Task force set up to bolster S’pore’s tech resilience following CrowdStrike outage: Josephine Teo

A task force has been set up to look into new ways to enhance Singapore’s tech resilience in the wake of July’s global tech outage caused by cyber-security firm CrowdStrike.

Set up by the Ministry of Digital Development and Information (MDDI), the task force will engage relevant partners to gain insights into the incident, which disrupted banks, hospitals and emergency lines around the world.

The task force will also assess if further measures should be taken to improve Singapore’s resilience when such disruptions occur, Digital Development and Information Minister Josephine Teo told Parliament on Aug 7.

“IT systems may experience outages and disruptions from time to time. In this particular instance, it is not yet fully understood what caused a relatively routine software update to (create) such major disruptions around the world,” said Mrs Teo.

She was responding to questions from seven MPs about Singapore’s response to the incident.

Mr Alex Yam (Marsiling-Yew Tee GRC) asked what MDDI’s contingency plans were for such global tech outages that could impact Singapore’s socio-economic security. Mr Gerald Giam (Aljunied GRC) asked whether the Cyber Security Agency of Singapore had updated its threat and risk assessment protocols to cover similar supply chain risks.

On July 19, a faulty software update issued by CrowdStrike crashed about 8.5 million Windows devices worldwide, including in Singapore.

Mrs Teo noted that government services here, as well as most essential services, were unaffected by the outage.

The outage largely affected the staff of businesses here that use CrowdStrike’s Falcon Endpoint Detection and Response solution. Gantry operations at some HDB carparks and passenger check-in for some airlines at Changi Airport were also hit.

In a written reply to a parliamentary question on Aug 6, Transport Minister Chee Hong Tat said that 108 departing flights were delayed by more than half an hour on July 19. Additionally, one departing flight and its turnaround arriving flight were cancelled.

He added that business continuity plans – such as the use of manual check-in processes – put into effect by Changi Airport Group (CAG), affected airlines and ground handlers allowed the airport and airlines to continue operations, albeit less efficiently.

“CAG is working with affected airlines and ground handlers to review their business continuity plans, taking into account the learning points from this incident, including how back-up measures can be implemented more efficiently,” said Mr Chee.

Speaking in Parliament on Aug 7 about the outage, Mrs Teo said that as not all such disruptions can be prevented, system owners should have plans in place to help them quickly recover.

She encouraged businesses to conduct their own risk assessments and introduce appropriate business continuity plans to mitigate the risks of such disruptions, noting that the Singapore Cyber Emergency Response Team had recently published an advisory on building digital resilience.

In a supplementary question, Mr Yam asked if it could be made compulsory for certain businesses, such as those related to critical infrastructure, to introduce contingencies for such incidents.

Replying, Mrs Teo said that while such measures may be mandated in certain instances, in the majority of such cases, system owners should take responsibility to build up their own system’s resilience.

Ms Cheryl Chan (East Coast GRC) asked what was being done to ensure greater coordination with third-party vendors, to ensure that changes made on their end do not affect systems here.

Mrs Teo said government agencies are already required to make a number of efforts, such as putting in place quality assurance measures to ensure software updates will not introduce errors to critical systems.

“In addition, agencies with critical systems are required to review the change management processes of their software providers through regular independent audits. This ensures that software changes can be rolled out smoothly and securely,” she said.

For certain services, however, such matters may be beyond the control of users, and in such cases, the onus is on suppliers to ensure that software remains secure and available for use, she added.

Noting that July’s outage was not due to a cyber attack but rather a bug in a software update, Mr Giam asked if current legislature addressed the risks of such supply chain failures. He also asked if the authorities would consider mandating that operators of critical information infrastructure diversify their vendors, such that a single software error would not bring down the entire system.

Mrs Teo pointed out that the Cybersecurity Code of Practice requires critical information infrastructure operators to have a variety of vendors with different systems architectures to prevent a single attack from immobilising key components of their systems.

She noted that the proposed Digital Infrastructure Act, announced earlier in 2024, would also seek to improve resilience “over and above what needs to be done”. The proposed Act aims to introduce higher security and resilience standards for cloud services and data centre operators to avoid disruptions to Singapore’s economy and society. These operators power services ranging from online banking and payments to e-government services here.

“We are in the process of consulting with the various stakeholders, and I think, in due course, we will be able to say more about that,” she said.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

Eateries and charities can soon donate unsold food without worry if safety rules are met Lawyer struck off rolls for not declaring plagiarism committed as undergrad