CSA tasks critical information infrastructure leaders to review cyber risks due to AI-enabled threats
"This is not an issue that should be delegated to IT teams alone. It demands leadership attention at the highest levels," said Senior Minister of State for Digital Development and Information Tan Kiat How.
by Matthew Mohan · CNA · JoinRead a summary of this article on FAST.
Get bite-sized news via a new
cards interface. Give it a try.
Click here to return to FAST Tap here to return to FAST
FAST
SINGAPORE: The Cyber Security Agency of Singapore (CSA) has written to boards and senior leadership of all Critical Information Infrastructure (CII) owners to review their cybersecurity in light of AI-enabled threats.
Senior Minister of State for Digital Development and Information Tan Kiat How said in parliament on Tuesday (May 5) that the letter from CSA sets out clear expectations on what the review should include.
He was responding to questions from MPs on AI cyberattacks and how organisations are being fortified against such attacks.
"This is not an issue that should be delegated to IT teams alone," said Mr Tan.
CNA Games
Guess Word
Crack the word, one row at a time
Buzzword
Create words using the given letters
Mini Sudoku
Tiny puzzle, mighty brain teaser
Mini Crossword
Small grid, big challenge
Word Search
Spot as many words as you can
Show More
Show Less
"It demands leadership attention at the highest levels, including board members and chief executives. This applies whether an organisation runs information technology, operational technology, or both types of systems.
"The priority is to get the fundamentals right, and do so quickly."
CII are computer systems directly involved in the provision of essential services. The CII sectors are: energy, water, banking and finance, healthcare, transport, infocomm, media, security and emergency services, and government.
22:50 Min
The government does not have access to Mythos and it is not aware of any local bank that has been granted access. More broadly, the government does not assume that it will always have early access to every frontier model. Instead, it maintains close working relationships with various partners on capability developments and safety and security implications. Senior Minister of State for Digital Development and Information Tan Kiat How, who said this in reply to parliamentary questions on Tuesday (May 5), stressed the need to understand the advances in capabilities enabled by Mythos to be part of a continuum. The issue is not any single model like Mythos, he said. The underlying shift is broader, the risks are real and the government is treating them with the seriousness they deserve, he added.
In his letter, CSA chief executive David Koh said new developments in frontier AI "demand board-level and CEO attention".
"Frontier AI is accelerating at a rate where current assumptions in cyber risk management, on which your controls, measures and incident response plans were designed, may no longer be valid," he wrote.
"Vulnerability discovery is becoming faster and cheaper."
The organisation's review should look at whether its current cyber risk assessment takes relevant account of AI-enabled threats, as well as whether visibility over critical systems, internet-facing assets, privileged access, cloud services and third-party dependencies remains sufficient.
It should also consider whether vulnerability management, patching, monitoring and incident response arrangements are fast enough, and if its use of AI is appropriately governed.
Organisations should also look at where AI can be used to augment current cybersecurity operations.
The review should be tabled at the appropriate board or executive governance risk committee, said Mr Koh.
“Where material gaps are identified, management should ensure that these are addressed through clear remediation plans and explicit risk acceptance decisions and where necessary, adjustments to cybersecurity investment priorities.”
He added that CSA will continue to monitor developments, publish further technical guidance and work with partners to strengthen Singapore’s collective cyber resilience.
Mr Tan said that the Monetary Authority of Singapore has convened the CEOs of major financial institutions to discuss the threat landscape and "drive collective action on technology and cyber resilience".
"Financial institutions are treating this with the seriousness it deserves and have been strengthening their posture," he added.
The government views AI-enabled cyber risk as an amplification of an existing systemic risk, rather than a new category, he said. Government agencies are also on the alert for cybersecurity risks due to AI.
NO ACCESS TO MYTHOS
CSA last month urged companies in Singapore to strengthen cybersecurity measures, citing the potential for increased risks from frontier AI models.
The advisory came days after Anthropic previewed Mythos amid a wave of hype over its capabilities.
The UK’s AI Security Institute has found that Mythos is more capable of being used for complex cyberattacks than other AI tools such as OpenAI’s ChatGPT or Google’s Gemini.
In its release of Mythos, Anthropic said it had already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.
Responding to a question from MP Louis Chua (WP-Sengkang), Mr Tan said that the government does not have access to Mythos.
Anthropic released it only to a limited set of partners under a controlled preview, and authorities are not aware of any local bank that has been granted access, he said.
“More broadly, we do not assume that we will always have early access to every frontier model,” he added.
Instead, the authorities maintain close working relationships with various partners, including major AI labs and cybersecurity firms, to track developments, as well as assess safety and security implications, he said.
"We are working with partners who have access to Mythos to better understand its capabilities and implications," Mr Tan added.
He added that CSA works closely with relevant government agencies and industry experts to exchange insights on the threats and mitigation measures. It is also reviewing standards and obligations for CII owners to account for the faster attack timelines that AI enables.
Mr Tan said that he has finished visiting all 11 CII sectors.
"I'm very heartened that all the senior leadership – from chief executives to board members – are aware of the risk and are taking steps. So they are not taking this lightly," said in response to a supplementary question from Mr Chua on how the government is directly supporting CII providers.
"They are putting in place not just processes, investments, to secure themselves and their systems, but also proactively thinking about how to secure their AI users in their organisations."
Under the Cybersecurity Act, CSA has the authority to direct and enforce action where necessary.
"On Mythos, specifically, without direct access, we cannot test the model ourselves. But we assess the risk based on published evaluations, threat intelligence and our ongoing engagement with the major AI labs," Mr Tan said.
“Where credible evidence emerges of a material risk to systems of national consequence, we work with and advise CII owners to patch and harden their systems. This is the approach we have used to date, and we will continue to do so.”
Responding to a supplementary question from MP Edward Chia (PAP-Holland-Bukit Timah) on how the government will ensure that small- and medium‑sized enterprises (SME) would not be left behind, Mr Tan said different resources have been deployed to support them.
These include a "self-check" on their systems and guidelines on how to deploy AI solutions within their organisations.
Mr Tan also cited initiatives like the SMEs Go Digital Programme, where authorities work with industry partners providing these technology solutions and pre-approve them for support. "We make sure that basic cybersecurity hygiene is baked into those systems," he said.
Ultimately, the issue is not any single model like Mythos, said Mr Tan.
He added: "The underlying shift is broader and the risks are real. We are treating them with the seriousness they deserve."
Sign up for our newsletters
Get our pick of top stories and thought-provoking articles in your inbox
Get the CNA app
Stay updated with notifications for breaking news and our best stories
Get WhatsApp alerts
Join our channel for the top reads for the day on your preferred chat app