COI Report – Part III
Page 75 of 425

219. Mr David Koh, Chief Executive of CSA (“CE, CSA”), stated in his evidence that at the time of the attack, DAM was not common in the healthcare sector, but was common in both the security sector, and the banking and finance sector. Based on this, counsel for IHiS has submitted that the lack of DAM should not be viewed as an “inherent weakness” in SingHealth’s network architecture, in light of the prevailing security posture in the healthcare sector at the time of the attack. The upshot of IHiS’ submissions on this point is that it was not unreasonable for IHiS not to have implemented DAM at the time.
220. As discussed in the course of proceedings, the reasonableness of IHiS’ conduct in this respect is not in issue. What the Committee is concerned with is (i) identifying the contributing factors (i.e. the lack of monitoring at the SCM database for unusual queries and access), (ii) identifying whether there was anything that could have been done better to address the vulnerability (i.e. implementing DAM), and (iii) the reasons, if any, why such steps were not taken.
221. It is in respect of this third issue that CE, CSA’s evidence becomes relevant. The Committee notes that CE, CSA goes on to state in his evidence that the security and banking and finance sectors are “(sectors) where database monitoring is commonly in place because of the mindset of the network designers”. The Committee is inclined to accept the Solicitor-General’s view that the lack of security measures at the database level to monitor for unconventional querying and access demonstrates that the need for such measures was not part of the consciousness of the network designers and operators for the SCM system at the time of the Cyber Attack.