MDDI 演讲稿 · 2025-04-15
高级政务次长 Tan Kiat How 在推出扩展型 Cyber Essentials 和 Cyber Trust Marks 时的开场致辞
高级政务次长 Tan Kiat How 在推出扩展型 Cyber Essentials 和 Cyber Trust Marks 时的开场致辞
要点
- • 新加坡网络安全局扩展了《网络安全基本能力标志》和《网络安全信誉标志》认证范围,新增云安全、人工智能安全和运营技术安全覆盖。
- • 云安全要求企业按照"云共享责任模式"实施保护措施,其中云服务提供商和企业分别负责各自领域的安全责任。
- • 扩展后的《网络安全信誉标志》和《网络安全基本能力标志》现涵盖人工智能安全风险,包括"影子AI"(员工在未获IT部门批准或监督的情况下使用AI工具)。
- • 运营技术安全已纳入《网络安全基本能力标志》和《网络安全信誉标志》,以应对工业4.0和IT与OT环境融合(特别是制造业等部门)的挑战。
- • 新加坡政府正在评估是否要求拥有敏感政府数据访问权限的网络安全供应商(例如渗透测试公司和审计师)在竞标政府合同前获得《网络安全基本能力标志》或《网络安全信誉标志》认证。
- • 已有超过500个组织获得《网络安全基本能力标志》认证,符合条件的中小企业可获得政府资金支持,网络安全局聘请的顾问以"首席信息安全官即服务"模式提供支持。
完整译文(中文)
MDDI 英文原文译文 · 翻译日期: 2026-07-04
数字发展和信息资深部长谭克耶在2025年4月15日扩展网络安全基本能力标志和网络安全信誉标志发布会上的开幕致辞
尊敬的来宾
女士们、先生们
下午好。我很高兴看到今天有这么多人来参加这个重要活动。我们将讨论保护网络空间这一关键议题,以及我们可以采取哪些共同行动。
众所周知,数字化步伐在加快。新加坡的企业正在推进数字转型,包括大企业和许多中小企业。我们看到云计算在大企业中已成为主流。约三分之一的中小企业(SMEs)正在使用云计算。
人工智能(AI)是一个令人兴奋的技术领域,企业正在采用AI来提高生产力、创造新的业务模式或为其产品开辟新市场。政府通过各种举措支持企业采用AI,包括信息通信媒体发展局(IMDA)的通用AI沙箱和企业通用AI实用手册。
虽然这些新技术使企业更有生产力,但它们也扩大了网络攻击面。我们看到越来越多的网络漏洞和个人数据泄露案例,特别是涉及新加坡中小企业的案例。
因此,新加坡网安局(CSA)及时更新网络安全基本能力标志和网络安全信誉标志认证,将云安全、AI安全和运营技术(OT)的范围包括在内,是恰当的举措。
网络安全基本能力标志针对中小企业。它是为较小或数字化程度较低的企业设计的,提出了防范常见网络攻击的保护措施。网络安全信誉标志帮助较大或数字化程度较高的企业采取基于风险的网络安全实施方法。
通过此次更新,网络安全基本能力标志和网络安全信誉标志将为实施云计算、AI和运营技术的企业提供覆盖和保护。让我简要介绍主要更新内容。
首先是云计算——当企业采用云计算时,网络安全责任在云服务提供商和企业之间共享——这被称为"云共享责任模式"。
一方面,云服务提供商是数字基础设施的关键提供者,我们将确保他们具有强大的数字韧性。但另一方面,企业也需要尽自己的责任。这不是"交给"云服务提供商就完事的问题;企业也需要保护他们的云使用,他们可以参考网络安全基本能力标志或网络安全信誉标志中的云安全内容。
第二个领域是AI——当企业尝试和创新AI时,我们需要保护自己免受与AI使用相关的风险。例子包括"影子AI",指员工在没有IT部门批准或监督的情况下未经授权使用AI工具,或意外泄露信息,以及输出不当内容。
在世界经济论坛(WEF)的一项调查中,66%的受调查组织认为AI将对网络安全产生最重大影响。拥有AI用户的企业现在可以参考网络安全基本能力标志和网络安全信誉标志中的AI安全内容。
第三个领域是运营技术(OT)——随着工业4.0的兴起,我们看到运营技术环境与信息技术环境的融合。这对新加坡制造等关键行业产生了影响。虽然信息技术侧重于数据管理,关注信息的机密性、完整性和可用性,但运营技术优先考虑工业环境中物理过程和设备的实时控制和安全。
保护信息技术环境的做法在运营技术环境中不一定可行,因为投资周期很长,可能仍在使用遗留协议和设备。运营技术企业现在可以参考网络安全基本能力标志和网络安全信誉标志中的运营技术安全内容来保护其运营技术环境。我们不仅要关注保护您的信息技术环境和运营技术环境,而且越来越多地关注信息技术和运营技术边界的交界处,因为越来越多的全球系统变得更像信息技术,越来越多的系统需要自动化,更多的运营技术流程和协议也随之而来。我非常高兴新加坡网安局正在采取这些步骤,更新这些基本能力和信誉标志,以包括云计算、AI和运营技术——这些对数字企业来说都是非常重要的领域。
请允许我用华语作一些简短的评述。
现在,请允许我用华语总结关键内容:
虽然使用新兴数字技术可以提升效率,却也可扩大攻击面。我们看到了很多网安漏洞及个人数据泄露事件的发生,尤其涉及到新加坡的中小企业。
新加坡网安局(CSA)此时扩展"网络安全基本能力标志"(Cyber Essentials)和"网络安全信誉标志"(Cyber Trust)的认证范围非常及时,新增三大领域:
(一)云安全
(二)人工智能安全
(三)运营技术安全。
政府还在计划全面提升国家网络安全标准,特别是针对高风险的行业机构。网安局正在评估,要求接触敏感数据的机构必须取得相关网络安全认证才可以参与政府合同竞标。具体实施方案将在筹备完成后另外公报。
