AI, CYBERSECURITY AND PUBLIC POLICY

SCOPE OF PRESENTATION

1. Digitalization and Digital Transformation

2. Internet and Challenges of Digitalization

3. Artificial Intelligence (AI)

4. Cybersecurity

5. Conclusion
 WHAT IS DIGITAL TRANSFORMATION?

Use technologies like AI to

Digital Transform the processes using digital
technologies so as to bring new value
Transformation
to customers and beneficiaries.
predict which designs the client
likes. Allow client to interact with
the design using AR/VR to
review/modify. Loop back into AI
engine to improve.

Processes leveraging on digitized data Inputs from clients. Search

Digitalization and technologies. E.g., generate digital design databases, create
records base on inputs. designs digitally.

Physical objects like reports, receipts

Digitization Design Co. Produce design
etc.. are turned into digital
drawings and digitize these.
representations.
TECHNOLOGIES FOR
DIGITAL
TRANSFORMATION :

ARTIFICIAL INTELLIGENCE (AI)

INTERNET-OF-THINGS (IOT)

BLOCK CHAIN

CLOUD COMPUTING

5G
DEPLOYMENT OF DIGITAL TECHNOLOGIES

• Commercial companies.
• Sectors :
• Banking and Finance
• Transport
• Logistics
• Health Care
• Education
• Energy
• Water
• Defence
• Government
 SMART CITIES, SMART NATIONS
Cities, districts, provinces and nation states now want to
reap the benefits of digitalization for their communities.

Birth of the idea of smart cities and smart nations.

A smart city uses information and communication
technology (ICT) to improve operational efficiency,
share information with the public and provide a better
quality of government service and citizen welfare. ...
The value lies in how this technology is used rather than
simply how much technology is available.
Smart cities use IoT devices such as connected
sensors, lights, and meters to collect and analyze
data. The cities then use this data to improve
infrastructure, public utilities and services, and more.

IMPROVE THE QUALITY OF LIFE FOR THEIR COMMUNITIES.

Internet – Enabling Technology
 KEY FEATURES OF THE INTERNET

• Connected computers.
• Standard and protocols established.
• Pave the way for communications between computers.
• First application - email.
• Gradually other commercial applications were developed riding on the Internet.
• Who governs the Internet?
• Who runs the Internet? Who is co-ordinating the activities in cyberspace?
• Largely a system running on trust without any top-down co-ordination.
• Hence, there are risks associated with being on the Internet.
• Biggest risk facing important users such as government and companies is cybersecurity.
 CHALLENGE OF DIGITALIZATION

• Benefits of digitalization are clear to all. • But there are dangers.

• Improved productivity, efficiency. • Cyber espionage.

• New products and services. • Cyber terrorism.

• Growth opportunities. • Cyber attacks.

• Higher quality of life for the communities. • Cyber warfare.

• To reap the benefits of digitalization you need cybersecurity.

• Cybersecurity enables Digitalization.

 IMPLICATIONS FOR PUBLIC POLICY

• Countries and commercial companies want to harness the benefits of emerging digital technologies.

• The Covid-19 pandemic has made this an imperative – a must have and not good to have.

• But there is a dark side.

• These technologies are not perfect.

• These imperfections can lead to unintended outcomes. Sometimes fatal.

• And risks associated with being connected to the Internet.

• So what can governments do? Regulations ?

DISCUSSION ON ARTIFICIAL INTELLIGENCE (AI)
WHAT IS
ARTIFICIAL
INTELLIGENCE
(AI) ?
WHAT IS • Science of making machines smart.

ARTIFICIAL • Using algorithms to solve problems.

INTELLIGENCE
• Search engines, shopping, digital assistants, astronomy.
• Fraud detection to climate change.

(AI)? • Machine Learning – vast amount of data.

• AI lacks broad intelligence.
• Questions :
• Jobs affected.
• Unintentional bias in AI systems.
• Technology can answer these questions.
• But, society and people need to decide.
 • Artificial intelligence (AI) refers to systems that
display intelligent behaviour by analysing their

WHAT IS environment and taking actions – with some

ARTIFICIAL degree of autonomy – to achieve specific goals.

INTELLIGENCE • AI-based systems can be purely software-

(AI)? based, acting in the virtual world (e.g., voice

assistants, image analysis software, search
engines, speech and face recognition systems)

• AI can be embedded in hardware devices (e.g.,

advanced robots, autonomous cars, drones or
Internet of Things applications).
DIFFERENT TYPES OF AI
APPLICATIONS
SOME EXAMPLES OF CHALLENGES OF AI DEPLOYMENTS
APPLICATION IN
CREATING DEEP
FAKES
SOME CONCERNS WITH AI DEPLOYMENTS

• Governance.

