Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam

Ministry of Digital Development and Information
Speeches

Opening Address by SMS Tan Kiat How at STACK x Cybersecurity Conference 2026

17 April 2026

  1. Good morning. I am pleased to join you at the STACKx Cybersecurity conference today.

  1. This year, we are also marking the 10th anniversary of GovTech. GovTech has fundamentally shifted how citizens interact with the government.

    1. Today, 99% of citizens' transactions with the government are completed digitally, enabling more efficient and convenient services that benefit citizens and the public sector alike.

      1. Singpass has evolved into our national digital identity for safer and faster access to everyday services, supporting over 41 million transactions monthly, and effectively eliminating physical forms for most residents.

      2. LifeSG is another example, serving as a one-stop app consolidating over 130 government services, helping families and individuals interact with government services with greater ease.

  2. Well done to the entire GovTech team, and a big thank you to partners that have worked closely with them over the past 10 years! We look forward to many more milestones.

  3. As we celebrate our achievements, we recognise that the attack surface of our digital system has increased significantly, even as we need to navigate an increasingly complex cyber landscape.

    1. Firstly, we face many more adversaries, from cybercriminals to mercenary groups to state-backed actors.

      1. For example, recently, we have had to deal with an advanced persistent threat (APT), UNC3886 which targeted Singapore’s telecommunications infrastructure with sophisticated techniques.

    2. Secondly, AI is advancing rapidly. AI and cybersecurity are deeply intertwined. AI is a significant opportunity for cyber defenders but can also be misused for increasingly fast and sophisticated cyberattacks at scale.

      1. Anthropic’s recent report on Claude Mythos has created a stir within the cyber community. It is reportedly capable of autonomously identifying zero-day vulnerabilities and chaining these into working exploits. There is consensus among experts that these developments represent a step jump in the threat landscape. In the wrong hands, it will enable even the less skilled threat actors to conduct sophisticated attacks at scale and speed. You can imagine the harm that can be done in the hands of skilled operatives who are augmented by AI.

      2. Claude Mythos does not yet create fundamentally new classes of attacks. However, it is recognised that such AI tools reduce the time and resources required to conduct cyber-attacks. Organisations need to take proactive steps to strengthen their overall cyber defence posture against the risk of attacks from frontier AI models.

      3. Organisations will need a fundamental rethink on how they secure their digital systems. For example, the time that organisations have to patch vulnerabilities may shrink from days to minutes.

      4. In the past, organisations that have legacy systems with obscure source codes and Operational Technology systems could take comfort that specialised skillsets were required to compromise these systems. AI can now accelerate the identification and exploitation of vulnerabilities.

      5. Pandora’s box has been opened.

      6. As such, the Cyber Security Agency of Singapore (CSA) and GovTech have issued an alert to our Critical Information Infrastructure (CII) owners and government agencies. CSA has also published an advisory on frontier AI risks. This outlines immediate mitigation measures such as patching high-critical vulnerabilities, as well as other defence strategies like leveraging AI to proactively identify and address vulnerabilities.

  4. We have to take these threats seriously.

  5. Today, I would like to speak about three important elements needed to secure our cyberspace.

Reframing the role of the Government in securing cyberspace

  1. First, the role of the Government.

  1. Singapore formally organised its cybersecurity effort a little over a decade ago.

    1. We established CSA in 2015 to provide centralised oversight of Singapore’s cybersecurity, and launched the Cybersecurity Strategy.

    2. In 2016, we launched GovTech to drive our Smart Nation initiatives and gave it the responsibility of overseeing the cybersecurity of government systems.

    3. We also passed the Cybersecurity Act and established the legislative framework to secure essential services.

  2. These moves enabled us to put in place the foundations such as articulating the cybersecurity standards expected of our CII owners and the framework for audits and compliance.

  3. To deal with the cybersecurity threats in a different operating environment, organisations need to see cybersecurity as not just another box-checking exercise to meet requirements; it is also not enough to just uplift the cybersecurity posture of individual organisations.

  4. Consider this analogy: to keep your house safe, you must install strong locks on your house and not leave it to chance. That is the minimum and in the interest of each homeowner. At the same time, even if you have the strongest lock, if the rest of the neighbourhood remains unsafe, your risk of intrusion stays high. There needs to be a collective effort to create a secure environment for all.

  5. Hence, the Government is moving beyond the traditional regulator-regulatee relationship with CII owners, and is partnering more closely with organisations to combat cyber threats together.

  6. Our collective response to the UNC3886 attacks exemplifies this shift. When the telcos came under attack, the Government mobilised cyber defenders across different agencies under Operation Cyber Guardian and worked closely with the operators to tackle the threat.

