Speech by by Mr Gaurav Keerthi, Deputy Chief Executive (Development) at the ATxSG Cybersecurity Summit on 1 June 2022

"Protecting What We Own: The Complicated Shared Responsibility of Cybersecurity” by Mr. Gaurav Keerthi, Deputy Chief Executive (Development) from the Cyber Security Agency of Singapore. Keynote address delivered at ATxSG Cybersecurity Summit on 01 June, 2022. 

Good afternoon, everyone. Thank you for coming down to the first physical ATxSG conference in the year 22 AD.  I divided the world into BC and AD before COVID, and hopefully after the disease, I hope that we are done with all this. The period in between BC and AD is a bit of a blur to me, but it’s wonderful to be here again. 

First, a self-introduction. So, I’m Gaurav. I’m the Deputy Chief Executive of the Cyber Security Agency of Singapore. I’m actually a software developer by background way back a long time ago in my training and studying days, but I stumbled into cybersecurity towards the end of my military career. I got involved in innovation, capability development, and finally I was responsible for defending the Air Force’s operational networks. Prior to doing cybersecurity, I had no white hair.

We use this ambiguous phrase “cybersecurity is a shared responsibility”, and even Andrew mentioned it – it’s a shared responsibility. But it’s a rather ambiguous phrase. I’d like to try to demystify it a bit by unpacking, understanding, and considering ways in which we can use that phrase to give us greater clarity on how each of us is expected to contribute to that mission.

Now, my role in CSA requires me to think about how to design and develop a more secure Internet. This is a difficult task made more complex by the fact that nobody listens to me because I don’t own the Internet. It sounds silly to say, but let’s unpack this issue of ownership a little bit more. Our founding Prime Minister Mr. Lee Kuan Yew once said (and I paraphrase): “What we cannot defend, we do not own.” Conversely, what we do not own, we feel no obligation to protect. So, the question of ownership is linked very tightly to the question of responsibility. And often, an organization that leases office space is responsible (and will be held responsible in a court of law) for the building’s fire safety – you can’t say “Well, I own this building, but if a fire breaks out, that’s your responsibility, not mine. People died, not my problem.” We see that this responsibility extends beyond just protecting assets to protecting the people – protecting the lives and livelihoods that interact or deliver these services or these assets. Simply put, ownership begets responsibility.

So the first big question I’m going to ask all of you is: who owns the Internet? Turns out, everybody and nobody. Private corporations – the companies that are here today – they own much of the infrastructure that we use today. Non-state institutions like ICANN help to administer important aspects of it. Individual developers – the guys who built Log4J – they own parts of it. Governments regulate parts of it. So, many own parts; none own the whole.

Turns out, that wasn’t very helpful to ask. So we tried to look for past precedents or useful parallels. Surely we aren’t the first domain to deal with this difficult question. Perhaps the Internet is similar to the Ocean, Sky, or Space, which are natural domains of what we call the “Global Commons”? Like the Internet, there is no single owner for these “natural domains”, yet their shared usage and protection is critical to the modern world’s prosperity. But there’s one big difference between the ocean, sky, space, and the Internet: the oceans existed before Microsoft, the sky existed before Google, and space existed before Amazon (although Tesla may lay claim to Mars some day). Natural domains will continue to exist long after those companies cease to exist, assuming we can sort out our carbon footprint. But the Internet is different. The Internet only exists because private companies and organisations created it, and it is possible that if some of these companies disappear, some of the capabilities of the Internet will disappear. So, perhaps this parallel cannot be imported wholesale, even as the “Tragedy of the Commons” threatens our digital futures in the cyber domain as well. The stakes are simply too high for us to sleepwalk into an avoidable problem. We can, and perhaps we should, adopt a different approach of what shared responsibilities really means.

Today, the Internet is like a patchwork quilt we’ve stitched together somewhat anarchically. As a cybersecurity professional, this gives me more white hairs. Let me outline the four big concerns I have about how it is currently being protected.

The first is at the International level: Is the Internet being actively governed? Now, I travel from Singapore to New York to attend the United Nations, and I am fairly confident that me, my luggage, and my aircraft will arrive safely in New York. Why? Because airlines and airplane flight routes are tightly controlled, tightly monitored; passenger and luggage systems are globally governed and interconnected by design, and the aircraft themselves undergo really stringent safety checks to be determined airworthy internationally. Having been a pilot, I appreciate how much governance exists behind the scenes just to make it possible for me to fly to New York with my luggage. We don’t see this in the digital world today, yet.

Now, there are ongoing conversations which are promising – Singapore chairs the United Nations Open-Ended Working Group on the Security of and In the use of Information and Communications technologies. Long phrase – basically – the United Nations committee on cybersecurity where we discuss the voluntary, non-binding norms of responsible behaviour, and how international law applies in cyberspace. It’s a good start, but it does worry me that there are still so many unresolved big questions at the international level.

Next, we move to the National level: Is secure Internet a public utility or a private service? Now, a world where cybersecurity protection is only for those who can afford to pay for it – that’s not a good world. Last year, Singapore published our updated cybersecurity strategy, which included a significant emphasis on creating a safer cyberspace as a public utility. And we, the government, have a duty of protecting our users from the worst known threats.