• Privacy and Cybersecurity

• Legal Liability

• Ethics and Transparency

• Biases in data and algorithms.

 KEY TAKEAWAYS FOR AI

• Make machines smarter at solving problems.

• Efficient at analysing vast amount of data.
• Existing applications in search engines, online shopping recommendations
and digital assistants.
• Endless possibilities – fraud detection, climate change.
• Improve the human condition.
• But some limitations in what these systems can do.
• Lacks broad intelligence.
• Bias and discrimination against certain groups.
• Job losses
• Social inequalities.
• However, technology can help to solve these problems.
• But also need people and society to address how AI systems should be
used.
 • Pervasiveness of AI applications raises a number of ethical
concerns.
• Concerns of discriminatory behaviour based on algorithms.
• Lack of fairness.
• Limited safety for humans.
• Absence of transparency about how the software operates.
AI ETHICS • Poor accountability for AI outcomes.
• This has led to many governments, nongovernment entities,
corporate organizations, academics and groups of individuals
putting forward declarations/guidelines on the need to
protect basic human rights in AI and machine learning.
AI ETHICS – RECAP
 • In 2018, 26 countries had created national AI strategies. Many
mention ethics but these are often just a general declaration
that rights should be preserved.
• Ethical frameworks have been developed by the UN, OECD and
Council of Europe.
• European Commission published guidelines in 2019 following
expert opinion of the idea of “Trustworthy AI”.
AI ETHICS – • US (Jan 2020) released a list of ten principles that federal
RESPONSES agencies should follow when developing rules for artificial
intelligence.
• Singapore released a Model AI Governance Framework
(2019,2020).
• Industry association, Singapore Computer Society (SCS)
released in 2020 a Book of Knowledge to guide AI deployment
by industry.
EXAMPLES OF NATIONAL RESPONSES TO AI
 EC JOURNEY ON AI REGULATIONS

• In 2020 : White Paper for “high-risk” AI.

• In 2021 : AI regulations using a risk-based approach.
EU
GUIDELINE
Unacceptable
Risk
Clear threat to safety, livelihoods and rights of people :
Banned
SHigh
FOR Risk AI Strict obligations.

DEPLOYME
Limited Risk Specific transparency obligations. For example user should
be aware that you are interacting with a machine.

NT (2020)
Minimal Risk Free use of AI applications like video games or spam filters.
Scope Covers all generations of AI applications. Burden on AI
providers in the EU irrespective of where the provider is
located.
Prohibitions Physical or psychological harm, Exploitative especially of
vulnerable groups, Social scoring for general purposes by
public authorities, Real-time biometric identification systems
in public.
 EC AI REGULATIONS FOR HIGH RISK APPLICATIONS

Areas • Critical infrastructures.

• Educational or vocational training.
EU •
•
Safety components of products.
Employment, workers management and access to self-
GUIDELINE •
employment.
Essential private and public services.
S FOR AI•• Law enforcement.
Migration, asylum and border control management.
DEPLOYME • Administration of justice and democratic processes.
Obligations • Adequate risk assessment and mitigation systems.
NT (2020)•• High quality of datasets.
Logging of activity to ensure traceability of results.
• Detailed documentation.
• Clear and adequate information.
• Appropriate human oversight.
• Robustness, security and accuracy.
SINGAPORE MODEL AI GOVERNANCE FRAMEWORK
EXAMPLES OF AI DEPLOYMENTS USING
SINGAPORE’S MODEL FRAMEWORK
 1. EXAMPLE OF AI DEPLOYMENTS – IBM MFG SOLNS

• AI solution for quality assurance of its products.

• Collaboration between AI Singapore and IBM.

• Take a human-over-the-loop approach : Engineers would only review the product batches that were
flagged out by the AI model as high risk

• Engineers able to prioritize their inspection, focus on high-risk product batches and make the final
judgement call on whether to release the batches for sale into the market.

• Team worked to ensure that the datasets used to train the AI model are as representative as possible
of the intended population in order to reduce inherent bias.

• Team walked together with engineers to ensure a common understanding of the datasets used to develop
the AI solution.

• Team also shared a detailed and modularized code with accompanying documentation in a final repository
for accountability purposes.
1. EXAMPLE OF AI DEPLOYMENTS – IBM MFG SOLNS

• Two key evaluation metrics are used to determine the performance of the AI
model:

• Consistency of prediction compared to actual defect rate. The AI model

achieved 85% of prediction, higher than the specification of 80%.

