Josephine Teo
The IT systems in Singapore organisations affected by the global outage are almost fully recovered.
Yet the incident has left many of us feeling vulnerable and questioning our heavy reliance on technology for everyday activities. These feelings are completely understandable and valid.
We should be concerned. The real question is what we can do about these concerns.
It’s highly unlikely that we can withdraw or even reduce our interactions with the digital world. Digitalisation is one of those mega trends worldwide we must learn to gain mastery over. Many people get that.
But we also dread being swept along by the inevitable and sometimes feel like we cannot avoid becoming victims.
Is there nothing we can do? Or are there, in fact, some concrete actions we can take to prepare and protect ourselves for such events?
How?
Preparation for an incident like that of the last few days often begins during “peacetime,” when nothing is going wrong, and when we might be lulled into a sense of mistaken comfort.
It is precisely when things are going reasonably well that we must take action to fortify our defences.
It starts with robust testing and putting in the right safeguards so that incidents are prevented in the first place. Testing and red-teaming must be prioritised and conducted across multiple levels so that appropriate safeguards can be put in place.
It also involves planning for suitable responses when things go very wrong, such as putting in place Business Continuity Plans (BCPs), which many organisations have.
It is vital that we update our Business Continuity Plans and practise them regularly, stress-testing ourselves through Tabletop Exercises (TTXs).
In Singapore, we take TTXs seriously. For instance, Exercise Cyber Star conducted by CSA last September involved 11 CII Sectors, including public and private organisations from Banking and Finance, Government (including Power and Water). In addition, the agencies in charge of various sectors run their own TTX to focus on their respective domains.
For the whole of government, yearly exercises are conducted. In the past 3 years, close to 100 Government agencies have exercised their crisis management responses as a team.
These exercises are helpful in refining our emergency responses, thus building confidence in our People, Processes, and Technology.
During each exercise, we ensure our technology is up-to-date and resilient against outages. We practise our incident responses and Business Continuity Plans, so that we know what to do and who to contact during crises. Our people demonstrate their dedication and hone their knowledge and capabilities to respond under stress.
The existence of BCPs and TTXs will not eradicate crises. In fact, they exist precisely because we know that outages will happen. It is not a matter of if, but when. Hence, we need to do as much as we can even before incidents happen so that we can recover and prevail over the disruptions.
Let's continue to learn as much as possible from the incident to strengthen our digital resilience. Only by doing so, can we emerge stronger together.
Gabrielle Andres
Correspondent
SINGAPORE – Preparations for crises like the recent global tech outage often start in peacetime, when things are going reasonably well, said Minister for Digital Development and Information Josephine Teo.
At such times, safeguards are put in place to prevent incidents from occurring, and plans are drawn up to respond when “things go very wrong”, she wrote in a Facebook post on July 21.
“It is precisely when things are going reasonably well that we must take action to fortify our defences,” Mrs Teo said, adding that the Government regularly stress-tests its systems through tabletop exercises.
The July 19 tech outage was related to a software update by cyber-security firm CrowdStrike. It affected nearly 8.5 million Microsoft devices, or less than 1 per cent of all Windows machines, according to a Microsoft blog post on July 20.
Companies worldwide, including airlines, banks and media outlets, reported disruptions to their services and operations. In Singapore, services at Changi Airport and Singapore Post were among those affected.
Government services in the Republic, as well as local banks, telcos and hospitals, were not affected by the outage, said the Ministry of Digital Development and Information on July 19.
Mrs Teo wrote in her post that IT systems in Singapore organisations affected by the outage are “almost fully recovered”.
“Yet the incident has left many of us feeling vulnerable and questioning our heavy reliance on technology for everyday activities,” she noted. “We should be concerned. The real question is what we can do about these concerns.”
Mrs Teo said fortifying Singapore’s defences starts with robust testing and putting in place safeguards to prevent such incidents from occurring.
“Testing and red-teaming must be prioritised and conducted across multiple levels so that appropriate safeguards can be put in place,” she said.
Red-teaming typically refers to a process where a system undergoes a series of rigorous tests to find gaps in safety.
“It also involves planning for suitable responses when things go very wrong, such as putting in place business continuity plans (BCPs), which many organisations have.”
Such plans should be updated and practised regularly, with stress tests carried out through tabletop exercises.
Singapore takes tabletop exercises seriously, Mrs Teo added.
The whole government also conducts yearly exercises, with nearly 100 government agencies having exercised their crisis management responses as a team in the past three years.
“These exercises are helpful in refining our emergency responses, thus building confidence in our people, processes and technology,” Mrs Teo said.
She added that the Government ensures that its technology is “up to date and resilient against outages” during each exercise.
“We practise our incident responses and BCPs, so that we know what to do and who to contact during crises,” she said. “Our people demonstrate their dedication and hone their knowledge and capabilities to respond under stress.”
However, she pointed out that the existence of BCPs and tabletop exercises “will not eradicate crises”. “In fact, they exist precisely because we know that outages will happen. It is not a matter of if, but when,” she said.
“Hence, we need to do as much as we can even before incidents happen so that we can recover and prevail over the disruptions.”
https://www.straitstimes.com/singap...ech-outages-starts-in-peacetime-josephine-teo
