Back
About RSIS
Introduction
Building the Foundations
Welcome Message
Board of Governors
Staff Profiles
Executive Deputy Chairman’s Office
Dean’s Office
Management
Distinguished Fellows
Faculty and Research
Associate Research Fellows, Senior Analysts and Research Analysts
Visiting Fellows
Adjunct Fellows
Administrative Staff
Honours and Awards for RSIS Staff and Students
RSIS Endowment Fund
Endowed Professorships
Career Opportunities
Getting to RSIS
Research
Research Centres
Centre for Multilateralism Studies (CMS)
Centre for Non-Traditional Security Studies (NTS Centre)
Centre of Excellence for National Security
Institute of Defence and Strategic Studies (IDSS)
International Centre for Political Violence and Terrorism Research (ICPVTR)
Research Programmes
National Security Studies Programme (NSSP)
Social Cohesion Research Programme (SCRP)
Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
Other Research
Future Issues and Technology Cluster
Research@RSIS
Science and Technology Studies Programme (STSP) (2017-2020)
Graduate Education
Graduate Programmes Office
Exchange Partners and Programmes
How to Apply
Financial Assistance
Meet the Admissions Team: Information Sessions and other events
RSIS Alumni
Outreach
Global Networks
About Global Networks
RSIS Alumni
Executive Education
About Executive Education
SRP Executive Programme
Terrorism Analyst Training Course (TATC)
International Programmes
About International Programmes
Asia-Pacific Programme for Senior Military Officers (APPSMO)
Asia-Pacific Programme for Senior National Security Officers (APPSNO)
International Conference on Cohesive Societies (ICCS)
International Strategy Forum-Asia (ISF-Asia)
Publications
RSIS Publications
Annual Reviews
Books
Bulletins and Newsletters
RSIS Commentary Series
Counter Terrorist Trends and Analyses
Commemorative / Event Reports
Future Issues
IDSS Papers
Interreligious Relations
Monographs
NTS Insight
Policy Reports
Working Papers
External Publications
Authored Books
Journal Articles
Edited Books
Chapters in Edited Books
Policy Reports
Working Papers
Op-Eds
Glossary of Abbreviations
Policy-relevant Articles Given RSIS Award
RSIS Publications for the Year
External Publications for the Year
Media
Cohesive Societies
Sustainable Security
Other Resource Pages
News Releases
Speeches
Video/Audio Channel
External Podcasts
Events
Contact Us
S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
Nanyang Technological University Nanyang Technological University
  • About RSIS
      IntroductionBuilding the FoundationsWelcome MessageBoard of GovernorsHonours and Awards for RSIS Staff and StudentsRSIS Endowment FundEndowed ProfessorshipsCareer OpportunitiesGetting to RSIS
      Staff ProfilesExecutive Deputy Chairman’s OfficeDean’s OfficeManagementDistinguished FellowsFaculty and ResearchAssociate Research Fellows, Senior Analysts and Research AnalystsVisiting FellowsAdjunct FellowsAdministrative Staff
  • Research
      Research CentresCentre for Multilateralism Studies (CMS)Centre for Non-Traditional Security Studies (NTS Centre)Centre of Excellence for National SecurityInstitute of Defence and Strategic Studies (IDSS)International Centre for Political Violence and Terrorism Research (ICPVTR)
      Research ProgrammesNational Security Studies Programme (NSSP)Social Cohesion Research Programme (SCRP)Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      Other ResearchFuture Issues and Technology ClusterResearch@RSISScience and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      Graduate Programmes OfficeExchange Partners and ProgrammesHow to ApplyFinancial AssistanceMeet the Admissions Team: Information Sessions and other eventsRSIS Alumni
  • Outreach
      Global NetworksAbout Global NetworksRSIS Alumni
      Executive EducationAbout Executive EducationSRP Executive ProgrammeTerrorism Analyst Training Course (TATC)
      International ProgrammesAbout International ProgrammesAsia-Pacific Programme for Senior Military Officers (APPSMO)Asia-Pacific Programme for Senior National Security Officers (APPSNO)International Conference on Cohesive Societies (ICCS)International Strategy Forum-Asia (ISF-Asia)
  • Publications
      RSIS PublicationsAnnual ReviewsBooksBulletins and NewslettersRSIS Commentary SeriesCounter Terrorist Trends and AnalysesCommemorative / Event ReportsFuture IssuesIDSS PapersInterreligious RelationsMonographsNTS InsightPolicy ReportsWorking Papers
      External PublicationsAuthored BooksJournal ArticlesEdited BooksChapters in Edited BooksPolicy ReportsWorking PapersOp-Eds
      Glossary of AbbreviationsPolicy-relevant Articles Given RSIS AwardRSIS Publications for the YearExternal Publications for the Year
  • Media
      Cohesive SocietiesSustainable SecurityOther Resource PagesNews ReleasesSpeechesVideo/Audio ChannelExternal Podcasts
  • Events
  • Contact Us
    • Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
      rsisvideocast
      school/rsis-ntu
      rsis.sg
      rsissg
      RSIS
      RSS
      Subscribe to RSIS Publications
      Subscribe to RSIS Events

