Singaporeans should look at the totality of the Government's response to the SingHealth cyber attack, rather than focus on the fact that the attacker's identity has not been made public, Minister-in-charge of Cyber Security S. Iswaran said yesterday.
He told Parliament that the Government knows the identity of the attacker and has taken the appropriate action. He would not comment further, citing national security reasons.
Integrated Health Information Systems (IHiS), the IT agency at the centre of the attack, and SingHealth, which owns the patient database that was breached, were fined a total of $1 million by the Personal Data Protection Commission yesterday. (See report on Page 2)
Five Members of Parliament had sought clarifications from Mr Iswaran yesterday, with Mr Cedric Foo (Pioneer SMC) asking about the reasoning behind the decision to not reveal the perpetrator's identity.
The chairman of the Communications and Information Government Parliamentary Committee said: "There seems to be a vacuum as far as the sense of justice (is concerned)."
Mr Vikram Nair (Sembawang GRC) said the attacker's identity was an elephant in the room and asked what actions could be taken against the perpetrators of such attacks.
The Committee of Inquiry (COI) appointed to look into the data breach last June found that the attacker was skilled and sophisticated, and had the characteristics typical of an advanced persistent threat group, usually state-linked.
Replying to the questions, Mr Iswaran said: "I can understand that members have a desire, and on behalf of constituents, to know this.
"But I think we have to exercise judgment - what is in our national interest and whether a public attribution serves our best interests."
He added that this is not because the Government lacks the legislative capacity to take action if the attacker is indeed within Singapore's jurisdiction.
He also revealed that the police investigation into the attack has been closed without any further action.
In terms of its response, Singapore can hold itself up to the best practices and standards, Mr Iswaran said.
He cited the appointment of the COI, the fact that the attack had been made public just days after it was brought to the attention of the Cyber Security Agency of Singapore (CSA), the punitive actions taken against the individuals and organisations involved, as well as the measures being taken to strengthen cyber security.
"We want to ensure that all Singaporeans understand that we've got nothing to hide here, we want to get to the bottom of it as much as Singaporeans do," Mr Iswaran added.
"If you look at the public COI report... the only part that's been held back are those that pertain to sensitive national security matters and also patient confidentiality.
"Everything else is out there, unvarnished, stark, but very clear on what we need to get done."
Mr Iswaran said the Government has accepted the COI's 16 recommendations and will fully adopt them.
Among measures that the public sector will implement to strengthen its defences are:
Automating cyber security tasks like patch management;
Tightening internal checks and enhancing security audits;
Training all public servants in cyber security and conducting more exercises;
Improving the architecture of government systems; and
Enlisting the expertise of the cyber security community, including ethical hackers.
The CSA will oversee implementation across all 11 Critical Information Infrastructure sectors, which includes the public sector, with the Smart Nation and Digital Government Group monitoring implementation for government systems.
Mr Iswaran said: "This was not the first instance where we were targeted, and it will not be the last. Our networks are continually probed for weaknesses and regularly attacked."
Condemning malicious cyber activity, he added: "Singapore is firmly committed to the establishment of a rules-based international order in cyberspace."