Wednesday, May 8, 2024

REACH 567 - What do you think about the Cybersecurity (Amendment) Bill? How can we safeguard Singapore's information infrastructure from cyber attacks?

(SK)

08 May 2024 (10am - 7pm)


REACH

8/5/24, 9:45 am - +REACH: *Dear contributors,* 

Welcome back! 😊

⏰ We will be opening the chat from *10am to 7pm* today. ⏰

*House Rules (short version of our Terms of Use) to keep in mind:* 

1. Be kind and respectful. We all want to be in a safe space to share our views. 

2. Any and all threatening, abusive, vulgar or racially, religiously and ethnically objectionable content is prohibited. 

3. Consider the quiet ones among us and give them a chance to comment. 

4. No need to repeat your comment or in different forms (including caps) - we heard you loud and clear the first time. 

5. Let's protect each other's privacy and keep contact details in this group what it should always be - confidential. 

*Full set of Terms of Use: https://go.gov.sg/reach-whatsapp-terms* 

We will strive to uphold these rules to ensure this is a safe space for all. 

Please be assured that the points made by participants during the chat are aggregated and shared with relevant agencies. 

The topic will be posted shortly. 

Thank you. 

Megan 😊

8/5/24, 10:00 am - +REACH: 📢 *Topic* 📢 

Lawmakers on May 7 passed the Cybersecurity (Amendment) Bill that seeks to expand the oversight of Singapore’s cyber-security watchdog over any computer system that is critical to the nation and at high risk of cyber attacks.

Senior Minister of State for Communications and Information Janil Puthucheary said that the Act had to be updated to keep up with evolving tech and business models, which often rely on outsourced digital services that can also span across borders.

💬 *What do you think about the Cybersecurity (Amendment) Bill? How can we safeguard Singapore's information infrastructure from cyber attacks?*

The expanded oversight of the Cyber Security Agency of Singapore (CSA) comes as threats can often be obscured with increased digitalisation.

📌 _*CII owners must report cybersecurity outages and attacks*_

Under the amended Cybersecurity Act, Critical Information Infrastructure (CII) operators in Singapore will need to declare any cyber-security outage and attack faced on their premises or along their supply chain, as long as it affects their services. The proposed law will also add new categories of entities whose digital defences will be audited by the authorities, including autonomous universities, which may hold sensitive data or perform significant functions.

Bad actors are increasingly finding ways to target supply chains or adjacent systems. This is seen overseas, said SMS Janil. “More of us are now online for longer and online for more varied purposes,” he added. “This means that we are exposed to more cyber risks, as every digital technology we use, every transaction we make, every connection made between computers, is a possible route for attack.”

📌 _*Similar approaches adopted by other countries*_

Other nations are adopting a similar approach, said SMS Janil, referring to the European Union, Malaysia, the United Kingdom and the US, which have introduced cyber-security laws to address these concerns. “Our interest is in the computer or computer system that is necessary for the continuous delivery of the essential service, whether it is physical or virtual.”

The definition of “computers” will include virtual systems that are rising in usage. 

📌 _*CII operators cannot outsource responsibilities to third party vendors*_

On the matter of third-party vendors, SMS Janil said that providers of essential services here must still be responsible for the cyber security of computer systems that they rely on. “They cannot outsource this responsibility, even if they rely on a third party’s computer system,” he said.

SMS Janil further clarified that CSA does not seek to regulate third-party vendors, but the providers of essential services must ensure that the systems they rely on meet the cyber-security standards mandated by Singapore. 

CII operators in the essential services sectors remain answerable to CSA for any lapses. CSA will also create two new classes of regulated entities – entities of special cyber-security interest and foundational digital infrastructure, which will be subjected to “light touch” regulations as they are not critical information infrastructure.

👉 https://str.sg/rgFb

👉  https://www.channelnewsasia.com/cybersecurity-critical-services-csa-mci-parliament-4318321?cid=internal_sharetool_androidphone_07052024_cna

8/5/24, 10:00 am - ~ REACH Singapore changed this group's settings to allow all members to send messages to this group

8/5/24, 10:02 am - ~ REACH Singapore changed the group description

-----


8/5/24, 10:05 am - +Rama: Added costs for businesses to have IT qualified personnel!

