Preparations for crises such as the recent global tech outage often start in peacetime, when things are going reasonably well, said Minister for Digital Development and Information Josephine Teo.
At such times, safeguards are put in place to prevent incidents from occurring, and plans are drawn up to respond when “things go very wrong”, she wrote in a Facebook post on Jul 21.
“It is precisely when things are going reasonably well that we must take action to fortify our defences,” Teo said, adding that the government regularly stress-tests its systems through tabletop exercises.
The Jul 19 tech outage was related to a software update by cyber-security firm CrowdStrike. It affected nearly 8.5 million Microsoft devices, or less than 1 per cent of all Windows machines, according to a Microsoft blog post on Jul 20.
Companies worldwide, including airlines, banks and media outlets, reported disruptions to their services and operations. In Singapore, services at Changi Airport and Singapore Post were among those affected.
Government services in the Republic, as well as local banks, telcos and hospitals, were not affected by the outage, said the Ministry of Digital Development and Information on Jul 19.
Teo wrote in her post that IT systems in Singapore organisations affected by the outage are “almost fully recovered”.
“Yet the incident has left many of us feeling vulnerable and questioning our heavy reliance on technology for everyday activities,” she noted. “We should be concerned. The real question is what we can do about these concerns.”
Teo said that fortifying Singapore’s defences starts with robust testing and putting in place safeguards to prevent such incidents from occurring.
“Testing and red-teaming must be prioritised and conducted across multiple levels so that appropriate safeguards can be put in place,” she said.
Red-teaming typically refers to a process where a system undergoes a series of rigorous tests to find gaps in safety.
“It also involves planning for suitable responses when things go very wrong, such as putting in place business continuity plans (BCPs), which many organisations have.”
Such plans should be updated and practised regularly, with stress tests carried out through tabletop exercises.
Singapore takes tabletop exercises seriously, Teo added.
She cited Exercise Cyber Star, a cyber-security exercise to prepare for attacks targeting key infrastructure that keeps the nation ticking, which was last conducted by the Cyber Security Agency of Singapore in September 2023.
The exercise involved 11 critical information infrastructure sectors, including public and private organisations from banking and finance, as well as the government.
In addition, agencies in charge of various sectors run their own tabletop exercises to focus on their respective domains, she said. The whole government also conducts yearly exercises, with nearly 100 government agencies having exercised their crisis management responses as a team in the past three years.
“These exercises are helpful in refining our emergency responses, thus building confidence in our people, processes and technology,” Teo said.
She added that the government ensures that its technology is “up to date and resilient against outages” during each exercise.
“We practise our incident responses and BCPs, so that we know what to do and who to contact during crises,” she said. “Our people demonstrate their dedication and hone their knowledge and capabilities to respond under stress.”
However, she pointed out that the existence of BCPs and tabletop exercises “will not eradicate crises”. “In fact, they exist precisely because we know that outages will happen. It is not a matter of if, but when,” she said.
“Hence, we need to do as much as we can even before incidents happen so that we can recover and prevail over the disruptions.” THE STRAITS TIMES