The SAF Bill: Digital & Intelligence Service – Speech by Gerald Giam

Mr Speaker,

In my speech today, I will be focusing on the amendments to the Singapore Armed Forces Act to establish a new Digital and Intelligence Service (DIS). MINDEF plans to establish a DIS, which will be a fourth armed service, alongside the Army, Navy and Air Force. This is timely, given the growing importance of cyber warfare and cyber defence.

Importance of cyber capabilities

Cyber warfare involves attacks on critical infrastructure systems of an adversary. These could include “soft kills” that damage key operating software or hardware without kinetic action, such as through hacking. The objective is to weaken the target country by compromising its core systems.

Cyber warfare takes many forms. Cyber attackers may conduct espionage using spear-phishing attacks to gain remote access to an adversary’s computer to extract sensitive information. They may hack critical infrastructure like the electrical power grid, which will disrupt communications and even cause deaths if, say, life-supporting medical equipment is shut down. Or they may crash modern economic facilities like banks and payment systems.

Propaganda attacks may be employed to control the hearts and minds of the people living in the targeted country, or make them lose faith in their own country and sympathise with the enemy.

These are not hypothetical scenarios. They have been employed by nation-states for many years. With the digitalisation of almost everything, the cyber threat is increasing by the day. Up until recently, a war was usually fought by sending in the air force to bomb the target nation’s critical infrastructure and defence installations, before any ground troops were sent in. In modern warfare, cyber-attacks are likely to be one of the first modes of attack, because they can be employed so easily without detection. The Gerasimov doctrine, which the Minister alluded to earlier in his speech.

All armed services are digital

The DIS aims to bolster the SAF’s capability to defend Singapore in the digital battlefield. With the establishment of the DIS, the other armed services must be careful not to develop a mindset that the DIS alone is responsible for all things digital in the SAF.

In the commercial world, there is now much less distinction between tech companies and non-tech companies. The Fourth Industrial Revolution has forced all companies to become technology companies in some shape or form. Those that do not digitalise will find themselves losing customers to more digital-savvy competitors, and may even go out of business.

Similarly, in the military realm, every armed service — the army, navy, air force and DIS — will need to use digital capabilities to keep ahead of our nation’s potential adversaries. Digitalisation, cyber defence and cyber security cannot be left to the DIS alone to handle.

Could the Minister share the broad parameters regarding which digital responsibilities fall under the purview of the DIS and which do not?

Inter-agency digital cooperation

The DIS will not be the first technology-focused agency to be set up within the Government.

How will the role of the DIS be different from that of the Cyber Security Agency (CSA) and the Home Team Science and Technology Agency (HTX) in countering cyber threats to Singapore?

How will these agencies, together with the Government Technology Agency (GovTech), work together so that knowledge and information is shared, where appropriate, and duplication of work is avoided?

I hope the DIS, CSA, HTX and GovTech plan to establish a common communication platform so as to not only share information occasionally but actively work together on a regular basis to counter the cyber threats that Singapore faces. I note that a Digital Ops-Tech Centre will be established as a centre of excellence for SAF’s digital expertise, partnering the Defence Tech Community, Whole-of-Government digital agencies, academia and the industry, to remain innovative in its approaches and culture. Could the Minister elaborate more on how this partnership will work in practice?

Legal safeguards and oversight

The DIS will likely have significant capabilities and powers to intrude in the private space of the functionaries of would-be adversaries.

What protections are in place to make sure that such capabilities are not turned on citizens or abused? It is necessary, in any developed democracy, to put in place legal safeguards and channels for recourse to prevent the abuse of power by current and future governments.

One form of oversight would be for MINDEF to provide confidential reports to a cross-party Parliamentary Select Committee for Defence, which can scrutinise those reports and ask questions in a confidential setting.

Digital manpower

I note that DIS will focus efforts to attract and develop both military and non-uniformed digital experts to grow the SAF’s digital workforce.

Will the need for a high level of security clearance mean that the DIS will hire only Singapore citizens?

Will the DIS be engaging technology contractors to supplement their own manpower? If so, how will it ensure that contractors and their employees, who may be reporting to foreign managers based in other countries, will not leak sensitive information?

Members will recall how Edward Snowden, who leaked highly classified information from the US National Security Agency (NSA), was not an NSA employee but a contractor with a consulting firm hired by the agency.

The need for security clearance will naturally limit the pool of manpower available to the DIS, in what is already a very competitive labour market for tech talent. This will make it a challenge to find sufficient local tech talent to join the DIS. In fact, the introduction of the DIS could further draw talent away from the private sector, as many Singaporean tech workers are likely to be attracted to the pay, benefits and job stability that the DIS has to offer.

In order to expand the pool of tech manpower, our polytechnics and local universities must urgently increase enrolment in IT and technology-related majors. This is a point I raised before in this House. More funding should be provided to our local institutions to achieve this. This will benefit the recruitment pipeline of both the DIS and the private sector.

