital infrastructure.
To this, Teo replied that the Cybersecurity Act’s threat and risk assessment for critical information infrastructures already covers supply chain risks.
For instance, under the Cybersecurity Code of Practice, owners of critical information infrastructures must have a diversity of defences to guard against IT attacks.
Software systems must also be interoperable to ensure this diversity, said the minister. The threat and risk assessment is also reviewed at regular intervals to ensure it remains up to date.
Copyright SPH Media. All rights reserved.