Now, this doesn’t mean that the government will do everything for cybersecurity and users can avoid responsibility. Just like in the physical world, the police patrol the streets and they help to keep it safe, but individual homeowners still have to lock their doors.

Next, we move to the Organisation level: Is cybersecurity seen as a priority or a burden? Ideally, companies would fill this international and government void by proactively creating a more secure Internet for users. But sadly, many companies see cybersecurity as a cost centre, as a drag on innovation, and they try to spend just the minimum amount of money for compliance. I regularly engage with developers who consider me the enemy – I, the Cyber Security Agency, am the bad guy! That’s odd, because when my red team engages and hacks their system, we give you a nicely formatted report, not a ransom note. The real enemy is not here, it’s out there. And as an economy, having companies race to the bottom for cybersecurity spending is not a desirable outcome as they will inevitably pay more when things go wrong.

Now, there are some companies that are starting to change their mental model and treat cybersecurity – security, trust – as a unique selling point. I drove past a billboard along the AYE that advertised the DBS mobile banking app with one big word: Secure. As a DBS customer, this makes me happy.

Next, we move to the Individual level: When things go wrong, whose fault is it? When I first joined the cybersecurity industry, I found it really puzzling. Cybersecurity companies regularly blamed users – a.k.a. their customers – as being the weakest link. I’ve never heard of another industry that blames their customers for their problems. When users do (and they do) make mistakes, how can industry, regulations, and international norms reduce the likelihood and impact of those mistakes? Again, going back to an unrelated experience of being a pilot – now as a pilot, it is a difficult and demanding job, but the industry and regulations made it harder for me to be the weakest link by making airplanes safer to fly and easier to fly safely and governance better. Can the same thing happen in the digital world?

Now of course, we all recognise that protecting users is not an easy undertaking. But poor cybersecurity is not a problem that will go away if we ignore it for long enough. Instead, it will become worse. Attacks, victims… the losses will just mount. And when people lose trust in those technologies due to safety or security concerns, the digital future that all of us are working hard to create may actually collapse.

On that note, there are people (including people in this room) who believe that technology is irreversible: “No matter what happens, it is irreversible – we cannot uninvent something”. It is worth remembering (especially for those of you who flew here) that humans invented supersonic passenger travel with the Concorde. We invented it, it is a technology that exists! It crashed, and today, all of you who flew, flew on subsonic travel – slow, bulky aircrafts – because we uninvented the technology because of the lack of trust. We must take security of the Internet, cloud, autonomous vehicles, and so on – all these emerging technologies – very, very seriously to avoid that same fate.

So we come back to that original question which I asked as I took on the job, as I took on my job: How do we secure the Internet? Let me suggest three unusual models to consider.

The first model draws again from that governance of the natural “public commons” domains: the sea, sky, and space. Differences aside, how have humans wrestled with the thorny problems in those domains could be illuminating. International organisations play a pivotal role in the governance of these domains: we have this thing called the United Nations Convention on the Law Of the Sea for the sea, we have ICAO for the sky, and more recently, the Artemis Accords for space. This gives me hope that something similar can be achieved for the cyber domain.

Now, these examples of states working with non-state stakeholders realizing a common goal – it’s proof that we can overcome these collective action problems and develop a clearer notion of what shared responsibility really, actually, and tangibly means, for a safe and stable cyberspace.

The second model is a strange one; it’s from how countries have approached the problem of dirty water. In developing countries, the responsibility for drinking clean water falls almost entirely upon the individual drinking it (whether it is through decontamination or boiling or purchase). Unfortunately, those who can’t afford to do so will drink unclean water and fall ill, and this creates problems for themselves and the society at large. In developed countries like Singapore, you can turn on the tap, put a cup under it, and drink. Yeah, it may not taste like mountain spring water, but you are not going to die from it. Governments have accepted the responsibility of providing clean drinking water to their people. Consumers are still free to purchase nice bottled water, flavoured water, soda drinks; perform additional filtering of their own. But the government has accepted the responsibility that clean drinking water through upstream filtering is our responsibility. Society benefits in terms of improved public health and hygiene.

There are parallels to the digital world as well, as more governments are thinking about how to “clean the digital pipes upstream” to reduce the known cyber threats that are in the system. But users still need to decide if this is good enough for them.

The last model is from the automotive industry. You know, when cars first came out, cars competed on cost and features, and there were horrible accidents. Volvo came along and innovated on safety. The market dynamic suddenly changed: Rather than trying to save costs on safety, manufacturers tried to show off and say that they were the safest. Safety went from a cost to being a feature – to being a profit generator. In the same way that good brakes give the drivers confidence to drive their car faster, good cybersecurity gives users the confidence to digitise more with your company. If my banking app was constantly being hacked, I would prefer to line up at the teller or – even worse – change banks. Customers will start paying more for things that are more secure. 