8/5/24, 10:08 am - +Frankie Wee: CII from cloud data where its attack cybersecurity

8/5/24, 10:09 am - +Frankie Wee: Physical use of computer is unknown or unlicensed doing all sort of business.

8/5/24, 10:12 am - +Nic Freehold: What about those hosted on AWS and other cloud

8/5/24, 10:22 am - +Frankie Wee: Ai may not be 100% automatically because the future is uncertain anytime terror threat the system under attack. Ensure need human work Ai with lawful alway have to create new security when appear happen to happen.

8/5/24, 10:25 am - +Frankie Wee: https://www.straitstimes.com/tech/amazon-invests-12b-in-s-pore-operations-cloud-infrastructure-launches-ai-training-initiative?utm_campaign=stfb&utm_medium=social&utm_source=facebook&fbclid=IwZXh0bgNhZW0CMTEAAR2ZmG6xvF8tYVWNoYlGRkEbbuS-PcxjRiyDajOBP7_GUxsiC11Vph7XrXM_aem_AUKbK13PY7bCJV4Aw88SfZooFJTKreqiUJs5KSdmAXJacfuqV8QmxR-lNryaj95rjBik81UdVB_83ZD0Yn7XRLUX

8/5/24, 10:26 am - +Frankie Wee: Hopefully it’s help to have a job under training 😊

8/5/24, 11:35 am - +REACH: *Dear Contributors*

We want to *HEAR MORE* from you! 

💬 *What do you think about the Cybersecurity (Amendment) Bill? How can we safeguard Singapore's information infrastructure from cyber attacks?*

We have had good feedback from this group, and we hope that we can keep the discussion robust and active!

Megan 😊

8/5/24, 11:49 am - +SL: Good Framework to make sure Security on Cloud and 3rd and 4th party service providers are safeguarded and cybersecurity risk was properly managed

8/5/24, 11:51 am - +SL: This message was deleted

8/5/24, 11:52 am - +SL: The cost and consequences of data loss may be bigger than the cost of preventing it from being stolen by cybercriminals, insider threat activities, hacker activities

8/5/24, 11:56 am - +SL: Investigation cost, legal cost, security process enhancement cost, govt fines, loss of reputation, PR cost, advertisement cost to gain trust from consumers > cost to make sure the cybersecurity for a system is appropriately set up. If AI and machine learning are better use to control some compliance control, why use humans for cybersecurity?

8/5/24, 12:42 pm - +SL: Trained AI is a good tools to monitor the network and blocked unauthorised transmission with more accurate. Eg ibm security qradar for hybrid cloud.


8/5/24, 12:53 pm - ☸️  Danny 心: 

1. AI and Machine Learning do correlation on logs and traffic pattern across security and network devices across the entire network and IT system infrastructure to infer and determine if cybersecurity incidents have occurred.

2. It will be able to respond immediately to contain the attack and provide alerts.

3. But it cannot replace the roles of cybersecurity professionals.

4. For example making sure security policy and response align to organisation goals.

5. Identify where the threat is coming from and come out with solutions and policies to plug security loopholes, train AI and Machine Learning to prevent future further breaches, and if involve State Hackers perform the appropriate escalation procedures, make strategic decisions to determine appropriate response to safeguard our national security.

6. Threat hunting must be conducted in a professional and observing protocols without resulting in a diplomatic blowout.

7. And AI and Machine Learning security deployment is as good as how human deploy it - which humans are needed to further train AI and Machine Learning with appropriate dataset to ensure accuracy, context, biasness and accountability.

8. Finally, how top management response to any cybersecurity breaches will need advice from cybersecurity professionals input on continuous security monitoring, improving AI accuracy and effectiveness in closing loopholes (note, AI can also hallucinate and provide wrong response), and further strengthen security policies.

9. Top security management eg. Whether to pay ransom to ransomware, brief CSA, comply with security protocols, response to media report, make strategic decisions to mitigate business loss etc. - are all human decisions and cannot be left to AI.


8/5/24, 1:03 pm - ☸️  Danny 心: 

1. In short, organisation cannot leave everything to AI and Machine Learning for cybersecurity protection.

2. Cybersecurity professionals play a vital role in an organisation to leverage on AI to speed up their responses to security attack. Without AI, their responses will be slower.