      Getting to RSIS

      Nanyang Technological University
      Block S4, Level B3,
      50 Nanyang Avenue,
      Singapore 639798

      Click here for direction to RSIS

      Get in Touch

    Connect
    Search
    • RSIS
    • Publication
    • RSIS Publications
    • Strategic Decision-Making During Cyber Conflict: The SingHealth Case
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • RSIS Commentary Series
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • Future Issues
    • IDSS Papers
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers

    CO19182 | Strategic Decision-Making During Cyber Conflict: The SingHealth Case
    Gil Baram, Udi Sommer

    17 September 2019

    download pdf

    SYNOPSIS

    Cyber technology enables countries to act covertly. Furthermore, it is not always easy to identify who is behind a given attack. So, what leads countries that were victims of cyberattacks to reveal the incidents?

    COMMENTARY

    IT IS always not easy to identify the perpetrator of a cyber attack. Once the victim of a cyber offensive has identified the attack and decided to use a public strategy, it has two major options: firstly to reveal the attack and attribute it to the alleged attacker; or secondly reveal only the fact that the attack had occurred, without attribution.

    In the current political and technical landscape, it is important to consider cyberattacks in the wider strategic context. In certain geopolitical situations, it is in the victim’s interests to reveal the aggressive actions of its adversary. This might look at first like the victim admitting to its vulnerabilities. Yet, in a long-term cost-benefit analysis, sometimes it is better to ‘call out’ the aggressor as flouting international laws and norms than to keep quiet.

    Naming & Shaming Strategy

    For one, the victim is trying to say: ‘I know what you (the attacker) are up to and now so does everyone else.’ This is a Naming and Shaming strategy, which means publicly identifying perpetrators that are ‘doing wrong’ and undermining international law and the rules-based order.

    Another consideration is the need to avoid public humiliation. The victim can decide to disclose the attack in order to avoid humiliation and degradation, which will most likely accompany the publication of the attack by the attacker or by a third party. In a post-Snowden reality, secrecy is difficult.

    The general public is more aware of state activities, and has the means to publicise them, for instance via social media. So, getting ahead of the news cycle is often better than trying to avoid it altogether. Costs associated with hiding an incident, may easily supersede those of immediate transparency.

    Another goal may be showing strength in front of an international audience by warning the attacker from taking future actions. By disclosing the attack and accusing the attacker, the victim conveys a message that he has identified the attack and may intend to retaliate. Plus, he has the technical knowhow to identify the attack and point out the entity behind it.

    Attribution is a function of capacity, so demonstrating defensive capability can signal general technological competence that may hint at a complementary offensive know-how. It seems that revealing the attack has its advantages. Now the question is why not attribute it publicly?

    Motivations Not to reveal Attacker

    Assuming that the victim has identified the attacker, there are two main reasons why the victim would not want to reveal the attacker’s identity in public:

    The first is safety of intelligence sources.

    The desire to avoid exposing intelligence and sources is an important reason for not moving forward with making the attacker’s identity public. This is even more acute in cyberspace because it is difficult to identify the attacker only by using technical tools.

    Therefore, it is often necessary to use intelligence of various kinds, such as advanced technological and even human resources to obtain the necessary information. These sources are considered highly important and valuable for the country’s intelligence services, and therefore it is essential to protect their safety and covertness.

    The second is preventing escalation.

    There may be differences in the existing technological capabilities and power of the victim and the attacker. If this is the case, the victim may choose not to publicise the attack in order to avoid the chance that the exposure will lead to open confrontation. Not revealing the identity of the attacker allows the victim to refrain from the obligation to respond, and thereby contain the attack and prevent undesirable escalation.

