On July 20, the Singapore government officially confirmed that the city-state’s health system was the target of a cyberattack last month in what was characterized as the most serious breach of personal data in its history. The incident has once again spotlighted Singapore’s challenge in tackling growing cyber threats in spite of the efforts it has taken in recent years both on its own and in concert with key partners.
As I have noted before in these pages, Singapore has long been paying keen attention to the cyber domain, as a developed, highly networked country that relies on its reputation for security and stability to serve as a hub for businesses and talent. And with the Singapore government itself experiencing breaches over the past few years, the city-state has begun unveiling a series of initiatives to boost cybersecurity, including creating new institutions, training cybersecurity personnel, and collaborating more with the private sector and other regional actors as well. Singapore has also made cybersecurity a priority during its holding of the annually rotating chairmanship of the Association of Southeast Asian Nations (ASEAN) regional grouping (See: “ASEAN Cybersecurity in Focus Under Singapore’s Chairmanship”).
Yet Singapore’s cyber challenge nonetheless continues to be a serious one for policymakers, as evidenced by a string of attacks that have targeted government agencies and government-linked institutions, including the defense ministry back in 2017. Last month, Singapore’s Cyber Security Agency (CSA) released a report which warned that cyber threats within the country had shown no signs of abating, mirroring the global cyber landscape where threats continued to grow in frequency and impact, including a shift from profit-motivated attacks to more massive disruptions.
This week, another cyberattack reinforced the seriousness of Singapore’s cyber challenge. According to a government statement, a “deliberate, targeted, and well-planned cyberattack” occurred between late June and early July targeting Singapore’s health system SingHealth, resulting in the accessing and copying of 1.5 million patients’ records and 160,000 outpatient dispensed medicine records, including those of Prime Minister Lee Hsien Loong. The Singapore government appears to have established the perpetrator, but officials have so far not publicly disclosed this.
The implications of the attack are severe. The incident itself reinforces Singapore’s longstanding worries about how cyberattacks could target important infrastructure and services such as healthcare. The fact that Lee’s data was repeatedly and systematically targeted by the attackers only further adds to the seriousness.
Beyond the incident itself, the attack will also likely shape the city-state’s ongoing plans on information technology and digitization, even as the Singapore government has already taken steps to address it, from tightening the security of SingHealth’s IT systems to convening a Committee of Inquiry on the matter. Indeed, Singapore officials have already suggested that certain IT-related projects that had been introduced may have to be paused pending the introduction of additional safeguards.
At the same time, Lee rightly emphasized in a statement on Facebook following the disclosure of the attack that while preventing attacks ought to be a “ceaseless effort,” and individual breaches ought to be dealt with quickly and firmly, fear should not get in the way of Singapore’s efforts to continue to become more technologically advanced.
“We cannot go back to paper records and files,” Lee said. “We have to go forward, to build a secure and smart nation.”