Extent of Impact, Lessons Learnt and Resilience Measures Resulting from CrowdStrike Outage

Debated in Parliament on 7 Aug 2024.

Summary

  • The CrowdStrike IT outage on July 19, 2024, caused disruptions primarily to businesses using its Falcon Endpoint Detection and Response solution, impacting internal operations and some customer services, such as airline check-in and HDB carpark operations.
  • Fortunately, government services and essential services in Singapore remained largely unaffected, with most businesses implementing business continuity plans to manage disruptions effectively.
  • The government has set up an internal taskforce to assess the incident and improve resilience against future disruptions, emphasizing the importance of having recovery plans in place, as not all outages can be prevented.
  • Organizations, including critical information infrastructures, must adhere to strict security and resilience requirements, and businesses are urged to prioritize risk assessments and build robust recovery plans to mitigate potential disruptions.
  • The Ministry provides resources and support for businesses to enhance digital resilience, encouraging them to utilize available government programs and advisories to improve cybersecurity measures and incident recovery capabilities.

Summary written by AI

Full Transcript

Syed Harun Alhabsyi

Dr Syed Harun Alhabsyi asked the Minister for Digital Development and Information with regard to the recent IT outage caused by CrowdStrike (a) what has been the extent of its impact and cost to local businesses and institutions; (b) what lessons have been learnt from this outage thus far; and (c) what steps are being taken to ensure that the IT systems used by these businesses and institutions remain resilient against similar outages.

Saktiandi Supaat

Mr Saktiandi Supaat asked the Minister for Digital Development and Information (a) which areas of the public service sector were most severely affected by the CrowdStrike outage on 19 July 2024; (b) what are takeaways on the strengths and weaknesses of Singapore's public service systems to ensure a reliable, efficient, and accessible public service for Singaporeans; and (c) what steps have been taken to ensure that possible vulnerabilities from any of our current and future cyber security solutions are mitigated.

Mrs Josephine Teo

I will answer Parliamentary Question (PQ) Nos 5 to 10 on today’s Order Paper, Written Parliamentary Question Nos 27 and 28 on today’s Order Paper, and PQ Nos 60, 64, 65, 66, 68, and 69 on yesterday’s Order Paper together, as they are related to the outage of IT systems caused by CrowdStrike on 19 July 2024.

My response will also cover the matters raised in the oral questions by Assoc Prof Razwana Begum Abdul Rahim which are scheduled for a subsequent Sitting. I would invite all interested Members to seek clarifications after I have given my reply today. If the questions have been addressed, it may not be necessary to proceed with the Parliamentary Questions for future Sittings.

On 19 July 2024, a faulty software update by a cybersecurity service provider CrowdStrike disrupted major services around the world. Images of the now infamous Blue Screen of Death appeared in media news cycles and attracted significant public attention. According to public reports, outages were experienced by users of the Microsoft Windows operating system that adopted CrowdStrike’s Falcon Endpoint Detection and Response (EDR) solution. It is a security solution that requires frequent and timely updates to be effective.

The Members’ questions fall broadly into two categories. First, what is the impact of the outage in Singapore, particularly in relation to services provided by Government. Second, what are the lessons learnt, particularly in relation to the resilience of our IT systems.

Fortuitously, Government services and most essential services in Singapore were unaffected by the outages. However, some businesses that use CrowdStrike’s Falcon EDR were affected. In most cases, the impact was to internal staff. In a minority of the cases, customers were impacted due to service disruptions. Prominent examples of these were the passenger check-in for some airlines at Changi Terminal 4 and gantry operations at some Housing and Development Board carparks.

Customers of affected businesses met with delays and were inconvenienced. However, business continuity plans (BCPs) kicked in. These included switching over to manual processes, such as for flight ticketing and check-in. The Singapore Cyber Emergency Response Team (SingCERT) of the Cyber Security Agency of Singapore (CSA) also quickly issued an advisory to guide affected system administrators and users on how to manually recover their systems. Most of the affected IT systems had recovered within a day, and services returned to normal.

As Members know, IT systems may experience outages and disruptions from time to time. In this particular instance, it is not yet fully understood what caused a relatively routine software update to have created such major disruptions around the world. My Ministry has set up an internal taskforce to engage relevant partners to gain insights into the incident and assess if further measures should be taken to improve Singapore’s resilience when such disruptions occur.

In the meantime, one key lesson can already be reinforced. As we have said on previous occasions, even with best efforts, not all disruptions can be prevented. System owners should therefore have plans in place to help them to recover quickly from unexpected disturbances.

On its part, the Government adopts a risk-based approach to ensure our critical systems and essential services are resilient. Critical Information Infrastructures (CIIs), Essential Services (ES) and Government services are all subject to stringent requirements and have to put in place robust BCPs, Disaster Recovery Plans and Incident Response Plans. The Cybersecurity Act and specific sectoral regulations hold CIIs and key ES operators accountable for meeting the baseline security and resilience requirements. This includes timely review of risk assessments and audits. For example, Government agencies using third-party software in their ICT systems have to do a thorough risk assessment and put in place necessary mitigation measures. CSA also established the CII Supply Chain Programme to better manage key vendor supply chain risks.

Businesses must also play their part to improve their resilience when disruptions occur and recognise that it is in their own, and their customers’ interests to do so. When things are running smoothly, businesses may question why they should incur cost or prioritise efforts to assess and improve their resilience measures. Unfortunately, some may not take appropriate actions until it is too late.

We therefore encourage businesses to conduct their own risk assessments and put in place the appropriate BCPs to help business continuity in the event of a disruption. SingCERT has recently published an advisory on building digital resiliency, which can be found on CSA’s website. As part of the support for enterprises’ digitalisation, my Ministry offers other practical resources and financial assistance to encourage robust IT practices. This includes CSA’s cybersecurity toolkits and the Infocomm Media Development Authority’s SMEs Go Digital Programme.

While these efforts may not specifically address IT outages like the one related to CrowdStrike, they can help businesses prevent incidents and recover more quickly should disruptions occur. I also encourage all businesses to take advantage of the Government’s resource support to strengthen their digital resilience.