In 2005, just over a decade ago, the majority of large internet user populations, certainly as a percentage of their total national population, were still to be found in North America and Europe. In 2025, less than a decade from now, many of the largest internet user populations will be in Asia. Asia will be a fulcrum of cyberspace and it will also be, inevitably, a fulcrum of both cybercrime and cybersecurity. As such, cybersecurity policy decisions being made today in Asia will significantly shape cyberspace in 2025 and beyond. Given the interconnected nature of cyberspace, their impact will be global.
While many analysts focus on Asia’s large political and economic players, such as Tokyo and Beijing, I will take a look at Singapore, whose smaller size has allowed it to be agile and power ahead in terms of online innovation. It is clear that the government realized that technology is central to both the country’s current economic success and its future prospects. Not only has it strived to make Singapore a hub for industries highly reliant on technology, such as financial services, it has focused its investments to ensure the country can become a true “Smart Nation”. That has meant being bold in adopting new technologies and, on occasion, facilitating experimentation, for example through the recently outlined a “big data sandbox” initiative.
Moreover, Singapore has also realized that it can only be successful in this space if it can adopt technology securely. Its approach, which is to give clear guidance to key parts of the economy and to cooperate closely with the private sector to help create, refine and enact that guidance with an eye to ensuring future innovation, is a worthwhile example for other Asian governments. Its early push in ensuring key industry sectors can move to the cloud securely through the adoption of the Multi-Tier Cloud Security standard, has been followed by complementary initiatives, such as the Cloud Implementation Guide, developed by the Association of Banks in Singapore (ABS). Central to the success of both of the documents has been a close partnership with those they intended to guide, i.e. both cloud providers and those adopting new technologies. This mirrors the positive model of public-private engagement that underpinned the successful NIST Cybersecurity Framework in the United States.
More recently, the Singaporean Cybersecurity Agency (CSA) has made cybersecurity even more of a priority for the country. The Cybersecurity Strategy, launched in October 2016, aims to build a resilient and trusted cyber environment by focusing on four pillars: i) Building a Resilient Infrastructure; ii) Creating a Safe Cyberspace; iii) Developing a Vibrant Cybersecurity Ecosystem; and iv) Strengthening International Partnerships. First outcomes can already be seen, with the revised Cybercrime Act adopted in April.
Moreover, the government has already begun consultations on its Cybersecurity Act, which we expect to be introduced by the end of the year. It will be interesting to observe whether Singapore follows models that have been put forward by the above-mentioned NIST Cybersecurity Framework, or takes an approach closer to that put forward by the European Union with the Network and Information Security Directive. On the other hand, it could put forward its own model. After all, frameworks for protecting critical infrastructure online are evolving. Countries are debating the benefits of regulatory vs. voluntary approaches, struggling to balance information sharing and incident reporting, and managing the role of regulators in an area that cuts across typical boundaries between industry sectors.
Singapore is not, however, only looking inwards. It is making an active contribution to regional cybersecurity, having launched an ASEAN Cyber Capacity Program (ACCP). As well as capacity-building activities, developing technical skills, and incident response capabilities, the ACCP will support discussion and consultancy work in areas such as the creation of national cybersecurity agencies, cybersecurity strategies, and even cybersecurity legislation. This initiative highlights an important understanding: that in an interconnected world, an individual, organisation or state is only as safe in cyberspace as its weakest link.
Although I remain concerned that Singapore’s approach to network separation could create problems for government, business and citizens, what distinguishes Singapore’s approach, overall, is its determination to tackle cybersecurity without cutting off its connections to the region and the world. Perhaps for an island nation that depends upon commerce the logic of putting up barriers is particularly inimical, but it nonetheless demonstrates that it can be done: governments can build cybersecurity without harming openness and innovation. Looking at Singapore, I would hope that other governments, not just in Asia but around the world, can see that infrastructure, businesses and citizens can all be protected without the loss of the interconnectedness and opportunities of cyberspace.