我们收到业界反馈,称实施网络安全对中小企业来说可能具有挑战性。为简化中小企业的网络安全工作,网安局与网络安全顾问合作,这些顾问可充当其首席信息安全官(CISO即服务模式)。这些顾问帮助中小企业实施与网络安全基本能力标志相符的网络卫生措施。
符合条件的中小企业可获得政府资金支持。我们很高兴看到超过500个组织认识到网络安全的重要性,已获得至少网络安全基本能力标志认证。
近年来,网络威胁变得更加严重,犯罪集团越来越多地在线寻求非法利益。我们需要采取更系统的方法来提升国家网络安全基础标准,保护更多组织,特别是那些高风险组织。
正如我们部门今年供款委员会辩论会上所分享的那样,网安局正在评估是否需要采取更多措施,特别是对于可能获得政府敏感数据或系统权限的供应商。
这些供应商包括网络安全渗透测试公司和网络安全审计员。可能采取的措施包括要求这些供应商及其分包商在获得政府许可证或参与政府合同竞标之前,获得网络安全基本能力标志和/或网络安全信誉标志。网安局将与业界进行协商,探讨未来的方向。
网络安全基本能力标志和网络安全信誉标志是国内标志,最初是为了提升新加坡企业的网络安全水平而开发的。
我们很高兴该地区多个国家表示了兴趣。我们了解来自马来西亚、泰国、菲律宾和中东的企业已获得认证,可能还有文莱的另一家公司正在进行认证过程。
除了提升我们企业的网络安全态势和保护我们的数字经济外,我们的企业还有市场机遇,这建立在新加坡享有盛誉的信任和可靠性品牌的基础上。
我期待所有利益相关者在这方面的共同努力,因为我们正在构建一个充满活力的数字经济,为所有企业和我们的工人提供机遇。
谢谢。
英文原文
MDDI 官网原始记录 · 抓取日期: 2026-07-04
Opening Remarks by Senior Minister of State for Digital Development and Information Tan Kiat How at the Launch Event for the Expanded Cyber Essentials and Cyber Trust Marks on 15 April 2025
Distinguished guests
Ladies and Gentlemen
Good afternoon. I am very glad to see many of you here today, for a very important topic about securing our cyberspace, and what steps we can take together.
As we all know, digitalisation is picking up pace. Enterprises in Singapore are pushing ahead with their digital transformation - large enterprises, and many SMEs as well. We see cloud computing become mainstream with large enterprises. About one-third of Small and Medium Enterprises (SMEs) are using cloud.
Artificial Intelligence (AI) is an exciting area of technology, where companies are adopting AI to improve productivity, create new business models or new markets for their products. The Government is supporting enterprise AI adoption through various initiatives, including the IMDA’s GenAI sandbox and the GenAI playbook for enterprises.
While such new technologies enable firms to be more productive, they also enlarge the cyber attack surface. We are seeing more cases of cyber breaches and loss of personal data, especially those involving SMEs in Singapore.
It is therefore timely for CSA to update the Cyber Essentials and Cyber Trust certification marks to include coverage of cloud security, AI security and Operational Technology, or OT.
Cyber Essentials is targeted towards SMEs. It is designed for smaller or less digital enterprises, proposing protection measures from common cybersecurity attacks. Cyber Trust helps larger or more digital enterprises to adopt a risk-based approach to implementing cybersecurity.