• Time saved for IBM QA engineers — The prediction model was able to
identify products that had high risks of defects and reduce the average
time of 30 minutes spent by QA engineers to just few minutes.

• Better detection of product defects and assurance of quality products for sale
will lead to greater customer satisfaction and confidence.
 2. EXAMPLE OF AI DEPLOYMENTS - RENALTEAM

• Provider of haemodialysis services.

• Collaborated with AI Singapore to develop an AI solution to help its trained nurses who carry out
dialysis treatment for patients.

• Aim is to predict hospitalization risk of the patients. Hospitalization means the patient has
advanced kidney failure.

• Predictive ability can help in early medical intervention.

• Team jointly agreed to adopt a human-in-the-loop decision-making approach, where the trained
nurses would make the final call on whether to proceed with the AI solution’s recommendation.

• RenalTeam’s nurses can use the AI model as a support tool for a second opinion.

• This approach can help to minimize incidents.

• Final decision on whether a patient should be hospitalized still lies with the trained nurses.
 2. EXAMPLE OF AI DEPLOYMENTS - RENALTEAM
• Patients’ data were anonymized before being used to train the AI
model.

• Team conducted a model validation exercise.

• Over the period of one month, the nurses assessed their patients,
made their own predictions and recorded them down.

• At the end of the month, AISG used the same patients’ data and ran
them through the AI model.

• The nurses’ predictions and AI predictions are then compared against

whether the patients were hospitalized (which is the ground truth).

• Based on the results, the AI model performed 36% better in precision

(i.e., less false positive predictions).

• Hence confidence in implementing the AI solution to improve the

• quality of care for its patients.
DISCUSSION ON CYBERSECURITY
 What is Cybersecurity?
Cybersecurity is the protection of Cybersecurity is primarily about people,
Internet-connected systems, including
hardware, software, and data from cyber processes, and technologies working
attacks.
together to encompass the full range of
It is made up of two words one is cyber
and other is security. threat reduction, vulnerability reduction,

Cyber is related to the technology which deterrence, international engagement,

contains systems, network and programs
or data. incident response, resiliency, and

Whereas security related to the protection
which includes systems security, network
security and application and information
security.
recovery policies and activities, including
computer network operations, information
assurance, law enforcement.
 Cybersecurity Goals – “CIA”
Confidentiality :
Keeping the data private
as information has value.
Supported by technical
tools such as encryption
and access control as well
as legal protections.
Integrity :
System and data have not been
improperly altered or changed
without authorization.
Subtlely makes it a frequent
target for the most sophisticated
attackers.
Ex. Stuxnet
Availability :
Able to use the system as
anticipated.
It becomes a security issue when
and if someone tries to exploit the
lack availability in some way.
An attacker could do this either by
depriving users of a system (e.g.,
GPS) or by merely threatening the
loss of a system – “ransomware”.
 Types of Cyber Attacks

Web-Based Attacks
System-Based Attack

1.Injection Attacks
1. Virus
2. DNS Spoofing
3. Session Hijacking 2. Worms
4. Phishing 3. Trojan Horse
5. Brute Force
4. Backdoors
6. Denial of Service
7. Dictionary Attacks 5. Bots
8. URL Interpretation
9. File Inclusion Attack
10. Man-in-the-Middle Attack
Examples of Cyber Attacks
Examples : SolarWinds cybersecurity breach in the
US

Russian hackers breaking into

the Texas software company
SolarWinds.

The hackers then sent corrupted updates

to customers including the State,
Treasury, Commerce and Homeland
Security departments…
 Response by the US Govt.

US Elections Solar Winds

..damaged
centrifuges
at its largest
uranium
enrichment
plant,..
Thursday March 11, 2021
The Straits Times
RECENT EXAMPLE OF HACKING
Center for Strategic and International Studies –
Significant Cyber Incidents Since 2006

June 2011. Citibank

reported that credit
card data for 360,000
of its customers were
exfiltrated using a
relatively simple
manipulations of
URLs.
 March-April 2011.
Hackers using
phishing techniques
in attempt to obtain
data that would
compromise RSA’s
SecureID
authentication
technology. The data
acquired was then
used in an attempt to
penetrate Lockheed
Martin’s networks.

October 2010. Stuxnet, a

complex piece of malware
designed to interfere with
Siemens Industrial Control
Systems, was discovered in
Iran, Indonesia and
elsewhere, leading to
speculation that it was a
government cyber weapon
aimed at the Iranian nuclear
program.
July 2018.
Singapore’s
largest healthcare
institution was
targeted by state-
sponsored
hackers, leading to
the leakage of
personal
information for 1.5
million patients,
along with
prescription details
for 160,000 others.
 RANSOMWARE ATTACK

• Computers locked by hackers.

