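MDDI Speech · 2025-04-15
Opening Remarks by Senior Minister of State Tan Kiat How at the Launch of the Expanded Cyber Essentials and Cyber Trust Marks
Key points
- The Cyber Security Agency of Singapore has expanded the certification scope of the Cyber Essentials and Cyber Trust marks, adding coverage of cloud security, AI security and operational technology (OT) security.
- Cloud security requires enterprises to implement protection measures in line with the "cloud shared responsibility model", under which the cloud service provider and the enterprise are each responsible for security in their own domain.
- The expanded Cyber Trust and Cyber Essentials marks now cover AI security risks, including "shadow AI" (employees using AI tools without the approval or oversight of the IT department).
- OT security has been included in the Cyber Essentials and Cyber Trust marks to address the challenges of Industry 4.0 and the convergence of IT and OT environments, particularly in sectors such as manufacturing.
- The Singapore Government is assessing whether to require cybersecurity vendors with access to sensitive government data (such as penetration testing firms and auditors) to obtain Cyber Essentials or Cyber Trust certification before bidding for government contracts.
- More than 500 organisations have attained Cyber Essentials certification; eligible SMEs can receive government funding support, and consultants engaged by CSA provide support under a "CISO-as-a-Service" model.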
Original English text
Original record from the MDDI website · Retrieved: 2026-07-04
Opening Remarks by Senior Minister of State for Digital Development and Information Tan Kiat How at the Launch Event for the Expanded Cyber Essentials and Cyber Trust Marks on 15 April 2025
Distinguished guests
Ladies and Gentlemen
Good afternoon. I am very glad to see many of you here today, for a very important topic about securing our cyberspace, and what steps we can take together.
As we all know, digitalisation is picking up pace. Enterprises in Singapore are pushing ahead with their digital transformation - large enterprises, and many SMEs as well. We see cloud computing become mainstream with large enterprises. About one-third of Small and Medium Enterprises (SMEs) are using cloud.
Artificial Intelligence (AI) is an exciting area of technology, where companies are adopting AI to improve productivity, create new business models or new markets for their products. The Government is supporting enterprise AI adoption through various initiatives, including the IMDA’s GenAI sandbox and the GenAI playbook for enterprises.
While such new technologies enable firms to be more productive, they also enlarge the cyber attack surface. We are seeing more cases of cyber breaches and loss of personal data, especially those involving SMEs in Singapore.
It is therefore timely for CSA to update the Cyber Essentials and Cyber Trust certification marks to include coverage of cloud security, AI security and Operational Technology, or OT.
Cyber Essentials is targeted towards SMEs. It is designed for smaller or less digital enterprises, proposing protection measures from common cybersecurity attacks. Cyber Trust helps larger or more digital enterprises to adopt a risk-based approach to implementing cybersecurity.
With the update, Cyber Essentials and Cyber Trust will provide coverage and protection for enterprises that are implementing cloud computing, AI and OT. Let me briefly outline the key updates.
First on cloud computing - when enterprises embrace cloud computing, the responsibility for cybersecurity is shared between the cloud service provider and the enterprise – this is referred to as the “cloud shared responsibility model”.
On one hand, cloud service providers are key providers of digital infrastructure, and we will ensure that they have robust digital resilience. But, on the other hand, enterprises also need to do their part. It is not a case of “leaving it” to the cloud service provider; the enterprise also needs to secure their cloud usage, and they can take reference from the cloud security content in Cyber Essentials or Cyber Trust.
The second area, AI - as enterprises experiment with and innovate with AI, we need to protect ourselves from the risks associated with the use of AI. Examples include “shadow AI”, which refers to the unsanctioned use of AI tools by employees without approval or oversight of the IT department, or accidental leakage of information, and the output of inappropriate information.
In a World Economic Forum (WEF) survey, 66% of organisations polled expect AI to have the most significant impact on cybersecurity. Enterprises that have AI users can now refer to the AI security content in Cyber Essentials and Cyber Trust.
The third area, OT - with the rise of Industry 4.0, we are seeing a convergence of the OT environment and the IT environment. This has an impact on key sectors in Singapore, such as manufacturing. While IT prioritises data management, focusing on the confidentiality, integrity and availability of information, OT prioritises real-time control and safety of physical processes and equipment in industrial settings.
The practices to secure an IT environment are not necessarily feasible in an OT environment, where the investment cycle is long, and legacy protocols and equipment may still be in use. OT enterprises can now refer to the OT security content in Cyber Essentials and Cyber Trust to secure their OT environment. We are not just looking at securing your IT environment and OT environment, but increasingly, at the nexus of the IT and OT boundaries, as more global systems become more IT-like, and more systems invite automation and more OT processes and protocols. I am very glad that CSA is taking these steps to update these Essential and Trust marks, to include computing, AI and OT – all very important areas for digital enterprises.
Let me make a few brief remarks in Mandarin.
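Now, please allow me to summarise the key points in Mandarin:
While the use of emerging digital technologies can improve efficiency, it can also enlarge the attack surface. We have seen many cybersecurity breaches and personal data leaks, especially those involving SMEs in Singapore.
It is very timely for the Cyber Security Agency of Singapore (CSA) to expand the certification scope of the Cyber Essentials mark and the Cyber Trust mark, adding three major areas:
(1) Cloud security
(2) Artificial intelligence security
(3) Operational technology security.
The Government also plans to raise national cybersecurity standards across the board, especially for organisations in higher-risk sectors. CSA is assessing a requirement that organisations with access to sensitive data must obtain the relevant cybersecurity certification before they can bid for government contracts. The specific implementation plan will be announced separately once preparations are complete.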
We have received industry feedback that implementing cybersecurity can be challenging for SMEs. To simplify cybersecurity for SMEs, CSA taps on cybersecurity consultants that play the role of their Chief Information Security Officer [(CISO) as-a-Service]. These consultants help SMEs to implement cyber hygiene measures aligned to the Cyber Essentials mark.
Government funding support is available for eligible SMEs. We are heartened to see more than 500 organisations acting on the importance of cybersecurity by attaining at least Cyber Essentials certification.
In recent years, cyber threats have become more severe, and criminal groups are increasingly going online to look for illicit gains. We need a more systematic approach to raise baseline cybersecurity standards nationally and protect more organisations, especially those of higher risk.
As shared at our Ministry’s Committee of Supply Debate this year, CSA is assessing if more measures are needed, particularly for vendors that may be given access to sensitive data or systems within Government.
Such vendors include cybersecurity penetration testing firms, and cybersecurity auditors. Possible measures include requiring these vendors and their subcontractors to obtain their Cyber Essentials and/or Cyber Trust marks before they can be licensed or bid for contracts offered by Government. CSA will be engaging the industry on the way ahead.
Cyber Essentials and Cyber Trust are domestic marks, originally developed to uplift the cybersecurity posture of enterprises in Singapore.
We are glad that there has been interest from countries in the region. We understand that there are enterprises in Malaysia, Thailand, Philippines and the Middle East, who have been certified, with possibly another firm in Brunei going through the process.
Beyond raising the cybersecurity posture of our enterprises and securing our digital economy, there are market opportunities for our firms, building on the brand of trust and reliability that Singapore is known for.
I look forward to the collective effort of all stakeholders in this effort as we build a vibrant digital economy that provides opportunities for all enterprises and our workers.
Thank you.