With the update, Cyber Essentials and Cyber Trust will provide coverage and protection for enterprises that are implementing cloud computing, AI and OT. Let me briefly outline the key updates.
First on cloud computing - when enterprises embrace cloud computing, the responsibility for cybersecurity is shared between the cloud service provider and the enterprise – this is referred to as the “cloud shared responsibility model”.
On one hand, cloud service providers are key providers of digital infrastructure, and we will ensure that they have robust digital resilience. But, on the other hand, enterprises also need to do their part. It is not a case of “leaving it” to the cloud service provider; the enterprise also needs to secure their cloud usage, and they can take reference from the cloud security content in Cyber Essentials or Cyber Trust.
The second area, AI - as enterprises experiment with and innovate with AI, we need to protect ourselves from the risks associated with the use of AI. Examples include “shadow AI”, which refers to the unsanctioned use of AI tools by employees without approval or oversight of the IT department, or accidental leakage of information, and the output of inappropriate information.
In a World Economic Forum (WEF) survey, 66% of organisations polled expect AI to have the most significant impact on cybersecurity. Enterprises that have AI users can now refer to the AI security content in Cyber Essentials and Cyber Trust.
The third area, OT - with the rise of Industry 4.0, we are seeing a convergence of the OT environment and the IT environment. This has an impact on key sectors in Singapore, such as manufacturing. While IT prioritises data management, focusing on the confidentiality, integrity and availability of information, OT prioritises real-time control and safety of physical processes and equipment in industrial settings.
The practices to secure an IT environment are not necessarily feasible in an OT environment, where the investment cycle is long, and legacy protocols and equipment may still be in use. OT enterprises can now refer to the OT security content in Cyber Essentials and Cyber Trust to secure their OT environment. We are not just looking at securing your IT environment and OT environment, but increasingly, at the nexus of the IT and OT boundaries, as more global systems become more IT-like, and more systems invite automation and more OT processes and protocols. I am very glad that CSA is taking these steps to update these Essential and Trust marks, to include computing, AI and OT – all very important areas for digital enterprises.
Let me make a few brief remarks in Mandarin.
现在,请允许我用华语总结关键内容:
虽然使用新兴数字技术可以提升效率,却也可扩大攻击面。我们看到了很多网安漏洞及个人数据泄露事件的发生,尤其涉及到新加坡的中小企业。
新加坡网安局(CSA)此时扩展 "网络安全 基本能力 标志"(Cyber Essentials)和 "网络安全 信誉 标志"(Cyber Trust)的认证范围 非常及时,新增三大领域:
(一)云 安全
(二)人工智能 安全
(三)运营技术 安全。
政府还在计划全面提升国家网络安全标准,特别是针对高风险的行业机构。网安局正在评估,要求接触敏感数据的机构必须取得相关网络安全认证才可以参与政府合同竞标。具体实施方案将在筹备完成后另外公报。
We have received industry feedback that implementing cybersecurity can be challenging for SMEs. To simplify cybersecurity for SMEs, CSA taps on cybersecurity consultants that play the role of their Chief Information Security Officer [(CISO) as-a-Service]. These consultants help SMEs to implement cyber hygiene measures aligned to the Cyber Essentials mark.
Government funding support is available for eligible SMEs. We are heartened to see more than 500 organisations acting on the importance of cybersecurity by attaining at least Cyber Essentials certification.
In recent years, cyber threats have become more severe, and criminal groups are increasingly going online to look for illicit gains. We need a more systematic approach to raise baseline cybersecurity standards nationally and protect more organisations, especially those of higher risk.
As shared at our Ministry’s Committee of Supply Debate this year, CSA is assessing if more measures are needed, particularly for vendors that may be given access to sensitive data or systems within Government.
Such vendors include cybersecurity penetration testing firms, and cybersecurity auditors. Possible measures include requiring these vendors and their subcontractors to obtain their Cyber Essentials and/or Cyber Trust marks before they can be licensed or bid for contracts offered by Government. CSA will be engaging the industry on the way ahead.
Cyber Essentials and Cyber Trust are domestic marks, originally developed to uplift the cybersecurity posture of enterprises in Singapore.
We are glad that there has been interest from countries in the region. We understand that there are enterprises in Malaysia, Thailand, Philippines and the Middle East, who have been certified, with possibly another firm in Brunei going through the process.
Beyond raising the cybersecurity posture of our enterprises and securing our digital economy, there are market opportunities for our firms, building on the brand of trust and reliability that Singapore is known for.
I look forward to the collective effort of all stakeholders in this effort as we build a vibrant digital economy that provides opportunities for all enterprises and our workers.
Thank you.