What should our anonymisation process seek to achieve?

An effective anonymisation process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context.

It may seem fairly easy to say whether a piece of information relates to an identified individual, as this may be clear from the information itself. For example, bank statements clearly identify individual account holders and contain information that relates to them. anonymisation processes should take into account the concept of identifiability in its broadest sense. They should not simply focus on removing obvious information that clearly relates to someone.

Click to download

The cryptocurrency space is always brimming with new technological advances, whether that be with token projects or blockchain applications. The latest buzz comes in the form of Non-Fungible Tokens (NFTs). Celebrities, artists, billionaire entrepreneurs, and athletes are seemingly tweeting about the excitement of NFTs, but what exactly are they?

While the recent hype surrounds art or collectible NFTs, like NBA player Stephen Curry’s purchase of a zombie-eyed Bored Ape, their application and usability reach far beyond static art or collectibles. NFTs are tokens that have introduced a new way to verifiably prove ownership of virtually anything through the blockchain. While a majority of the current NFTs come in the form of a JPEG or GIF, the sector is evolving such that the NFT itself becomes a means to an end. In other words, the ownership of a NFT can grant the owner the right and avenue to access data or a community directly.

NFTs reportedly recorded over $56M in sales in 2020 and over $927M in 1H2021 alone. This marks a 5,404% growth year-over-year when compared to 1H2020. While NFTs may sound foreign to many, the concept is fairly aged and rooted in the history of the crypto industry. For a fuller understanding of NFTs, in this report we outline their purpose, background, current developments, and how they can be game-changing for those who believe in their application and potential.

We also show how to participate in this sector, by including examples of where you can buy or mint a NFT. While we do provide examples, please note that it is not an endorsement of any specific NFT platform or the buying, minting, or selling of NFTs. As always, we strongly urge you to do thorough research before jumping in.

Click to download

Organizations have the responsibility to protect the data they hold and safeguard their systems. This can be challenging, as technology changes in size and complexity, and as resources and workforces become more limited. Organizations must remain vigilant, as outside parties may attempt to gain unauthorized access to sensitive data through ransomware.

Ransomware refers to a business model and a wide range of associated technologies that bad actors use to extort money. The bad actors use a range of tactics to gain unauthorized access to their victims’ data and systems, including exploiting unpatched vulnerabilities, taking advantage of weak or stolen credentials, and using social engineering. Access to the data and systems is restricted by the bad actors, and a ransom demand is made for the “safe return” of these digital assets.

There are several methods such actors use to restrict or eliminate legitimate access to resources, including encryption and deletion, modified access controls, and network-based denial of service attacks. In some cases, even after data access is restored, bad actors have demanded a “second ransom,” promising that its payment guarantees the deletion of victims’ sensitive data, instead of selling it or publicly releasing it.
Ransomware attacks are typically opportunistic in nature, targeting end users through emails, embedding malicious code within websites, or gaining access through unpatched systems. Ransomware can cost organizations a significant amount of resources in response and recovery, as well as impact their ability to operate.

Click to download

Singapore launched our first Singapore Cybersecurity Strategy in 2016 (‘Strategy 2016’), which helped lay the foundations of our cybersecurity efforts today. As our strategic and technological environment has changed significantly over the past five years, we have reviewed and refreshed our cybersecurity strategy to address new and emerging cyber-threats.

With a robust cybersecurity workforce and a vibrant cybersecurity ecosystem as key enablers, the Singapore Cybersecurity Strategy 2021 (‘Strategy 2021’) lays out our plans to strengthen the security and resilience of our digital infrastructure and enable a safer cyberspace to support our digital way of life. It also articulates how Singapore could play an outsized role in the digital domain despite being a small country, to support an open, secure, stable, accessible, peaceful, and interoperable cyberspace.

Click to download

Ransomware attacks—the use of malicious software to deny users access to data and information systems to extort ransom payments from victims—are prevalent. A recent notable example is the May 2021 ransomware attack that temporarily shut down the Colonial Pipeline Company’s network, affecting gasoline availability and prices. This attack is but one of many; in 2020 alone, the Federal Bureau of Investigation (FBI) received nearly 2,500 ransomware complaints with losses exceeding $29 million.

Federal law provides several potential approaches to combat ransomware attacks. First, federal criminal laws, such as the Computer Fraud and Abuse Act (CFAA), can be used to prosecute those who perpetrate ransomware attacks. These laws and others, such as the statutes criminalizing conspiracy and aiding and abetting, might also be used to prosecute individuals who help to develop ransomware that is ultimately used by others. Victims who pay ransoms might also be subject to criminal or civil penalties in some cases—for example, where a ransom payment is made knowingly to an entity either designated as a foreign terrorist organization or subject to sanctions by the Department of Treasury. Nevertheless, policy considerations, mitigating factors, and prosecutorial discretion may weigh against enforcement in such instances.

Second, federal cybersecurity laws play an important role in both preventing and responding to ransomware attacks. Cyber preparedness laws require federal agencies to secure their networks and authorize the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Personnel Management (OPM) to establish federal network security requirements. Other cyber preparedness laws authorize federal agencies to assist private entities operating in critical infrastructure sectors in securing their systems. Moreover, many data protection laws include requirements for covered entities to safeguard customer or consumer data. If a ransomware attack or other cyber incident occurs, federal law requires CISA and other federal agencies to work together to mitigate harm to federal networks and authorizes them to assist private entities in incident response and damage mitigation.

Click to download