While the year 2020 has been a chaotic whirlwind of prolonged economic uncertainty brought about by the COVID-19 pandemic, it has catalysed a quickening of the pace of digital transformation and the exponential growth of the digital economy.
Studies estimate that there are 31 billion Internet of Things (IoT) devices today, with 127 new devices added every second. This number will more than double to 75 billion connected devices by 2025.
“Greater connectivity also brings greater risks,” said Dr Janil Puthucheary, Senior Minister of State, Ministry of Communications and Information.
“The ‘Internet of Everything’ represents a vulnerable conduit that expands our attack surface, and can impact our broader cyber landscape. The vast majority of IoT devices – baby monitors, home routers, even our fridges and cars – are optimised for functionality and cost, rather than security.”
To create a safer and more secure cyberspace in Singapore, the Cyber Security Agency of Singapore (CSA) developed Singapore’s Safer Cyberspace Masterplan 2020. The Masterplan, which aims to raise the general level of cybersecurity for individuals, communities, enterprises, and organisations, was launched on 6 October 2020 by Deputy Prime Minister Heng Swee Keat.
Mr David Koh, Commissioner of Cybersecurity and Chief Executive, CSA, said: “Singapore’s digital transformation to achieve our Smart Nation goals in this post-COVID environment must be undergirded and enabled by robust cybersecurity. To leverage the opportunities, we must also mitigate the risks. To this end, the Safer Cyberspace Masterplan aims to raise the general level of cybersecurity in Singapore for Singaporeans, our enterprises and organisations. Cybersecurity is a collective responsibility, where all stakeholders can and must play a role to protect ourselves in the digital domain.”
The Masterplan comprises three strategic thrusts: securing our core digital infrastructure; safeguarding our cyberspace activities; and empowering our cyber-savvy population. The Masterplan also outlines 11 initiatives, one of which is the Cybersecurity Labelling Scheme (CLS) for consumer smart devices.
A first of its kind in the Asia-Pacific region, the CLS will see smart devices rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions, as well as help companies that produce secure IoT devices to distinguish themselves and raise the overall cyber hygiene in Singapore.
In the minds of many enterprise leaders, cybersecurity is seen as a business cost with no clear return on investment, instead of a competitive advantage. CSA recognises that “enterprise leaders, such as Board Directors and owners of SMEs, are key decision-makers on how cybersecurity risks are managed”. The agency cited research conducted by McKinsey and the World Economic Forum, showing that management attention and time devoted to the issue is the single largest driver of better cybersecurity risk management. The CLS is one step towards incentivising enterprises to invest more in cybersecurity.
What is the Cybersecurity Labelling Scheme?
The Government will offer a Cybersecurity Labelling Scheme (CLS) that device manufacturers can voluntarily apply for, which provides different levels of cybersecurity ratings to help consumers easily assess the level of security offered by a smart device and make informed choices. These labels indicate the security provisions of the registered products, based on a series of assessments on:
- Meeting basic security requirements such as ensuring no universal default password;
- Adherence to the principles of Security-By-Design;
- Absence of common software vulnerabilities; and
- Resistance to common cyber-attacks.
Details of the Scheme
For a start, CSA will introduce the CLS to Wi-Fi routers and smart home hubs. These products are prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users. It will progressively include other IoT devices, including web cameras.
The CLS is a voluntary scheme. The CLS takes reference from the European Standard EN 303 645 ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’. To encourage adoption of the scheme, CSA will waive the application fees for the CLS for a year.
At the 5th ASEAN Ministerial Conference on Cybersecurity (AMCC), Mr S Iswaran, Minister for Communications and Information, Minister-in-charge of Cybersecurity, highlighted that CSA plans to work with ASEAN member states and other international partners to establish mutual recognition arrangements for the CLS to enhance security standards of the global IoT device market.
“This takes on added significance when we consider the potential of 5G and the proliferation of IoT devices,” he said.
At the International IoT Security Roundtable 2020, Dr Janil Puthucheary pointed out that the CLS will be aligned to international security standards for consumer IoT products. “Given the borderless and interconnected nature of cyberspace, a global approach is necessary…And it would be continuously improved, to nudge businesses to embrace higher security standards, based on market interests, as well as the industry’s acceptance and readiness. Through this, we hope to strike a balance between raising cyber hygiene and encouraging the advent of new and innovative products.”
Also included in Singapore’s Safer Cyberspace Masterplan 2020 is the introduction of a voluntary SG Cyber Safe Trustmark by 2021. Enterprises with the Trustmark demonstrate to their clients that they have put in place certain pre-determined cybersecurity measures. CSA pointed out that while achieving the Trustmark does not mean that the enterprise is secure from all malicious cyber activities, clients can nevertheless be better assured of the cybersecurity measures of the enterprise, and enterprises are incentivised to invest in cybersecurity as it becomes a competitive advantage.