Speech by SMS Tan Kiat How at the Committee of Supply Debate 2026
2 March 2026
Sir, we have made major moves in the last decade to shore up our cybersecurity such as setting up the Cyber Security Agency of Singapore, and introducing the Cybersecurity Act to protect our critical information infrastructure.
But there is no room for complacency. I agree with Mr Vikram Nair’s cut to the Ministry of Home Affairs (MHA) that threat actors – especially Advanced Persistent Threats, or APTs – will only get more sophisticated.
Mr Sharael Taha asked about the Government’s plan to protect our Critical Information Infrastructure, or CII.
Strengthening Protection of Critical Information Infrastructure Owners
Cybersecurity is a collective effort. CII owners must take responsibility for the systems they own and operate. The Government will also do our part.
At this COS, I will speak about MDDI’s plans to:
First, update the cybersecurity standards and obligations;
Second, level up our CII Owners; and
Third, strengthen capabilities in our cybersecurity workforce.
Today, our CII Owners are held to higher standards and stringent obligations are imposed on their critical systems or CII systems. This was a calibrated approach to balance national security needs and business costs.
We have observed that threat actors are also targeting non-CII systems because they may be less secured and can be entry points into CII systems.
CSA is therefore reviewing the scope of the current cybersecurity standards and obligations, and may include non-CII systems, such as networks that are interconnected with the CII systems.
We are mindful not to impose unnecessary costs on CII Owners, and will continue to take a risk-based, calibrated and pragmatic approach.
Sector Leads may introduce additional sector-specific obligations that are adapted for their sector.
For example, IMDA will be enhancing its cybersecurity regulations for the telecommunications operators, given the recent waves of attacks.
IMDA intends to provide guidance for areas such as managing virtualisation of infrastructure and credential management.
We expect CII Owners to comply with these requirements.
CII Owners currently engage third parties to conduct audits and regular penetration testing to verify the robustness of their defences. These reports are then submitted to CSA for review.
In addition to relying on such third-party reports, CSA wants to ensure that the security controls implemented by CII Owners are not only tested and validated during audits, but continuously strengthened. One way to do so will be to partner CII Owners to do on-site reviews.
CSA is currently discussing with the Sector Leads on the implementation plan. We will reach out to the identified CII Owners when ready.
Sir, regulations and compliance can only go so far. We need our sectors and CII Owners to do their part to defend their systems, consistently every day.
Over the last year, I have visited the CII sectors, taking time to speak with the sector leads and the key CII Owners. We have had closed-door, candid discussions.
Our Sector Leads and CII Owners understand that the threat landscape has evolved and appreciate what is at stake.
However, they shared with me that most CIIOs are private companies whose business is in the delivery of essential services. They are not specialists in cybersecurity. Yet, they are up against the best-in-class, state-backed cyber threat actors.
One of the Chief Information Security Officers (CISOs) told me that it is like he is bringing a knife to a gun fight. I empathise with his point of view.
As I said, cybersecurity is a collective effort. We are on the same team. Therefore, the Government will lean in to help CII Owners strengthen their defences and better respond to incidents.
Tools
Typically, National Security is the exclusive domain of governments, such as developing cutting-edge technological systems and training skilled operators to deal with various threat scenarios.
We have decided to avail some of the Government’s expertise to the private sector, to level the playing field between the defenders and the attackers. We will help our CIIOs “level up” and hold their own in a fight against APTs.
First is intel. We will selectively share classified threat intelligence with our CIIOs so that they are better able to spot and respond swiftly to threats that are attacking their system.
Second is tools. We will equip CIIOs with proprietary threat detection systems to strengthen their abilities to detect malicious activities in their networks, especially those of state-sponsored APTs.
These proprietary tools complement commercial threat detection systems used by our CII Owners today.
We have started deploying these tools in selected CII Owners and will progressively deploy them across the rest. CII Owners may need to incur cost to integrate these tools into their systems. We will consider funding support, if needed.
Even with these measures in place, we must be prepared that some threats will go undetected. This is why defenders must remain vigilant and constantly enhance their capabilities.
This brings me to my next point on innovation. Threat actors are also not standing still. As pointed out by Mr Sharael Taha, autonomous AI agents are emerging threats.
We must similarly harness technology to defend our critical systems.
CSA will partner with CII Owners to test the use of technologies such as AI, to help enhance the efficiency and effectiveness of their cybersecurity operations.
We will share more details in due course.
Capabilities
The defenders will need to be competent in using these tools.
CSA will work with training providers to design and curate courses that equip cybersecurity professionals with specialised knowledge and skills on how to deal with APT threats.
The responsibility of securing our CII systems cannot just rest on the shoulders of our frontline cyber defenders. This is not just a technical matter.
