Dr Lim Wee Kiak: To ask the Minister for Defence (a) in the past three years, from which countries did most of the cyber-attacks on the Ministry's military data systems originate; (b) how long did it take the Ministry to detect the breach of its system in the February 2017 attack; and (c) what steps have been taken to strengthen the Ministry's IT systems.
Mr Vikram Nair: To ask the Minister for Defence (a) if he can provide an update on the Ministry's investigations into the cyber-attack on its IT system that took place in February 2017; (b) whether the perpetrators have been uncovered; and (c) what steps may be taken to prevent or minimise the risk from such attacks in future.
Mr Ong Ye Kung: Because computer systems are designed to facilitate connectivity, they are inherently vulnerable to cyber-attackers from any location motivated by mischief, criminal theft or national interest, at varying levels of sophistication. This is a global phenomenon. Symantec, a global cyber-security company, recently reported more than 430 million new pieces of malware in just one year. The Ministry of Defence (MINDEF) and the Singapore Armed Forces (SAF) systems are no different, and on a daily level, experience hundreds of thousands of cyber-intrusion attempts ranging from simple probes to sophisticated cyber-espionage efforts. The latter include covert attacks by highly skilled operators who mask or obfuscate their actions by routing through multiple countries to hide their real point of origin.
MINDEF/SAF adopts a multi-layered, risk-based approach to cyber-defence which balances between connectivity and speed on one hand, and security on the other. On one extreme are networks which contain sensitive military information, which are physically separated from the Internet and further protected with encryption and access controls. On the other extreme are systems, like I-net, aimed to facilitate connectivity and ease of use with limited security features which require some personal information of users for access. The I-net system contains no classified information and is designed to allow NSmen on In-Camp Training to access the Internet for civilian work and personal matters when in camp. However, across all MINDEF/SAF networks, multiple sensors, intrusion detection systems and firewalls are placed at critical nodes to detect intrusion attempts and activities.
Computer systems globally are updated consistently with new applications. Each new change can potentially introduce vulnerabilities. It takes about 120 days, on average, for industry players to develop a patch. Cyber-attackers exploit this window of vulnerability by evading the most commonly used commercial sensors and anti-virus signatures. Industry reports cite an average of about 150 days, five months, before a breach is discovered in any computer system. For example, the hacking into the US Government's Office of Personnel Management began in November 2013, but was only discovered in March 2014. That is about a four-month lapse. This breach resulted in the loss of up to 18 million personal data records. More recently, hackers breached the email servers of the Democratic National Committee in mid-2015, and this was detected only in April 2016, almost a year later and by which time, all of their emails and chats had been stolen.
The breach of MINDEF's I-net system was detected on 1 February 2017, and the affected server was taken offline. Forensic investigations on the I-net system showed that the breach had occurred weeks before detection. The modus operandi was consistent with a covert attack, with means used to mask the perpetrator's actions and intent. Our investigations are ongoing but findings will be kept confidential for security reasons. Other relevant Government agencies were also informed about the breach, and the 854 personnel, whose personal information was stolen, were contacted to take the necessary precautions.
As part of ongoing initiatives to strengthen our cyber-systems, MINDEF/SAF will develop better assessment tools, data analytics and content scanning engines to enhance our response to cyber-attacks. We will also review the storage of personal data on our Internet systems to minimise risks of cyber-theft.