Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 336 of 425 42.1.2 Intelligence generated by each enterprise from their investigations and prevention and detection tools 971. There should be sharing of threat intelligence within each sector and across sectors. This is valuable where the sectors are faced with like threats, or use similar systems and thus have similar vulnerabilities. 972. There should also be sharing of threat intelligence from the sectors to the government. Gen. Alexander has opined that if the cyber attack is meant to destroy a country’s infrastructure, the government must have a role. The government has to have the ability to seethe cyber attack in time, in order to have a role in defence that goes beyond incident response. Where enterprises encounter suspicious behaviour indicative of a cyber attack, we recommend that they share this information with CSA. Where the suspicious behaviour meets the threshold for reporting under the relevant reporting frameworks, the information will have to be shared with the CSA as soon as possible, or at the latest, inline with the timelines for reporting under the frameworks. Even where the suspicious behaviour may not meet the threshold for reporting, enterprises should exercise judgment on whether their observations should be shared with CSA nonetheless, to enable in-depth analysis and, if necessary, broader dissemination across the CII sectors. 42.1.3 Classified information provided by commercial companies to their trusted partners 973. Commercial companies which offer threat intelligence feeds may separately engage in a deeper analysis of the intelligence and further generate classified intelligence based on this analysis. Such analysis is not available commercially, but maybe shared with trusted partners. CE, CSA’s evidence is that CSA is a trusted partner of some of these commercial companies, and receives classified threat intelligence from them. 974. CSA will then distil this threat intelligence into actionable intelligence and share it with CII operators (see paragraphs 966 (pg 333) and 967 (pg 333) above.
