Cybersecurity: Essential Practices You Need - Bizruption Asia

When Knowing Who Attacked Matters Less Than Staying Neutral

The Bizruptor Investigators — Fri, 26 Dec 2025 06:11:38 +0000

When Singapore’s Coordinating Minister for National Security stood before parliament in July 2025 to announce that cyber espionage group UNC3886 had actively targeted the nation’s critical infrastructure, he was methodical. He named the threat group. He detailed their tactics. He confirmed they’d breached systems. But when pressed about which nation-state sponsored the attacks, K. Shanmugam’s response was deliberately measured: he wouldn’t go there.

This wasn’t evasiveness. It was a calculated strategy.

Muhammad Faizal Abdul Rahman, Research Fellow at S. Rajaratnam School of International Studies (RSIS), in an interview with Yahoo Singapore, explained the distinction: “Countries that consider themselves neutral or non-aligned may prefer technical attribution over political attribution.” Technical attribution points to the perpetrator using forensic evidence. Political attribution pins blame on the nation-state believed to be behind them.

Put simply: Singapore knows who’s attacking. It’s sharing that intelligence privately with critical infrastructure operators. But publicly naming state sponsors? That’s a geopolitical tripwire Singapore won’t touch. For now.

Here’s why this matters: the careful balancing act between knowing and saying is getting exponentially harder to sustain. And the boardrooms caught in the middle are about to face governance dilemmas they haven’t prepared for.

The Intelligence-Sharing Paradox

Participants from the DIS, Cyber Security Agency of Singapore and 11 Critical Information Infrastructure sectors at CIDeX 2025, held at the Sin. Photo: mindef.gov.sg

In October 2025, Singapore’s Ministry of Defence established the Digital Defence Hub, announcing it would share classified threat intelligence with organisations operating critical infrastructure across banking, energy, telecoms, water and healthcare. The timing wasn’t coincidental. APT attacks targeting Singapore quadrupled between 2021 and 2024, according to the Cyber Security Agency.

But here’s where it gets complicated for boards. You’re now receiving classified government briefings about state-sponsored threat groups targeting your systems. You know their tactics, their tools, their objectives. The intelligence is specific enough to inform your defence strategy. Yet you can’t publicly acknowledge who’s attacking without contradicting Singapore’s diplomatic positioning.

What happens when your institution gets breached using the exact malware the government warned you about privately? Do you disclose to shareholders that you had advance warning? Do you explain to regulators why certain defences were prioritised without revealing classified briefings? How do you navigate fiduciary duties to investors whilst respecting national security sensitivities?

Most boards haven’t developed frameworks for this. Corporate governance training doesn’t typically cover handling classified intelligence whilst meeting transparency obligations to shareholders. That gap is about to become quite expensive.

When Insurance Meets Geopolitics

The insurance dimension makes this messier. Most cyber insurance policies exclude coverage for war and state-sponsored attacks due to systemic risks, according to analysis from Lloyd’s of London. But here’s the catch: exclusions typically require proving state attribution.

If Singapore shares classified intelligence privately indicating state sponsorship but maintains public diplomatic neutrality, does the war exclusion apply? Insurance companies and policyholders could litigate this ambiguity for years.

The precedent everyone’s watching: Merck’s NotPetya case, where courts ruled a massive state-sponsored attack wasn’t excluded under war clauses because the specific policy language didn’t clearly define cyber warfare. Insurers responded by updating exclusions. But ambiguous attribution still creates grey zones.

For institutional investors assessing Singapore-based portfolio companies, this creates valuation puzzles. Your critical infrastructure holdings might have world-class cyber defences and receive classified threat warnings. But do they have viable insurance coverage if attacks escalate? The answer depends on attribution mechanisms that are deliberately kept ambiguous for diplomatic reasons.

That’s not a risk most investment committees have stress-tested yet.

The Pressure Intensifying

Singapore’s neutrality strategy works brilliantly during relative stability. But the geopolitical environment is becoming increasingly unstable. Taiwan tensions haven’t dissipated. South China Sea disputes continue simmering. US-China technological decoupling is accelerating, not slowing.

Western cybersecurity firms like Mandiant already publicly attribute UNC3886 to China-linked operations. These firms hold significant US government contracts, creating commercial and political incentives for explicit attribution. If Singapore institutions rely on these firms for defence whilst the government maintains public ambiguity, the operational contradiction becomes harder to manage.

What happens when the Five Eyes intelligence partners make intelligence-sharing conditional on public attribution? What happens when China seeks assurances that intelligence-sharing arrangements don’t constitute strategic alignment with Washington?

For regional investors, the implications cascade. If ASEAN’s most sophisticated cyber defence operator faces these attribution dilemmas, how do Indonesia, Malaysia, Thailand and Vietnam navigate similar pressures with even less diplomatic leverage and technical capacity?