• Demand payment.
• Allegedly they were paid !
 SPYWARE ATTACK
• Pegasus : zero-click exploit.

• Can theoretically harvest any data from the device

and transmit it back to the attacker.

• Can steal photos and videos, recordings, location

records, communications, web searches, passwords,
call logs and social media posts.

• Has the capability to activate cameras and

microphones for real-time surveillance without the
permission or knowledge of the user.
 Types of Cyber Attackers
• An attacker is an individual or organization who performs the malicious activities to destroy,
expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an
asset.

• As the Internet access becomes more pervasive, and more people spends more time on the
web, there number of attacker grows as well.
 Cybersecurity Goals
Confidentiality : Integrity :
Keeping the data private System and data have not been
as information has value. improperly altered or changed
without authorization.
Supported by technical
tools such as encryption Subtly makes it a frequent target
and access control as well for the most sophisticated
as legal protections. attackers.
Ex. Stuxnet
Availability :
Able to use the system as
anticipated.
It becomes a security issue when
and if someone tries to exploit the
lack availability in some way.
An attacker could do this either by
depriving users of a system (e.g.,
GPS) or by merely threatening the
loss of a system – “ransomware”.
Tools for “CIA”

Backups

CheckSums
Physical Protection
Data Correcting Codes
Computational Redundancies

Integrity Tools Availability Tools

Cybersecurity – Key Elements of a Strategy

• Prioritize information assets base on risks.

• Provide differentiated protection for the most important assets.

• Integrate cybersecurity into enterprise-wide risk management and

governance processes.

• Enlist frontline personnel to protect the information assets they use.

• Integrate cybersecurity into the technology environment.

• Deploy active defences to engage attackers.

• Test continuously to improve incident response.

 Cybersecurity – Strategy
Resilient Systems
• Expect intrusions – “Intrusion tolerance”.
• Capacity to work under degraded conditions.
• Ability to recover quickly.
• Adapt and learn.
Security-by-Design
• Security is placed at the front.
• Not a control function.
• Design against future attacks.
• Seeks to inspect security in.
Risk-Based Approach
• Plan for technology or equipment failure or loss from
adverse events, both natural and human-caused.
• Evaluate potential risks in evaluating to move forward
with the project.
• Identify the impact of and prepare for changes in the
enterprise environment.
• Anticipate and reduce the effect of harmful results
occurred from adverse events.
Integrate Across All Processes
• Pervasive.
• Embedded in all processes.
• Everyone’s responsibility.
 Cybersecurity : Critical Infrastructures
• Critical infrastructures (CI) can be defined as :
• systems that are so vital to a nation that their incapacity or destruction would have
a debilitating effect on national security, the economy, or public health and safety.
• underlying sectors that run our modern-day civilization, ranging from agriculture to
food distribution to banking, health-care, transportation, water and power.
• each of these once stood apart but are now all bound together and linked into
cyberspace via information technology.
• And most countries have defined their own CI depending on their national context; in
most cases, these include both core Internet and, more widely, ICT infrastructures
(such as telecommunications networks), and transport, energy, and other key
infrastructures that are more and more relying on ICTs
 Critical Information Infrastructure (CII)

1. Government 2. Healthcare 3. Banking and Finance

4. Energy 5. Water 6. Security & Emergency

 Critical Information Infrastructure (CII)

7. Land Transport 8. Aviation 9. Maritime

11. Media
10. Telecommunications
 Cybersecurity Policy

• Cybersecurity framework includes policy principles, instruments, and

institutions dealing with cybersecurity.

• It is an umbrella concept covering (a) critical information infrastructure

protection (CIIP), (b) cybercrime, and (c) cyberconflict

• At national level, a growing volume of legislation and jurisprudence deals

with cybersecurity, with a focus on combating cybercrime, and more and
more the protection of critical information infrastructure from sabotage and
attacks as a result of terrorism or conflicts.