The Board members and CII Owners must also do their part. It is a leadership responsibility.
We will equip them with the relevant knowledge.
Since 2021, CSA has partnered the Singapore Management University to conduct the Cybersecurity Strategic Leadership Programme for C-suite leaders. The programme has trained 74 senior leaders thus far, such as Ms Dewi Anggraini from SMRT, Mr Andre Shori from Schneider Electric and Mr Kang Seng Wei from DBS.
In view of the participants’ positive feedback, CSA will conduct more runs of the Leadership Programme over the next few years.
We intend to welcome the next batch of cybersecurity leaders by the second half of this year.
Building a Safer Cyberspace for Singapore
Let me turn to how we are protecting our citizens.
Just last year, Members may have seen articles stating that attackers gained unauthorised access to thousands of Internet of Things (IoT) devices, including routers, around the world.
Singapore has not been spared. Last year, attackers infected over 2,700 devices such as baby monitors and routers. When such personal devices are hacked, citizens’ privacy can be compromised and their daily activities disrupted. These devices can also be unknowingly hijacked to launch attacks against others.
The Government will do more to protect our citizens against these malicious actors.
First, we will do more to ensure that the digital products that are sold in Singapore have baseline security safeguards in place. This will make these products harder to be compromised.
Today, we require home routers to meet minimum cybersecurity requirements.
This is because they are the gateways to networks and transmit sensitive information. They are currently required to meet Cyber Labelling Scheme, or CLS Level 1.
CLS is like the energy efficiency tick label you see on household appliances, but instead of showing energy use, it tells you how cybersecure the device is.
CLS ranges from Level 1 to Level 4, with Level 1 being the most basic standard.
We have seen threat actors using more advanced techniques to exploit home routers.
CSA and IMDA therefore intend to raise the minimum cybersecurity requirements for all routers sold in Singapore to the equivalent of CLS Level 2.
Besides routers, IP cameras are another common target for cyber threat actors. Threat actors exploit these cameras to spy on individuals. Exploited images are even uploaded onto pornographic websites, or used to blackmail individuals.
To better protect citizens, CSA will explore requiring IP cameras to meet CLS Level 2, similar to home routers.
CSA will continue to monitor and review if more digital devices should be required to meet minimum cybersecurity standards.
Second, for organisations which handle sensitive data, including personally identifiable information, we are considering introducing more stringent cybersecurity and data protection obligations.
The Government will take the lead in this:
GovTech will require government vendors that manage critical systems and sensitive government data to meet Cyber Trust Mark requirements.
CSA will also require the following three groups of entities who are operating, assessing or handling sensitive systems and data to meet Cyber Trust Mark Requirements. These are the CII Owners, auditors conducting cybersecurity audits on CII Systems, and CSA’s licensed Cybersecurity Service Providers providing penetration testing and managed security operations centre services.
Consultations with relevant stakeholders are ongoing, and these measures will be implemented progressively over the next two years.
Ensuring the Future-Readiness of our Critical Infrastructure and Digital Economy
We are also looking ahead to prepare for tomorrow’s threats. Mr Kenneth Tiong sought to clarify Singapore's approach to quantum-safe migration.
We have been monitoring this technological trend closely. We also take the position that Post-Quantum Cryptography (PQC) will be the mainstream solution for quantum-safe migration. It is widely tested and internationally accepted. Singapore will take reference from the NIST standards as the baseline. As Mr Tiong pointed out, this is the position taken by many other countries.
Quantum Key Distribution (QKD) is a complementary technology; it is more for niche applications like securing high assurance communications.
Singapore takes a risk-oriented approach when it comes to quantum-safe migration. Government is reviewing the practical steps we can take for quantum-safe migration, including the adoption of PQC and the appropriate role of QKD if needed. We have also started investing in capabilities to support businesses in quantum-safe migration.
In Oct 2025, CSA released a Quantum-Safe Handbook and Quantum Readiness Index to raise awareness of the associated risks. We are working with industry experts to better support organisations in their efforts, including through training.
We are also deploying two quantum-safe networks nationwide through the National Quantum Safe Network Plus initiative or NQSN+. This provides additional options for businesses to integrate quantum-safe solutions such as PQC and QKD into their networks and systems. By supporting the provision of NQSN+ infrastructure and services, we aim to reduce the technical and financial barriers for organisations looking to implement quantum-safe solutions.
Quantum-related technology is an evolving field. We are closely monitoring developments and will release guidance on this in due course. We are prepared to adopt different technological solutions if they prove to be effective and able to meet our needs.
Sir, our digital infrastructure underpins our economy and the daily life of citizens.
MDDI is committed to improving the resilience and security of our digital infrastructure.