When Your Insurance Won’t Pay After State Attacks

Most cyber insurance policies exclude state-sponsored attacks due to systemic risks. But here’s the operational problem: exclusions require proving state attribution.

⚠ The Problem

If Singapore shares classified intelligence privately indicating state sponsorship whilst avoiding public political attribution, does your policy’s war exclusion apply?

Insurance companies and policyholders could litigate this for years.

📋 Precedent

Merck / NotPetya

Courts ruled their NotPetya losses from a state-sponsored attack weren’t excluded because policy language didn’t clearly define cyber warfare.

Insurers have since updated exclusions, but ambiguous attribution still creates disputes.

🇸🇬 For Singapore Institutions

You might implement defences, suffer breaches anyway, then discover insurance won’t pay because private intelligence does not equal public attribution requirements in your policy language.

The Less Talked-About Mercenary Factor

There’s another layer complicating everything. As Faizal noted to Yahoo Singapore, nation-states increasingly use cybercriminals as “deniable tools of state power” – functioning exactly like physical mercenaries who provide plausible deniability in traditional warfare.

The same malware appears in both state-affiliated espionage operations and purely criminal ransomware attacks. Attribution lines are deliberately blurred. When your institution gets breached, determining whether it’s state-sponsored espionage, criminal extortion or state-contracted criminals masquerading as independents fundamentally changes everything: insurance coverage, regulatory obligations, diplomatic implications, law enforcement jurisdiction.

Yet attackers design operations specifically to make definitive attribution impossible. And governments like Singapore maintain strategic ambiguity that reinforces this uncertainty.

What Boards Need Now

The November 2025 Critical Infrastructure Defence Exercise brought together over 250 participants from all 11 critical infrastructure sectors, demonstrating Singapore’s cross-sector coordination capability. The technical defences are advancing and the intelligence-sharing mechanisms are operational.

The Singapore Cyber Landscape 2024-2025 publication reviews Singapores cybersecurity situation against a dynamic backdrop of rapid digitalisat. Photo: Cyber Security Agency of Singapore (csa)

But the governance frameworks haven’t caught up. What’s needed now: protocols for boards handling classified intelligence that satisfy both national security requirements and corporate transparency obligations. Insurance products that address the grey zone between technical and political attribution. Regional coordination frameworks so ASEAN institutions aren’t navigating these tensions in isolation.

For investors, the analytical framework becomes clearer: cyber risk assessment, moving forward, requires understanding geopolitical positioning alongside technical capabilities. Portfolio companies in Singapore face fundamentally different risk profiles than those in jurisdictions that publicly attribute attacks or those that avoid intelligence-sharing entirely.

Smart portfolio managers should be stress-testing for scenarios where diplomatic neutrality becomes untenable. What happens to Singapore-based financial institutions if US-China tensions force clearer alignment? How do supply chains absorb disruptions if intelligence-sharing arrangements fracture along geopolitical fault lines?

The Calculation That’s Getting Harder

Singapore has built something sophisticated: technical precision without political escalation. Advanced intelligence capabilities without diplomatic commitments. The strategy has worked remarkably well.

But strategic ambiguity has limits. When cyber-attacks escalate from espionage to infrastructure disruption, neutrality becomes harder to justify. When allied nations demand public solidarity against specific threats, silence becomes conspicuous. When boards need to explain breaches to shareholders, ambiguity creates legal liability.

The question for 2026 isn’t whether Singapore’s approach will face intensifying pressure. It will. The question is whether the institutions receiving classified intelligence – banks, utilities, telecoms, healthcare providers – have developed the governance frameworks needed when diplomatic neutrality collides with operational transparency.

Right now, most likely haven’t. And that gap between sophisticated national strategy and corporate readiness is about to become very expensive for everyone caught in the middle.

Singapore’s attribution challenge reveals something larger emerging across Southeast Asia: the maturation of a cyber mercenary economy that deliberately blurs every line.

Research from RSIS highlighted in the Yahoo Singapore interview shows nation-states increasingly contract cybercriminals as “deniable tools of state power.”

The same malware, the same tactics, the same infrastructure appears in both state-affiliated espionage operations and purely criminal ransomware attacks.

⚠ For ASEAN Boardrooms

When your institution suffers a breach, is it:

State-sponsored espionage requiring diplomatic response

Criminal ransomware requiring law enforcement

State actors masquerading as criminals

Criminals contracted by states

The answer fundamentally changes insurance coverage, regulatory obligations and diplomatic implications. Yet attackers design operations specifically to make that answer incomprehensible.

2026

Expect Maturation

States contract more freelance hackers for deniability

Criminal groups sell infrastructure access to intelligence services

Attribution lines blur deliberately and systematically

ASEAN institutions will confront the reality that proving “who” attacked matters less than acknowledging they cannot definitively establish attribution using evidence that courts or insurers will accept.

