Singapore is raising the stakes on safeguarding its critical infrastructures, and this is not just a bureaucratic update—it’s a seismic shift in how we understand accountability and preparedness. Board members of companies that operate essential services will no longer be able to sit on the sidelines, blissfully unaware of the intricacies and dangers lurking in cyberspace. By 2026, these leaders will be mandated to undergo rigorous cyber security training. This isn’t just an added checkbox; it’s a clarion call for a proactive stance on defending our nation’s backbone.
Imagine this: the very individuals who steer companies in vital domains—energy, healthcare, telecommunications, finance, media—will be expected not only to grasp the technical threats but to actively supervise and own their role in protecting critical information infrastructure (CII). This is not a casual recommendation; it’s a concrete requirement, part of an updated Cybersecurity Code of Practice that demands stronger, smarter oversight.
When Minister Josephine Teo spoke about granting chief information security officers direct access to the board, she underscored a fundamental truth: cyber threats aren’t abstract. They’re relentless, evolving, and go after the lifeblood of our infrastructure. You wouldn’t leave a key to your safe lying around, so why leave cyber doors open to ruthless threat actors aiming to disrupt essential services vital to millions?
One thing I’ve learned from numerous security drills and real-world incidents is that complacency breeds vulnerability. The Government’s decision to share classified threat intelligence with CII owners reflects a strategic pivot—facing threats as a cohesive unit, rather than isolated entities. This approach acknowledges that the cyber battlefield is fluid and complex. The offenders are sophisticated, state-sponsored, and often able to mask their moves behind layers of deception.
Reflecting on the annual Critical Infrastructure Defence Exercise, or Cidex, it’s evident how seriously Singapore takes this. Over 250 participants spanning 33 public and private organizations engage in simulated cyberattacks, testing and sharpening their defenses. I recall speaking with some of the defenders who felt the adrenaline rush of a simulated state-sponsored breach just like one targeting a virtual private network gateway—a stark reminder of how fragile our energy networks can be if left unchecked.
These scenarios bring to light a vital point: cyberattacks are no longer confined to the digital domain alone—they ripple outwards, disrupting physical systems. When the transport sector faced a simulated attack on traffic signalling, causing a virtual accident, it became clear how interconnected and fragile our critical services really are. Each sector is entwined with the others, and a breach in one network can cascade havoc across multiple vital services.
What stood out most in these real-time exercises was the indispensability of communication and intelligence sharing. It’s not just a luxury—it’s survival. Defence Minister Chan Chun Sing nailed it, emphasizing vigilance, unity of action, and resilience as our national watchwords. Keeping all players abreast of the latest threats isn’t enough if we do not act collectively. The strength of our defense is only as strong as its weakest link, making cross-sector collaboration a matter of national security.
Resilience—a term often thrown around lightly—takes on new weight here. It’s about bouncing back swiftly from setbacks, absorbing shocks, and emerging stronger. And it’s not an abstract concept; it’s highly practical. Your ability to recognize a breach, communicate it, contain damage, and restore operations directly impacts millions of lives who depend on these critical services daily.
Penalties for negligence serve as a potent reminder that security is everyone’s responsibility—from the boardroom down to the frontline defenders. The amendments to the Cybersecurity Act mandate that any outages or attacks with potential cross-border implications must be declared promptly. This transparency is non-negotiable. Remember, we are in an interconnected world where a ripple becomes a wave rapidly. Letting things slide isn’t an option—we pay dearly for inaction.
For those wondering about the skills required, Cidex offers hands-on experience in confronting advanced persistent threats pioneered by real-world actors. The involvement of industry giants like Google and Amazon Web Services ensures that the insights aren’t theoretical but battle-tested across different cloud environments. This blend of expertise and realistic threat simulation equips defenders with the knowledge of what they are truly up against.
Personally, participating in and observing such drills has reinforced that cyber security is a relentless pursuit. It demands constant vigilance, evolving strategies, and a mindset that expects the unexpected. In one exercise, a 20-strong team led by Major Chong Rong Hwa meticulously tracked attack vectors, differentiating benign activities from malicious intent—highlighting the painstaking attention to detail necessary in this field.
It’s easy to feel overwhelmed by the scale and complexity. Yet, this is precisely why Singapore’s approach is both commendable and necessary—building a cyber defense ecosystem where every stakeholder understands their role. The evolving threat landscape demands board members and frontline operators alike unveil the curtains on their cyber posture and own their defensive responsibilities.
Singapore’s updated code signals a bold move towards uncompromising cyber resilience. This is no ordinary compliance exercise; it’s a definitive stance that critical infrastructures are national lifelines that deserve elite protection. The lessons learned from Cidex and the robust enforcement mechanisms laid out in the Cybersecurity Act make one thing crystal clear: the era of cyber complacency is over.
In a world where digital and physical realms are inseparable, we either come together to defend or fall divided. The future of Singapore’s critical services relies not just on technology, but on leadership, unity, and the unyielding will to protect what matters most.