Now this sounds like a clever idea, but we actually tested this hypothesis in Singapore. Over the last two years, we introduced a Cybersecurity Labelling Scheme, where IOT devices (baby cameras, routers, smart door locks) got a sticker – one to four stars – based on how secure they were. We have over 140 devices from international brands including Google, Asus, and other companies, and consumers are now equipped to pick the four star device over the one star device and avoid the zero star devices.  Most importantly, the hypothesis is true: Manufacturers have reported that consumer behaviour has changed, and there is more interest in the labelled devices than the unlabelled ones.

Now with these models in mind, how can we assemble them into a solution that fits our needs and answers these questions of ownership, responsibility, and duty?  The easy answer is “shared responsibility”, but let me offer some simple, practical, and direct answers on what it means for each of the steps or parts of the organisation.

Firstly, international organisations must govern the Internet better. Organisations like the United Nations must push for clarity on the norms of international behaviour. These norms (while they are broadly accepted already) must be implemented and translated into local laws. At the technical level, organisations that define standards should consolidate and simplify rather than fragment international standards. Singapore is an active contributor to the development of international technical standards in the security domain because we know this will help manufacturers know how to build more secure digital products. We’ve pushed hard for mutual recognition of standards and have already signed the world’s first MOU on the Cybersecurity Labelling Scheme with Finland. Mutual recognition – it’s not a competition with each other to design better standards; it’s a race against the attackers, against the bad guys, to agree on interoperable common standards. International organisations may not own the pipes and bytes of the Internet, but they own the intangible parts that set the direction and the standards for the Internet. They have that responsibility to use those tools to protect users.

Now, governments must reduce the risks of emerging technologies. In the early days, the digital world required a light touch to let innovation bloom. We’re no longer in the early days. As Singapore pushes ahead to build a smart nation, we are mindful of the risks, and need to adopt a mix of commercial contracts and regulatory levers to ensure that the smart nation is also a secure one, and a safe one. I saw a video on Youtube recently of a police officer trying to stop an autonomous car to give it a parking ticket. In the event that this autonomous car (without a driver in it, it was just going back to the owner) gets into an accident – who is to blame? The owner? The manufacturer? The programmer? The Cloud service that lagged? A light-touch may not be suitable for some parts of the digital world, and these are the vexing policy questions at the government’s door. We need to proactively de-risk the adoption of these emerging technologies before they become insidious threats. The government should use its instruments like laws and regulations – what it owns - to protect its people from threats.

Now we come to companies. Companies must think of cybersecurity as an opportunity to differentiate themselves, not as a cost to be minimised. Companies, in my view, have a much bigger part to play in the “shared responsibility”, because most of the actual parts of the Internet – the pipes, the bytes – they’re all are owned by them. The Singapore Government will make it easier for companies to secure themselves by offering tools as part of the SG Cyber Safe Programme and simplifying the adoption of better hygiene for smaller companies. Companies should leverage on initiatives like the Labelling Scheme which I talked about to invest more in cybersecurity and charge users a premium for those more secure devices. We will make it easier and more affordable and more recognisable for companies to know how to be more secure so that they can avoid being hacked. For those in the audience who run a business, also remember that you are a customer as well. Would you continue banking with a bank that is constantly hacked? Would you secure your house with a doorlock that can be easily bypassed? If the answer is no, then you know what to do for your own products.  Companies that own these tangible assets of the Internet should feel responsible – and be held responsible – for the protection of those parts.

Now, we come to individuals – all of us as humans. We should treat security the same way we treat safety. The two will converge as technology becomes more a part of our lives. Today, we invest in fire insurance, health insurance, and we look both sides before we cross the roads. We have internalised safety as adults.  The next generation – the digital natives – well, they’re starting to internalise online safety as well, but we need to help make it easier for them to find and adopt secure solutions. Singapore’s Labelling Scheme was mentioned earlier with regards to device purchases, but there are other examples. For example, SingPass, our national biometric authentication system that helps with the problem of authentication. Where users would previously use weak passwords or repeated passwords – we’ve done away with it. If you drive without your seatbelt, your car will make an annoying beeping noise. Perhaps we should do that to users who turn off the security features for their apps – having an annoying beeping noise in your iPad until you turn it back on. Users own the choices they make, and should be held responsible for the choices to be more secure. 

Now in conclusion, the questions I asked about who owns the Internet and hence who is responsible for protecting the Internet were, to some extent, a little bit of a red herring. We are already in a world with a patchwork Internet – one assembled together without much governance, one that has been built for functionality, not security, and it’s owned by a mixture of public, private and individuals. There is thus no neat answer to the questions we face, but perhaps an honest recognition of this fact – this patchwork – is a good step. I’ve tried to dive a little deeper into what I mean by the phrase “shared responsibility” to give us all a bit more of a stake in it, to show us which parts we each own, and how we can use what we own to protect the Internet. Whether it is the intangible norms or standards that guide our path, the policy instruments of laws and regulations that define what is secure or not, or the tangible assets that customers use, or the choices we make each time we go online – each of us owns a different part, and can hence partake in the shared responsibility to protect the Internet in a different way. And I urge you all to make the right choices at each level.

Thank you.