3. But cybersecurity professionals threat analysis based on inputs from AI cannot be replaced by AI as there is a possibility of false positive or false negative - human brain are required to analyse and ensure accuracy.

4. Human intelligence are further require to prevent future threat - in which AI had yet to learn.


8/5/24, 1:10 pm - +D LwT: IRAS to claw back S$60 million from private property buyers who used '99-to-1' scheme to reduce ABSD https://www.channelnewsasia.com/singapore/99-1-property-tax-avoidance-absd-audit-iras-agents-lawyers-4319086

8/5/24, 1:10 pm - +SL: AI to control the change management and firewall rules management..


8/5/24, 1:10 pm - ☸️  Danny 心: 

Yes.

Machine stuff, AI can do better.


8/5/24, 1:11 pm - +Frankie Wee: Ai need more compliance command data cyber security. There is one key core system to all cyber operations.

8/5/24, 1:11 pm - +SL: Agree that Cybersecurity professional is required, it can do more with less manpower resources as professional required during design, implementation and monitoring for some tasks.

8/5/24, 1:13 pm - +SL: Machine human partners is important in industry revolution 5.0.. Machine (AI) will free humans from reputation non-value-added jobs to highly critical jobs


8/5/24, 1:13 pm - ☸️  Danny 心: 

It need cybersecurity human brainpower that AI cannot replace. <This message was edited>


8/5/24, 1:14 pm - +SL: AI helps humans regardless of age; seniors partners with AI = productivity uplifts?

8/5/24, 1:14 pm - +SL: Yes

8/5/24, 1:17 pm - +D LwT: Patients will be charged for upgrading from lower-class wards: Ong Ye Kung https://www.straitstimes.com/singapore/politics/patients-will-be-charged-for-upgrading-from-lower-class-wards-ong-ye-kung

8/5/24, 1:17 pm - +SL: Once the data security and data privacy concern is resolved, AI is a partner. The cybersecurity act's amendment does anticipate future changes in tech advances. Start with CII.


8/5/24, 1:20 pm - ☸️  Danny 心: 

But firewall security personnel also need to scrutinize what firewall rule AI has changed to ensure it won't compromise the entire security system.

Eg. Tightening a firewall rule help to protect certain loopholes - but access could be needed by another system.

Then firewall rules could be tighten by the firewall.

Human intervention could be needed to insert an ACL (access control list) in the network switch to allow rules for the system to access.

Hence human inputs are required. Cannot solely leave to AI. <This message was edited>


8/5/24, 1:25 pm - +SL: Current Scenario:

- human change, human scrutinised 

Future scenario: 

1) human change, AI scrutinized 

2) AI change, human scrutinized 

3) AI 1 change, AI 2 scrutinized


8/5/24, 1:25 pm - ☸️  Danny 心: 

Yes.

Mutual verification.


8/5/24, 1:26 pm - ☸️  Danny 心: 

Hence AI cannot replace human.

Human cannot remove AI.


8/5/24, 1:27 pm - +SL: Partnership, team work for AI and human


8/5/24, 1:29 pm - ☸️  Danny 心: 

Also human is always the 1st mover and the last decision maker.

Eg. Which security devices and network devices to be monitored and used by AI, human decides.

All actions taken by AI, human review.

Human can override some AI decisions and roll back some measures.

Humans can approve AI decisions.


8/5/24, 1:29 pm - +SL: Scenario 1, humans doing business as usual activities, AI on secured cloud monitors the change, ensure only approved change allow to take effect in the system. No other unauthorized change or any unauthorized activity happens outside of the approved windows of change


8/5/24, 1:30 pm - ☸️  Danny 心: 

Later I will relate a scary scenario if the above is not in place.


8/5/24, 1:42 pm - +Rama: Trying to hustle the government!


8/5/24, 1:51 pm - ☸️  Danny 心: 

The following scenarios are not exactly human-AI cybersecurity.

Nevertheless it is human-AI security that lead to dire consequences.

1. AI are leave to make final targeting decisions and not humans:-

a. AI derive possible enemies location - AI direct missiles from drones fire at a group of children playing soccer.

If human make the last decision, AI decisions can be stopped.

b. Friendly fire on own soldiers.

c. Missiles fire at villages not military base.

d. AI direct air defense on 40% of drones that belongs to own forces.