• It is difficult to find a developed country without some initiative focusing on

cybersecurity.
Summary - Components of a National Strategy

• Protection of Critical Information Infrastructure (CII)

• Reporting of Incidents and Information Sharing

• Simulation and Exercises

• Capacity Building – Domestic, Regional, International

• Engagement – Community, Industry, International

• Response and Attribution

 Singapore Cyber Security Strategy
• Created a Cybersecurity Agency
of Singapore (CSA) – one stop
agency dealing with cybersecurity
challenges.
• Passed a Cybersecurity Act –
powers to act and intervene in the
case of an attack.
• Protection of key Critical
Information Infrastructures (CIIs) –
main focus of CSA
• Conduct annual exercises with
CIIs.
• Provide updates on the cybersecurity
landscape in Singapore.
• Evolve a licensing framework for providers.
• Identify key areas for licensing such as IOT
devices.
• International engagement. Help shape a safe
and secure cyberspace.
• Information sharing with key partners. Learn
from each other the nature and types of
attacks.
• Capacity building. Provide training program for
officials in the region.
 CSA CYBERSPACE
LANDSCAPE REPORT
2020
 Singapore Cyber Security Strategy – 4 Pillars
Building a Resilient Infrastructure
• protection of essential services,
• decisive response to cyber threats,
• security of government networks, and
• strengthening cybersecurity legislation
Creating a Safer Cyberspace
• working closely with agencies to combat
cybercrime,
• enhance Singapore’s standing as a trusted hub,
and
• promote collective responsibility;
Developing a Vibrant Cybersecurity
Ecosystem
• focusing on cultivation of a pool of skilled
professionals,
• building up technologically advanced companies,
and
• strengthening research collaborations
Strengthening International
Partnerships
• spanning international and regional
cooperation,
• capacity building, and
• exchanges on issues such as norms and
legislation.
 Critical Information Infrastructure (CII) – 3-Tiered Model
National level, CSA sets :
• cybersecurity policies and standards,
• ensure compliance, and
• coordinate incident response to cyber incidents.

Sectoral level, :
• CSA works closely with the sector leads of the 11 key CII sectors.
• Sector leads will work with their respective operators on policy formulation,
and to manage operational response and encourage reporting of incidents;

Ground level,
• the individual organisations are responsible for incident response and recovery.
 Example : Sector Leads and Members

• Sector : Banking and Finance

• Sector Lead : Monetary Authority of Singapore (MAS)

• Members : All banks and financial institutions.

• CSA works with MAS

• MAS oversees all the members

 Safe Cyberspace Masterplan 2020 – Strategic Thrusts

• Securing our core digital infrastructure;

• Safeguarding our cyberspace activities
• Secure 5G networks
• Update Multi-Tier Cloud Security • Strengthen malicious cyber detection
• Introduce Cybersecurity Labelling Scheme capabilities.
(CLS) • Help enterprise do better
• Encourage enterprise to use National Digital
Identity’s trusted services.

• Empowering our cyber-savvy population

• Resources and toolkit for enterprise

• Voluntary SG Cyber Safe Trustmark
• GoSafeOnline Community Outreach Program
Examples of Recent Efforts in Cybersecurity
 PUBLIC AWARENESS

• Share information about risk associated with

connected devices (in this case).

• Share possible remedies.

• Empower the public to take action

Cybersecurity Innovation
 SYSTEM
TESTING

• Government agency relying on

public to test its system.

• Bug bounty program.

• Clear incentives.
Engagements – Regional, International
 Engagements for Cybersecurity at ASEAN

• Facilitate dialogue among ASEAN to address cybersecurity.

• Hosts the annual Singapore International Cyber Week (SICW), started in 2016.

• SICW brings together

• government officials from the region and beyond,
• as well as industry representatives,
• academics and
• NGOs to discuss cybersecurity through a multi-stakeholder approach.

• Conduct training programs for officials in ASEAN

 International Engagements for Cybersecurity

• Cybersecurity is a transboundary issue.

• Importance of forging strong partnerships, both internationally and

regionally, to work towards a more resilient and secure cyberspace.

• Rules-based international order in cyberspace.

• A rules-based order would give all states, big or small, the confidence,
predictability and stability that is essential for economic progress, job
creation and technology adoption.
COMMITMENT TO A RULES-BASED ORDER

CONTRIBUTE TO ITS DEVELOPMENT

 AI, CYBERSECURITY AND PUBLIC POLICY –
CONCLUSION

• Digital technologies like AI and cybersecurity are

inter-twined.
• Policies and regulations are needed.
• How extensive?
• Balance regulations with innovation.
• The best outcome :
• Everyone reap the benefits of digitalization.
• Everyone feel safe in the digital world.
• Everyone feel empowered with digitalization.
“The power of AI to serve people is undeniable, but so is AI’s
ability to feed human rights violations at an enormous scale
with virtually no visibility. Action is needed now to put human
rights guardrails on the use of AI, for the good of all of us.”
— Michelle Bachelet, the UN’s human rights chief, in rolling out
a new report on AI.
AI, CYBERSECURITY AND PUBLIC POLICY

Q&A
Thank you.