    Although at first glance, revealing the attack might be perceived as exposing the country’s weakness, we identify several considerations with positive implications, which could lead the country to decide to reveal the attack. The question is why do states act that way and in the pursuit of which advantages.

    And more specifically, what led the authorities in Singapore to reveal the attack and to carry out such an extensive public inquiry but consistently not mention the identity of the attacker?

    The SingHealth Case

    In the SingHealth case, it seems that although the head of Cyber Security Agency of Singapore (CSA) estimated a nation-state was behind the attack and many security analysts even estimated certain countries, Singapore took caution not to reveal the identity of the attacker in public.

    The decision to make the attack public, nonetheless, is likely based on two main considerations: The first derived from the theft of personal information that is critical for the daily life of citizens. As E-Government is well developed and most activities that are essential to the daily lives of Singapore’s citizens take place online, there was a concern that the attacker might want to use the data to gain access to additional information concerning the citizens.

    The second consideration for exposing the attack without attributing it might be the concern of public humiliation. If the attacker or a third party exposed the attack before the Singaporean authorities did, it could damage the reputation of the administration. Under such circumstances, it would appear that not only did the administration fail to protect its citizens, but it also made an attempt to conceal it.

    Speaking at a press conference on 20 July 2018, Chief Executive of the CSA, David Koh, confirmed that: “We have determined that this is a deliberate, targeted and well-planned cyberattack, not the work of casual hackers or criminal gangs… beyond this I apologise we are not able to reveal more because of operational security reasons.”

    It seems that for national security reasons the CSA most probably wanted to keep its intelligence resources safe and did not reveal any information that could jeopardise their integrity. While experts pointed fingers at some nations, authorities remained tight-lipped.

    One explanation for this is the need to avoid escalation. Singapore has close trade and economic relationships with many countries, although differences occur from time to time. The will of Singapore not to take any steps that could risk such relationships and escalate the situation seems to be one reason why Singapore chose not to reveal the identity of the attacker.

    About the Authors

    Gil Baram is an Adjunct Research Fellow with the Centre of Excellence for National Security (CENS), a unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. Udi Sommer is Senior Lecturer (Associate Professor), Department of Political Science at Tel Aviv University.

    Categories: RSIS Commentary Series / International Politics and Security / Global
    comments powered by Disqus

    SYNOPSIS

    Cyber technology enables countries to act covertly. Furthermore, it is not always easy to identify who is behind a given attack. So, what leads countries that were victims of cyberattacks to reveal the incidents?

    COMMENTARY

    IT IS always not easy to identify the perpetrator of a cyber attack. Once the victim of a cyber offensive has identified the attack and decided to use a public strategy, it has two major options: firstly to reveal the attack and attribute it to the alleged attacker; or secondly reveal only the fact that the attack had occurred, without attribution.

    In the current political and technical landscape, it is important to consider cyberattacks in the wider strategic context. In certain geopolitical situations, it is in the victim’s interests to reveal the aggressive actions of its adversary. This might look at first like the victim admitting to its vulnerabilities. Yet, in a long-term cost-benefit analysis, sometimes it is better to ‘call out’ the aggressor as flouting international laws and norms than to keep quiet.

    Naming & Shaming Strategy

    For one, the victim is trying to say: ‘I know what you (the attacker) are up to and now so does everyone else.’ This is a Naming and Shaming strategy, which means publicly identifying perpetrators that are ‘doing wrong’ and undermining international law and the rules-based order.

    Another consideration is the need to avoid public humiliation. The victim can decide to disclose the attack in order to avoid humiliation and degradation, which will most likely accompany the publication of the attack by the attacker or by a third party. In a post-Snowden reality, secrecy is difficult.

    The general public is more aware of state activities, and has the means to publicise them, for instance via social media. So, getting ahead of the news cycle is often better than trying to avoid it altogether. Costs associated with hiding an incident, may easily supersede those of immediate transparency.

    Another goal may be showing strength in front of an international audience by warning the attacker from taking future actions. By disclosing the attack and accusing the attacker, the victim conveys a message that he has identified the attack and may intend to retaliate. Plus, he has the technical knowhow to identify the attack and point out the entity behind it.