Human if make final decision will override such costly mistake. <This message was edited>


8/5/24, 2:00 pm - +REACH: 📢 *Topic* 📢 


8/5/24, 2:01 pm - ☸️  Danny 心: 

1. Hence why human will always play an important role even with proliferation of AI - because AI will never be at a human that possess the human consciousness - specifically the 5 mental aggregates of 5 senses, consciousness, feelings, perception and mental judgement that AI or robots are not possible to acquire being a machine.

2. Physics, math and science can give very precise, accurate and fast response.

3. But cannot master over mental aggregates. <This message was edited>


8/5/24, 2:12 pm - +~l or Smiley face: 8 May, 2024

"The Law and Order and The Coming Cyber Revolution of The World"

"Law and regulation are reactions to all crimes. Countermeasures are instantaneous reactions to a cyber crime or any cyber attack. Actuarial science, itself is to protect against all calculated risks of actions and reactions and loss of money."

-- anonymity


8/5/24, 2:37 pm - ☸️  Danny 心: 

1. Give example why human need to be the 1st mover before AI is effective.

2. Human will determine which security devices need to be monitored and feed to AI for threat analysis.

3. Firewall, IPS, server security log, access log etc.

4. So AI will correlate all these security logs for threat monitoring, analysis and remediation.

5. But AI is as good as what human feed it.

6. What happens if threat attack internet routers, jump host to internal routers, network switches, go straight to database servers in which AI SIEM did not plant agent or agentless to monitor?

7. APT security penetration will be missed.

8. Humans monitoring of network devices and database will be required to pick up anomalies to correlate what AI pick up in security devices.

9. Alternatively, network devices, database servers syslog, access logs will need to be monitored by AI - and then network professionals, database professionals and systems professionals will need to come in to make assessment.

10. Hence humans are always needed as 1st mover, continuous review and fine tuning of AI, and final decision makers.

11. And AI cannot replace humans.

12. Humans need AI to improve their productivity. <This message was edited>


8/5/24, 2:43 pm - +Frankie Wee: Singapore shop likely to sell used computer or laptop at risk those are outdated machines will it affected the cyber attack unknown.


8/5/24, 3:24 pm - ☸️  Danny 心: 

1. For the 1st time, all the 11 CIIs (Critical Information Infrastructure) have been identified, namely :-

The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.


2. Other than these 11 CIIs, I agree with the Minister that some organisations work or business - have national security, economic security or social security implications - and need to be protected from cybersecurity breaches such as one of the identified ones are Universities research.

E.g. quantum encryption research.

Biometric anti-spoofing security research.

Thermonuclear - nuclear fusion research etc...


3. Thinking aloud, even some innocuous personal details - can also be of national security consideration.

Eg. read some article, WW2 an imperial power during peace time, business exchange systematically collect personal information such as names, address, telephone number.

Likewise, a recent modern power also have been collecting personal details about the population it rules through official source, social media, surveillance etc.

When war break out, all these personal details are feed into AI system - the name, address, location, place of visit etc into the targeting system - and person of interest are taken out by AI driven drones, fighter planes, GPS guided artillery, tank shell AI guided system.


4. So thinking aloud, I don't know how far the cybersecurity act should encompass business to be designated as Entities of Special Cybersecurity Interest (ESCIs). or Systems of Temporary Cybersecurity Concern (STCC) - for even innocuous personal details - will have national security implication.


8/5/24, 3:34 pm - +~l or Smiley face: Cyber Diplomacy and Alliances for Global Sustainability and Security.


8/5/24, 3:39 pm - ☸️  Danny 心: 

Obviously all these strategic decisions cannot be made by AI.

It has to be decided by human's brains.


8/5/24, 3:40 pm - +Andy: Pardon me for my ignorance on this topic. My question is how does it impact the Singapore population?

1. Sounds like in future or now everyone (be it young or elderly) has to somehow know about cyber security and how it works.

2. Will business costs increase and pass it to consumers eventually?

3. With the latest mid career skill future credit of 4k, can anyone including me without any knowledge about AI and cyber security take the opportunity to learn more about it.