The post When Knowing Who Attacked Matters Less Than Staying Neutral appeared first on Bizruption Asia.

Beating Cyber Disruption Means Getting Back to Basics

The Bizruption Team — Wed, 19 May 2021 11:57:11 +0000

Cybersecurity is as important for protecting businesses as buying home insurance is in typhoon-prone areas. Security breaches are a reality of business that many company leaders would rather avoid. Attack methods and technologies to stop it have become more sophisticated with every passing year. The pandemic has heightened awareness of cybersecurity threats as companies adopted new technologies rapidly and corporate networks were suddenly being accessed from outside the company’s firewall on employees’ personal devices.

Yet, as we learned from a recent conversation with Benjamin Ang, a senior fellow at Nanyang Technological University, cybersecurity remains underfunded or overlooked in the grand scheme of what is required to protect an enterprise and generate growth. Ang spends his time looking at cyber issues from a 10,000 ft view. He digs into the policy aspects of international and national cybersecurity to increase understanding of how disinformation online, international cyber or nation state attacks, and the security of advanced technologies disrupt the real world. From this perspective, the reasons for nations, enterprises and individual consumers securing their data and systems within networks become clear.

However, if you read the business news regularly, you may come away with a picture of a high stakes war with invisible threats and a global talent shortage to address it. Enterprises continue to underspend on areas that may protect them most. Although 47% of Asia-Pacific executives reported in a survey that they plan to increase data security spending in the next 12 months, it comprises less than 15% of typical IT security budgets. The primary focus remains on network security for 37% of enterprises followed by data and application security. Additionally, the consequences of not notifying the public quickly about incidents are escalating – at least in Europe. Yet, Benjamin’s response to that is to offer good news; protecting your business is not as complicated as it seems.

In his view, not enough businesses are implementing practices to be aware of the risks, ensure proper access to IT networks and keep employees trained to reduce the success of breach attempts. The current environment has also led some company leaders to cut corners when it comes to what they perceive as non-core expenses. Their timing could not be worse. Cyber threats and incidents have intensified with attackers adapting to people’s fears around COVID-19 and exploiting vulnerabilities brought to light by digitalisation.

Managing Cyber Disruption

Ang cautioned that leaders holding their business together in this manner need to enter a new phase. That includes getting back to some basic tenets of security by making sure that all employees working at home are provided with the right devices and are thoroughly educated about cyber risks on a continual basis.

“Giving your employees devices and proper access actually makes them more productive, and can also help the bottom line. If your employees are often on calls, but they are in a noisy home environment like most of us are with kids or other family members working from home, can you provide them with a headset and a mic so that they can make a sales call properly? Maybe that helps them to close the deal. Can you provide them with a computer that is going to allow them to pull up the information faster because it’s not creaking at the seams or doesn’t keep crashing out of Zoom calls? These things will in the end, add up.”

It also means helping your employees access the corporate network safely. Ang noted that companies can guide employees in setting up a safe Wifi network at home, but should also consider other places employees may set up their laptop to work.

We can’t take it for granted that everybody’s got the access to be able to do things from home.

If your employees are escaping noisy homes to get some work done at a cafe or to get a reliable internet connection, they could be putting your company at greater risk. Benjamin said business owners should consider what documents their employees are accessing from public places.

“Should your employees be working on confidential documents where everybody can just walk by and see it?”

Despite the potential threats, Ang said business leaders who think about these factors when protecting their company’s data are in the minority. Even large enterprises are still guilty of setting basic passwords to servers in spite of the amount of information available explaining why setting strong passwords is important.

“You can avoid certain more basic things like having unsafe passwords, or employees sharing passwords around, or having passwords in a visible place. These kinds of things still matter, because it is terrifying how many breaches happen because of these basics.”

Benjamin recommends that business owners devise a security backup plan and invest in more IT hardware with the guidance of security experts, especially if there is no dedicated expert on staff. These steps pay off in the long run because your business is not helpless if a breach occurs.

“You either pay upfront, or you pay later when customer data is stolen, there is a ransomware attack, or you get fined from the Personal Data Protection Commission for a data leak. Then your business grinds to a halt for a day, two days, a week, which could actually wipe out some businesses.”

We know that cyber threats will continue to loom over enterprises, especially with the accelerated pace of digitalisation. Establishing or reinforcing basic security processes can mean the difference between focusing on growing your business or facing the consequences of a successful attack.

Recommended reads: Benjamin recommends reading the Singapore Cyber Landscape, which is published annually, and the Safer Cyberspace Masterplan from the Cyber Security Agency of Singapore (CSA) to know the risks and gain insight on how to reduce it.
https://www.csa.gov.sg/news/publications

The post Beating Cyber Disruption Means Getting Back to Basics appeared first on Bizruption Asia.