Cyber Deterrence in Singapore: Framework and Recommendations

Abstract

As a small state, Singapore’s ability to create deterrence against cyberattacks is very limited. There is limited value in pursuing classic deterrence through denial and punishment because: (i) technology is relatively cheap and widely available; (ii) there is difficulty in accurately attributing blame; and (iii) there is difficulty in identifying and punishing attackers. If there is no detection or ability to punish, Singapore’s credibility suffers. The report suggests six ways that Singapore can improve its cyberattack deterrence: 1. Develop a response mechanism to guide deterrence 2. Create resilient systems 3. Share collective responsibility in cybersecurity 4. Increase capabilities through the improvement of penetration detection 5. Create norms with enforcement capabilities 6. Strengthen international law enforcement, cooperation, and legislation It is also not feasible to measure deterrence in cyberspace the same way as nuclear deterrence, where a no-attack scenario denotes that deterrence is successful. Rather, deterrence should be seen as a mitigating effort that leads potential attackers to believe it is not in their best interest to attack. These efforts at deterrence can be further enhanced by improving the accuracy of attribution, the detection of cyber incidents regardless of size, and ensuring that timely action is taken against cyberattackers.