4. Since the future is AI, shouldn't it be a compulsory topic for our secondary schools and beyond?


8/5/24, 3:49 pm - ☸️  Danny 心: 

Cybersecurity and AI will permeate every facets of human work life and social life.

I think picking up some lifelong courses on cyber security and AI are helpful.

But cybersecurity and AI are very specialised and requires learning through IHL.

Even computer science students not specialised in cybersecurity or AI - will not have a full grasp on the topics - and they keep evolving and need to keep up.

AI in particular requires very strong grounding in mathematics.


8/5/24, 3:53 pm - ☸️  Danny 心: 

Eg. Autonomous driverless cars will need strong cybersecurity and AI infuse in the system that uses 5G as communication medium.

Likewise, ERP 2.0 that uses GNSS satellite GPS - also need strong cybersecurity protection.

Else hackers can hack 5G network and cloud for driverless cars.

Hackers can jam GPS system.

Then anti-GPS jammers need to come in.


8/5/24, 3:54 pm - ☸️  Danny 心: 

And of course, business cost will go up - because cybersecurity is not cheap.


8/5/24, 3:59 pm - ☸️  Danny 心: 

Having say so, some whizkid who don't attend universities can pick up hacking skills - to hack systems.

But shouldn't do this because he/she will eventually be caught - as digital traces will be left behind - and digital forensics can trace the hackers.

Hackers hacking internally has no way to escape detection - no matter how skilful that person is - because no way to wipe out all digital traces. <This message was edited>


8/5/24, 4:00 pm - +REACH: 📢 *Topic* 📢 


8/5/24, 4:03 pm - ☸️  Danny 心: 

Even APT state hackers trace and signatures can be track - even though they are extremely skilful to hide their traces. <This message was edited>


8/5/24, 5:14 pm - +REACH: *Dear Contributors*

We want to *HEAR MORE* from you! 

💬 *What do you think about the Cybersecurity (Amendment) Bill? How can we safeguard Singapore's information infrastructure from cyber attacks?*

We have had good feedback from this group, and we hope that we can keep the discussion robust and active!

Megan 😊


8/5/24, 5:50 pm - ☸️  Danny 心: 

Also read a yahoo smart alec reporter that say why install the ERP 2.0 display unit, use his smartphone.

Smartphone do come with GPU chip that access US satellite GPS.

But ERP 2.0 uses GNSS satellite - a constellation of US, China BeiDou, EU Galileo etc satellite - that give more accurate computation as the satellite coverage are more compact and can effectively track the car in fast motion.

Smartphone GPS only use US GPS satellite with lesser coverage and further apart - hence less accurate and may miss the car in motion if the car go out of the satellite coverage.

So don't be too smart alec and try to beat the system.

I will prefer to have all the 3 pieces install in the car rather than try to be smart - because the 3 pieces are always on, always tracking the car motion.

Those who use smartphone may end up paying more summons and inaccurate charging.


8/5/24, 5:52 pm - +WenHao: My opinion about this is that the problem isn't because of a person skill but rather more on the money issue a company is viewing from. With AI the company can have better cost saving/budget and better efficiency than a human, where a human are more likely to induce human errors.


8/5/24, 5:54 pm - ☸️  Danny 心: 

And if totally rely on AI with no human input, the company management may make wrong business decisions and suffer bigger loss.


8/5/24, 5:56 pm - ☸️  Danny 心: 

Eg. A lawyer depend on generative AI to churn out his defences.

When presented in court, the judge discover that all the AI generated precedent cases are falsified by the AI.

The lawyer was strike off the roll, lose his case and close shops - his law firm.


8/5/24, 5:57 pm - +WenHao: I think this will be good, because this will make it a mandatory by law to declare breaches where some company might “hide” the attacks in order not to take responsibility for the public or it's customers.


8/5/24, 5:58 pm - ☸️  Danny 心: https://www.forbes.com/sites/mollybohannon/2023/06/08/lawyer-used-chatgpt-in-court-and-cited-fake-cases-a-judge-is-considering-sanctions/?sh=1423c8857c7f


8/5/24, 5:58 pm - +WenHao: Lol I did not say totally use AI, I am just stating the fact that these company chooses AI because it's more financially benefiting. Therefore in my opinion it isn't a person with skill problem. <This message was edited>

8/5/24, 6:00 pm - +REACH: 📢 *Topic* 📢 


8/5/24, 6:15 pm - ☸️  Danny 心: 

In addition, smartphone:-

1. Affected by its model and specifications. Some work some don't due to os problem, memory, chips, etc.

2. So if smartphone got problem, no one to fall back on to troubleshoot - end up paying summon when ERP charges cannot go through.

