Mr Gerald Giam Yean Song asked the Minister for Defence (a) whether any of the apparently classified US military and intelligence documents that appeared online addresses Singapore; (b) how does the Government ensure that information and intelligence that it shares with other countries are not compromised by those countries; and (c) in the event of a leak of information, whether the Ministry has damage assessment and mitigation protocols in place to protect related sources, information and intelligence.
The Senior Minister of State for Defence (Mr Heng Chee How) (for the Minister for Defence): Mr Speaker, may I have your permission to answer Question Nos 16 and 17 together?
Mr Speaker: Yes, please.
Mr Heng Chee How: Thank you. Mr Speaker, with regard to the incident highlighted in the Members’ questions, no classified information from Singapore has been reported or detected so far. There were two pieces of information related to MINDEF contained in those “leaks”, but they are not sensitive and they are information that is already in the public domain, namely, that the SAF uses the SPYDER air defence system and that a British Defence Singapore Support Unit is located in Sembawang to provide support services to visiting vessels from Australia, New Zealand and Britain as members of the Five Power Defence Arrangements (FPDA).
The need to protect our secrets is paramount and is a perennial preoccupation of MINDEF and SAF. As the dictum goes, “loose lips sink ships” and even our country, too, if the plans and capabilities of SAF are compromised and our defences weakened.
Guarding our secrets securely requires a systemic approach and layers of safeguards, both physical and virtual – something that all defence establishments and militaries put into place to prevent leaks of important and vital information. I will assume that the Members’ questions relate more to protecting information online and will not deal with the protection of physical assets.
At the highest level of security, highly classified information is stored in air-gap systems with only internal connectivity and strict protocols for access and monitoring. This keeps the information secure but there is always a trade-off which impacts on efficiency for the organisation. Apart from productivity, classified information needs to be shared when plans are reviewed or when dealing with quick cycle events where information is needed expeditiously. All defence organisations face this conundrum through levels of classification in order to strike that balance between protection and utility.
When dealing with external parties or external partners, whether they be commercial or government-to-government, there are agreements for protection and handling of classified information and mutual obligations to protect both parties’ classified information. But there is a limit despite these agreements in which MINDEF/SAF can control or compel standards of protection in their systems. Therefore, their security standards form an integral part of the assessment when MINDEF awards contracts. In some cases, companies assessed to have inadequate security standards have been dropped from consideration even when their products may be superior or competitively priced.
In all systems, even ones with the most stringent protection, humans are a potential source and cause for leaks. Attempts to enter into secure systems by exploiting the vulnerabilities of selected individuals with access, using phishing emails or other means are an everyday occurrence. Proactive steps are taken to educate our personnel to mitigate against this vulnerability. MINDEF/SAF has also a cyber-monitoring centre that is stood up to detect malware and other threats posed online.
When security breaches occur, there are established processes in place to thoroughly investigate and ascertain the information compromised and the extent of the damage incurred. The causes of the breach are also examined and mitigating or improvement measures will be implemented, as necessary.
Ministry of Defence
21 April 2023