    1. At the Committee of Supply Debate last month, I shared how we are stepping up efforts with CII owners against APTs. The Government will lean in to help CII owners, selectively sharing classified threat intelligence and equipping them with proprietary threat detection systems to defend against well-resourced adversaries.

  7. This shared responsibility concept is similar with the approach Singapore takes for Total Defence where the Government, firms and individuals all play a role.

  8. Similarly, we need to foster this collective spirit for cybersecurity.

Strengthening public-private collaboration to uplift capabilities

  1. While the Government will do our best to protect cyberspace, we will not have all the answers. There is a wealth of expertise and capabilities in the private sector. This brings me to my second point on the importance of public-private collaboration.

  2. I am glad to see many attendees from the private sector today. I hope that this will be an occasion for all of us to learn together and build new relationships.

  3. Through collaboration and sharing experiences, we build a network that strengthens our defence.

    1. GovTech's Government Bug Bounty Programme is one such example. Since 2018, it has crowdsourced ethical hackers worldwide, working with over 60 agencies and uncovering more than 1000 security issues.

  4. These partnerships will become even more critical as AI adoption grows. Together, we must address three aspects of AI and cybersecurity:

    1. AI as a threat. Threat actors are using AI to increase the speed, scale and sophistication of their attacks. To counter this, we must shift toward a continuous monitoring and assurance model to detect and mitigate threats in real-time.

    2. AI as a tool. We will need to harness AI to counter sophisticated, AI-automated attack chains. AI can enable earlier threat detection and faster response times and reduce the asymmetry between attackers and defenders.

    3. Lastly, AI as a target. We must ensure enterprises adopt AI securely so it does not become a vulnerability. This means building capabilities in testing and establishing standards for safe and secure AI use.

  5. The AI space is evolving rapidly, and staying ahead requires close collaboration between government, industry and academia. We need to make full use of AI capabilities to defend and be a step ahead of those who wish us harm.

  6. The Government is prepared to take the lead in working with the private sector on these challenges. The sessions today will explore how we can collaborate on innovative AI and cybersecurity projects.

Developing cybersecurity talents and leaders

  1. Third, developing cybersecurity talents and leaders. While we talk about AI and automation, I firmly believe that the most important ingredient to secure our cyberspace is our people. Cybersecurity talent and leadership are critical in this aspect.

  2. We are developing multiple pathways to attract and nurture talent at all stages, from youths to experienced professionals. The demand is strong, with good jobs and career prospects ahead.

    1. Through programmes like CSA's SG Cyber Talent initiative, we provide comprehensive training focusing on real-world skills and practical readiness.

  3. AI’s transformative impact on cybersecurity demands building capabilities and competencies to use and guard against it. The Government is stepping up to lead by example.

    1. GovTech has provided its cybersecurity teams with training on AI applications in cybersecurity and the security of AI systems. Work is underway to develop specialised training pathways and expand these programmes across the rest of government.

  4. We work closely with industry, schools and the community to build up our workforce. Talent flows between government and the private sector, enabling knowledge transfer and strengthening capabilities across the ecosystem. Government is taking the lead and we are doing our part so I encourage all our partners in the private sector, as well as academia, to work together with us.

  5. But talent is only part of the equation. Good cybersecurity also requires good leadership. Leaders must be able to make responsible decisions that hold up not only on good days, but even more so on bad days.

  6. Cybersecurity leadership matters, and is as important as digital or AI transformation. You cannot say you want a fast car without putting in good brakes. Cybersecurity is not simply a technical issue for the CISO or IT department, but a leadership responsibility that the CEO and board must own.

  7. This is reflected in the governance of cybersecurity within the Singapore Government.

    1. The Government recognises that cyber resilience demands oversight at the highest levels. This is why the Prime Minister’s Office maintains direct stewardship over our national cybersecurity functions.

    2. The appointment of both a Coordinating Minister for National Security and a Minister for Cybersecurity further underscores the importance of leadership.

  8. This leadership mindset must take root in every organisation.

  9. In closing, Singapore remains committed to being a trusted partner in an increasingly globalised, AI-driven world.

  10. Standing still is not an option. Threat actors are moving fast, with AI redefining adversarial capabilities. We must rise to meet these challenges while driving innovation to harness these technologies to our advantage.

  11. The future of our cyberspace depends on the partnerships we forge today.

  12. I wish all of you a productive session and conference, and hope that you make new friends, build new relationships and continue to foster this community of practice to further secure our cyberspace. Thank you.

Back to top