3. Also people make calls, send messages, surf net, see videos, do transactions - all affecting ERP 2.0 operations - and chances of smartphone not working well is very high.

4. Smartphone also need battery and what happen if batteries weak?

5. The 3 pieces obu draw power from the car, always on and dedicated purpose for ERP 2.0.

6. Who are brave enough to try their own experimentation - and then run into problem - who to blame except ourselves.

7. Hence reporter need to hear more - before suggesting something to public that will trigger more problem down the road.

8. The reporter will simply say - oh got problem ah, government help.

I don't know.


8/5/24, 6:20 pm - ☸️  Danny 心: 

"LTA's 'new' ERP 2.0 is a bad idea, and the sooner that is acknowledged and accepted, the better.

It's not too late to backtrack with ERP 2.0, but everyone needs to acknowledge that the current 'new' system doesn't work, says contributing editor Aloysius Low."

https://sg.news.yahoo.com/ltas-new-erp-20-is-a-bad-idea-and-the-sooner-that-is-acknowledged-and-accepted-the-better-085008638.html#:~:text=LTA%27s%20%27new%27%20ERP,editor%20Aloysius%20Low.


8/5/24, 6:21 pm - ☸️  Danny 心: <Media omitted>


8/5/24, 6:25 pm - +Rama: Weren't motorists consulted prior!?


8/5/24, 6:31 pm - ☸️  Danny 心: 

Motorists should be consulted for aesthetics reason and ease of use.

The current consultation is a good one except before implementation, user views should be consulted earlier - less rework. <This message was edited>


8/5/24, 6:38 pm - ☸️  Danny 心: <Media omitted>


8/5/24, 6:39 pm - ☸️  Danny 心: 

Reporter using insulting words "stupid system".

Now the question is, is the reporter more stupid or the system more stupid?


8/5/24, 6:40 pm - +Nic Freehold: How many people use auto top up cards? W the larger display, I don’t understand why we can’t hide the cards

8/5/24, 6:41 pm - +Nic Freehold: It’s shocking no one voice the location of the cashcard could be problematic

8/5/24, 6:41 pm - +Nic Freehold: emperors new clothes

8/5/24, 6:45 pm - +Rama: I believe the system is!


8/5/24, 6:45 pm - ☸️  Danny 心: 

So is his recommendation of smartphone a better solution?


8/5/24, 6:46 pm - +REACH: *Dear Contributors,*

⏰ We will be closing the chat in *15 minutes* ⏰

Thank you very much for being part of our WhatsApp chat and participating actively.

Goodnight!

Megan 😊 <This message was edited>

8/5/24, 6:48 pm - +Rama: 🤷‍♂️


8/5/24, 6:50 pm - ☸️  Danny 心: 

Obviously not.

Parliament Chee Hong Tat just say smartphone method has been thoroughly studied and find that it will pose a lot of technical problem.

The one piece OBU also don't work well in a car.


8/5/24, 6:51 pm - ☸️  Danny 心: 

The Minister say that those who are currently using the installed 3 piece OBU has good feedback - because they get a lot of timely information on the road.


8/5/24, 6:52 pm - ☸️  Danny 心: 

Imagine using smartphone - and drivers need to constantly peep into the small screen - the car will get into accident.


8/5/24, 6:57 pm - +m6dm6n: Again I wonder the accuracy of their studies. Ezlink studies, bus studies, hmmm... I wonder

8/5/24, 6:59 pm - +BP: People didn't understand why the same one piece for a motorcycle doesn't work for vehicles with more than two wheels. They desire to have one piece instead of three.

8/5/24, 7:00 pm - +REACH: *Dear Contributors,*

We will be closing the chat for today.

Thank you very much for being part of our WhatsApp chat and participating actively.

Goodnight!

Megan 😊

8/5/24, 7:00 pm - ~ REACH Singapore changed this group's settings to allow only admins to send messages to this group


===
