Singapore recognises that having a seat at the table to discuss on the dos and don’ts of state cyber activity, is critical for a small state.
When, in 2018, the United Nations Group of Government Experts (GGE) was undermined by disagreements between rival blocs, Singapore led ASEAN states to adopt the GGE’s voluntary norms of state behaviour in cyberspace. This took place during the Singapore International Cyber Week, which has itself become the key node for regional cyber discussions.
Singapore’s Ambassador to the United Nations, Burhan Gafoor, has garnered praise for his chairing of the UN’s Open-Ended Working Group on cybersecurity and information technology.
Singapore has also been a responsible stakeholder when it comes to cyber capacity building, establishing the ASEAN-Singapore Cybersecurity Centre of Excellence in 2019.
REALISTIC APPRAISAL OF THE ROAD AHEAD
In considering strategies Singapore can pursue, we should not be under any illusions about what can be done.
Some cyber practitioners have pushed for “attributing” cyberattacks, believing that calling out malicious conduct may prevent recurrences. For example, US lawmakers have blamed the Salt Typhoon attacks on US telecommunications infrastructure on Chinese groups.
While large states with well-resourced cyber offensive capabilities may take this view, Singapore’s position is somewhat different.
Observers would have noticed that there was no official attribution of the actor behind the cyberattacks against the Ministry of Foreign Affairs in 2014, nor on SingHealth in 2018. In the latter case, it was made known that a state-backed advanced persistent threat was most likely responsible, but this is as far as the authorities went.
