• 14 August, 2025
• No Comments

Cybersecurity Act: Why 2025 Marks a Turning Point in National Defence

In the modern digital ecosystem, cybersecurity is no longer a secondary concern. It is a cornerstone of national defence, economic stability, and public trust. Nowhere is this more apparent than in Singapore, where the evolving threat of advanced persistent threats (APTs) has prompted major legislative and operational reforms, including significant updates to the Cybersecurity Act to better safeguard critical infrastructure.

On 29 July 2025, Minister for Digital Development and Information, Josephine Teo, announced a critical update to Singapore’s Cybersecurity Act in which operators of critical systems will soon be legally required to report suspected APT activity to the Cyber Security Agency of Singapore (CSA). This landmark change marks a significant turning point in the city-state’s approach to digital resilience and national security.

The new mandate is not a speculative exercise. It is a response to a concrete and growing danger. In July 2024, Singapore’s critical information infrastructure (CII) was targeted by UNC3886, a cyber-espionage group believed to be linked to China. According to the Straits Times, activity by APT actors like UNC3886 has surged fourfold from 2021 to 2024. These attacks are not opportunistic. They are stealthy, persistent, and engineered to infiltrate essential systems, from energy grids to water treatment plants, in pursuit of long-term disruption or intelligence gathering.

The reality of APTs: Beyond ransomware

Unlike traditional cyberattacks, APTs are not about immediate financial gain. They are complex operations, often state-sponsored, designed to silently penetrate high-value networks and remain undetected for extended periods. The goal is not to extort but to observe, learn, and exploit over time. These actors may lurk within systems for months before launching an attack, making their detection particularly challenging.

Singapore’s pivot towards mandatory reporting reflects an understanding that the old models of isolated defence and voluntary disclosure are no longer sufficient. As Minister Teo stated, APTs are no longer theoretical. They are active, evolving threats that demand a collective, coordinated response. The belief that any organisation, especially those managing critical infrastructure, can deal with such intrusions on its own is dangerously outdated.

Legal reform: Strengthening the Cybersecurity Act

The amendments to the Cybersecurity Act, passed in 2024 and expected to take full effect by the end of 2025, significantly broaden CSA’s oversight. CII operators will be obligated to report not just confirmed breaches but also suspected APT activity. This proactive stance is crucial in ensuring early detection and timely response, two elements that are often the difference between a contained incident and a full-scale national crisis.

The revised Act also extends CSA’s reach to cover supply chain vulnerabilities and cloud services used by CII operators. Given the interconnected nature of today’s digital infrastructure, this is a pragmatic and necessary step. An attacker may not need to breach a core system directly if they can infiltrate a poorly secured vendor or cloud provider. This broader scope enables regulators to examine security holistically rather than in silos.

Singapore is not alone in this shift. The European Union’s NIS2 Directive and the United States’ Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) similarly mandate the timely disclosure of cyber incidents. These legal frameworks signal a global move towards transparency and accountability, grounded in the understanding that cyber defence must be a shared endeavour.

Real-world consequences: Learning from global incidents

Minister Teo’s remarks were punctuated by sobering examples from around the world. In January 2024, a malware attack on Ukrainian internet routers left 600 homes without heating during winter, exploiting a zero-day vulnerability to cause real-world suffering. Meanwhile, in Norway, a cyberattack on a dam in April 2024 led to the unintended release of seven million litres of water. While physical damage was limited, the event illustrated how digital breaches can have tangible, dangerous consequences.

Closer to home, the 2018 SingHealth breach remains Singapore’s most severe cybersecurity incident. The attackers exfiltrated personal data from 1.5 million patients, including that of then Prime Minister Lee Hsien Loong. They are believed to have operated undetected for nearly nine months. These events underscore a key point: the longer an APT remains hidden, the more devastating its eventual impact.

Operational readiness: Exercises and partnerships

To accompany the new legal requirements, Singapore has scaled up its efforts to improve operational readiness across CII sectors. Exercise Cyber Star, now in its sixth iteration, is the largest national cybersecurity drill to date. It brought together nearly 500 participants across the nation’s 11 CII sectors, spanning aviation, water, healthcare, media, energy, and more, to simulate realistic attacks and stress-test national defences.

In these simulations, participants faced scenarios modelled on actual APT tactics, such as the compromise of transportation systems and subsequent public safety implications. These exercises serve a dual purpose: they test technical capabilities and build institutional relationships. Minister Shanmugam has emphasised the need for cross-sector cooperation, reminding stakeholders that effective cybersecurity is as much about human coordination as it is about firewalls and patches.

Beyond simulations, the CSA has also formalised partnerships with key private sector players. On 29 July 2025, it signed a memorandum of collaboration with ST Engineering to co-develop cybersecurity tools tailored to operational technology environments. These partnerships reflect a forward-looking strategy that leverages local expertise to build custom defences suited to Singapore’s unique digital ecosystem.

Shifting culture: From secrecy to shared responsibility

A less visible but equally vital aspect of this reform is cultural. Historically, organisations have been reluctant to disclose cyber incidents, fearing reputational damage or regulatory fallout. However, as Mrs Teo aptly noted, silence only serves the attacker. Mandatory reporting shifts this paradigm by normalising transparency and reframing it as an act of responsibility rather than weakness.

This shift is not just symbolic. By fostering an environment where early disclosure is encouraged and supported, CSA can provide more immediate assistance. It also improves the quality of national threat intelligence, enabling swifter identification of attack patterns and coordinated mitigation strategies. Importantly, this approach builds public trust. Citizens and consumers have a right to know that the systems they rely on, from transport to healthcare, are under constant and competent protection.

The role we play at Privacy Ninja

As Singapore tightens its cybersecurity framework, private sector support will become increasingly important. Privacy Ninja stands ready to assist organisations in adapting to the new requirements through a full suite of cybersecurity services. Our Vulnerability Assessment and Penetration Testing (VAPT) services are designed to proactively uncover and remediate security weaknesses before they can be exploited by actors like UNC3886.

We also offer Data Protection Officer-as-a-Service, Smart Contract Audits, and Data Breach Management support, ensuring that organisations are not only compliant with the Personal Data Protection Act (PDPA) but also operationally resilient. In a regulatory environment that demands speed, transparency, and cross-sector coordination, having a trusted cybersecurity partner like Privacy Ninja can be the difference between breach prevention and crisis management.

Whether you are a CII operator or part of the broader digital ecosystem, the message is clear: vigilance is no longer optional. With Singapore entering a new phase of cybersecurity maturity, now is the time to strengthen your defences, align with national mandates, and adopt a culture of readiness.