    Attribution is a function of capacity, so demonstrating defensive capability can signal general technological competence that may hint at a complementary offensive know-how. It seems that revealing the attack has its advantages. Now the question is why not attribute it publicly?

    Motivations Not to reveal Attacker

    Assuming that the victim has identified the attacker, there are two main reasons why the victim would not want to reveal the attacker’s identity in public:

    The first is safety of intelligence sources.

    The desire to avoid exposing intelligence and sources is an important reason for not moving forward with making the attacker’s identity public. This is even more acute in cyberspace because it is difficult to identify the attacker only by using technical tools.

    Therefore, it is often necessary to use intelligence of various kinds, such as advanced technological and even human resources to obtain the necessary information. These sources are considered highly important and valuable for the country’s intelligence services, and therefore it is essential to protect their safety and covertness.

    The second is preventing escalation.

    There may be differences in the existing technological capabilities and power of the victim and the attacker. If this is the case, the victim may choose not to publicise the attack in order to avoid the chance that the exposure will lead to open confrontation. Not revealing the identity of the attacker allows the victim to refrain from the obligation to respond, and thereby contain the attack and prevent undesirable escalation.

    Although at first glance, revealing the attack might be perceived as exposing the country’s weakness, we identify several considerations with positive implications, which could lead the country to decide to reveal the attack. The question is why do states act that way and in the pursuit of which advantages.

    And more specifically, what led the authorities in Singapore to reveal the attack and to carry out such an extensive public inquiry but consistently not mention the identity of the attacker?

    The SingHealth Case

    In the SingHealth case, it seems that although the head of Cyber Security Agency of Singapore (CSA) estimated a nation-state was behind the attack and many security analysts even estimated certain countries, Singapore took caution not to reveal the identity of the attacker in public.

    The decision to make the attack public, nonetheless, is likely based on two main considerations: The first derived from the theft of personal information that is critical for the daily life of citizens. As E-Government is well developed and most activities that are essential to the daily lives of Singapore’s citizens take place online, there was a concern that the attacker might want to use the data to gain access to additional information concerning the citizens.

    The second consideration for exposing the attack without attributing it might be the concern of public humiliation. If the attacker or a third party exposed the attack before the Singaporean authorities did, it could damage the reputation of the administration. Under such circumstances, it would appear that not only did the administration fail to protect its citizens, but it also made an attempt to conceal it.

    Speaking at a press conference on 20 July 2018, Chief Executive of the CSA, David Koh, confirmed that: “We have determined that this is a deliberate, targeted and well-planned cyberattack, not the work of casual hackers or criminal gangs… beyond this I apologise we are not able to reveal more because of operational security reasons.”

    It seems that for national security reasons the CSA most probably wanted to keep its intelligence resources safe and did not reveal any information that could jeopardise their integrity. While experts pointed fingers at some nations, authorities remained tight-lipped.

    One explanation for this is the need to avoid escalation. Singapore has close trade and economic relationships with many countries, although differences occur from time to time. The will of Singapore not to take any steps that could risk such relationships and escalate the situation seems to be one reason why Singapore chose not to reveal the identity of the attacker.

    About the Authors

    Gil Baram is an Adjunct Research Fellow with the Centre of Excellence for National Security (CENS), a unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. Udi Sommer is Senior Lecturer (Associate Professor), Department of Political Science at Tel Aviv University.

    Categories: RSIS Commentary Series / International Politics and Security

    Popular Links

    About RSISResearch ProgrammesGraduate EducationPublicationsEventsAdmissionsCareersVideo/Audio ChannelRSIS Intranet

    Connect with Us

    rsis.ntu
    rsis_ntu
    rsisntu
    rsisvideocast
    school/rsis-ntu
    rsis.sg
    rsissg
    RSIS
    RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    Getting to RSIS

    Nanyang Technological University
    Block S4, Level B3,
    50 Nanyang Avenue,
    Singapore 639798

    Click here for direction to RSIS

    Get in Touch

      Copyright © S. Rajaratnam School of International Studies. All rights reserved.
      Privacy Statement / Terms of Use
      Help us improve

        Rate your experience with this website
        123456
        Not satisfiedVery satisfied
        What did you like?
        0/255 characters
        What can be improved?
        0/255 characters
        Your email
        Please enter a valid email.
        Thank you for your feedback.
        This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
        OK
        Latest Book
        more info