I am glad to know that NSFs and NSmen with tech talents will be leveraged to support the SAF’s digital core. The Central Manpower Base should identify such talents early, even before enlistment, so that they can be drafted into the DIS during their Full-time National Service and later during their Operationally-ready NS cycles.

Zero-day vulnerabilities

Zero-day vulnerabilities are software or hardware bugs in systems that have yet to be discovered or patched by the developer or manufacturer. When governments or individuals discover these “zero-days”, they can create software code to exploit the vulnerabilities, known as “zero-day exploits”.

Zero-day exploits can potentially enable their owner to access sensitive information in other computer systems or take control of those systems remotely, often undetected. One of the most well-known zero-day exploits is Stuxnet, a cyber operation that sabotaged Iranian nuclear centrifuges.

I would assume — but will not ask the Minister to confirm — that the role of the DIS will include building capabilities to conduct offensive cyber operations.

In the course of this, the DIS may discover and stockpile zero-day vulnerabilities in operating systems that run critical infrastructure and the military networks of potential adversaries. It would be natural for the DIS to want to keep the knowledge of these exploits secret, so that our potential adversaries do not patch their systems and the DIS maintains its offensive capability.

However, there is an offence-defence tradeoff between stockpiling zero-day exploits and helping other local government agencies and private organisations patch these vulnerabilities so our own critical infrastructure does not get hacked by others.

In 2016, a group of hackers calling themselves the Shadow Brokers released a cache of top secret cyber spying capabilities that likely belonged to the NSA. Some of these included zero-day exploits, which could be used to exploit vulnerabilities in products, produced by companies like Cisco, Juniper and Fortinet, that protect US companies and critical infrastructure. The existence of these zero-days raised questions about whether the NSA should have told the vendors about these vulnerabilities, so that the vendors could patch them.

The US Government has a policy whereby any agency that wishes to keep a zero-day exploit has to argue their case through what is known as a Vulnerability Equities Process (or VEP). The VEP comprises an Equities Review Board chaired by the National Security Council and attended by senior officials from agencies concerned with the security of critical infrastructure, like the Department of Homeland Security and Department of Commerce. This Board reportedly meets quite regularly.

The Singapore Government should consider developing a VEP process of its own for determining whether to retain or disclose vulnerabilities to vendors, so that our own critical infrastructure is protected from hacking attempts.

Commercialising defence technology

The last point I wish to raise concerns the potential for commercialising defence technologies to benefit Singapore.

Many technologies that we use every day originated from military technology. The US Defense Advanced Research Projects Agency (or DARPA) invented TCP/IP, which is the plumbing that makes the Internet possible. The Global Positioning System (or GPS) was originally developed by the US Department of Defense, and is now used in almost all our mobile phones. Israel is widely recognised as a “start-up nation”. Many of Israel’s high-tech companies were founded by soldiers who completed their National Service in Unit 8200, the Intelligence Corps of the Israel Defense Forces.

In Singapore, we hardly hear of commercial technology or tech start-ups originating from the Defence Tech Community. I can understand why MINDEF would rather not share any defence technology discoveries publicly, because that may cause us to lose our edge over our adversaries.

With the establishment of the DIS, there is likely going to be billions of dollars from the public purse spent on developing digital capabilities within the SAF. There should be some scope for allowing some limited commercialisation of defence technologies that would benefit our nation, economy or society.

MINDEF should develop a framework for allowing some of these technologies to be commercialised without compromising national security. This framework should also have safeguards in place to ensure that the commercialised products are not abused by private organisations or foreign governments for nefarious purposes, as this could have a negative effect on Singapore’s international reputation.

The interaction between defence and commercial technologists could also spark ideas, innovations and discoveries within the DIS and the wider Defence Tech Community, and help the SAF improve its technological edge.

Summary

In summary, I support the establishment of a DIS within the SAF and hope the Minister will consider the points I raised.

First, the DIS must not operate in a silo. All armed services need to continually digitalise in order to maintain their edge in the battlefield. The DIS should work closely with other digital government agencies to jointly counter the cyber threats that Singapore faces.

Second, the significant technological capabilities of the DIS must be balanced with adequate checks and balances, legal safeguards and oversight to prevent the abuse of power and violations of citizens’ right to privacy, especially during peacetime.

Third, the establishment of the DIS will create a greater demand for local tech talent. Local higher education institutions must increase the intake of Singaporeans in IT-related majors to meet this demand.

Fourth, to safeguard Singapore’s critical infrastructure from being hacked, the Government should consider implementing a Vulnerability Equities Process to decide whether to retain or disclose to vendors any vulnerabilities that its agencies, including the DIS, discover.

And fifth, MINDEF should develop a framework for allowing some defence technologies to be commercialised to benefit our nation, but without compromising national security or allowing the technologies to be abused.

Mr Speaker, I support the Bill.