28-07-2025
Never trust, always verify: Why zero trust is essential for Singapore's cybersecurity
Singapore, a bustling digital and data hub, finds itself on the front lines of an escalating cyber battlefield.
Recent announcements from Coordinating Minister for National Security K Shanmugam underscore the serious threats from cyberespionage groups like UNC3886 attacking critical information infrastructure. These are not your average opportunistic hackers. We are talking about sophisticated, well-resourced advanced persistent threat (APT) actors that gain unauthorised access to a computer network and target essential services.
The intent is clear: espionage, disruption and undermining national security. So, how can nations defend against such formidable and constantly evolving adversaries in today's complex digital landscape?
The answer lies in a fundamental shift in our cybersecurity philosophy: zero trust.
Beyond the perimeter: why the old ways don't cut it anymore
A decade or so ago, securing technology felt simpler. We relied on physical security, strong network perimeters, firewalls and basic identity management. Our applications were often monolithic, tucked safely behind these defences. But those days are long gone.
Today, software development is all about distributed, cloud-native, microservices-based applications. We are 'gluing together' countless pieces of existing code, each with its own complex dependencies – forming the software supply chain, which typically encompasses all tools, libraries and processes used to develop and publish software.
A NEWSLETTER FOR YOU
Friday, 8.30 am Asean Business
Business insights centering on South-east Asia's fast-growing economies.
Sign Up
Sign Up
This interconnected nature vastly increases the potential attack surface of our critical systems. Every new component, configuration and connection becomes a potential doorway for attackers.
It is no surprise then that we have seen a dramatic hike in common vulnerabilities and exposures (CVEs) – publicly disclosed cybersecurity vulnerabilities found in software or hardware that act as a standardised way to identify and catalogue security flaws. In the first seven months of 2025, almost 27,000 CVEs were reported – an average of 127 CVEs per day.
While investments in cybersecurity spending are essential, vulnerability scanners only work against known threats. This leaves us acutely exposed to zero-day attacks like the infamous Log4Shell, which exploit previously unknown weaknesses and leave defenders no time to prepare a response. Even internal bad actors can pose a zero-day threat; true zero trust means verifying even code from 'the inside'.
This increasing complexity, coupled with the sheer volume of new vulnerabilities, means configuration errors or omissions in our distributed cloud-native applications can easily introduce exploitable paths.
In fact, SUSE's Securing the Cloud Apac 2024 report revealed that IT decision-makers in the Asia-Pacific region experienced an average of 2.6 cloud-related security incidents in the past year, and 64 per cent confirm an incident in the last 12 months. This includes threats ranging from artificial intelligence-powered cyberattacks to edge security breaches, all aiming to disrupt and exploit our cloud environments.
This reality underscores the urgent need for a transformative approach. Zero trust, with its 'never trust, always verify' principle, is that transformation.
Hidden weapons in our defence arsenal
More than a buzzword, zero trust is a strategic approach amplified by modern cybersecurity features.
Zero-day exploits: proactive runtime protection
As we have seen, UNC3886 and similar APTs frequently leverage zero-day vulnerabilities. While we cannot always predict where the next zero-day attack will strike, zero trust's granular access controls and microsegmentation significantly limit an attacker's lateral movement after a breach.
Cloud-native security solutions that protect applications from zero-day attacks at runtime are crucial. These solutions continuously monitor application behaviour, detecting anomalies and blocking malicious code even if it is present. They also halt unauthorised attempts at access and data exfiltration. This means threat actors are stopped dead in their tracks, even against unknown exploits like Log4Shell.
Software bill of materials: knowing what exactly is in your software 'ingredients list'
In today's interconnected software landscape, understanding what is inside our applications is paramount. A software bill of materials (SBOM) provides a detailed, itemised list of all components, libraries and dependencies used in a piece of software, much like ingredients on a food label.
For zero trust, SBOMs are essential. They enable organisations to know precisely what they are deploying, allowing for continuous monitoring of known vulnerabilities within those components. This visibility is critical for identifying potential weak points in the software supply chain that attackers might exploit.
By understanding the provenance – the origins and history – and composition of every software element, zero-trust principles can be applied more effectively, verifying the integrity of each component before it is granted access or permission to execute.
SBOMs, therefore, become a foundational element for building trust in the software we consume and deploy, aligning perfectly with the never trust, always verify ethos by exposing hidden risks.
Open source: transparency, agility and collaborative defence
In the face of sophisticated nation-state adversaries, proprietary, black-box security solutions can be a disadvantage. This is where open source shines.
Open-source software, by its very nature, is transparent. Its code is openly available for review by a global community of experts. This transparency leads to faster discovery of vulnerabilities, and patching. Open-source solutions are also adaptable to specific national security needs, allowing for rapid deployment of new defences against evolving threats, increasing overall security resilience.
At the same time, it is crucial to acknowledge that while open source offers many benefits, it can also be a source of risk if not managed properly. Regular scanning for known vulnerabilities, diligent patching, and the careful selection of well-maintained and trusted open-source projects can help organisations guard against ever-evolving threats.
Building a resilient digital Singapore
Cyberattacks by groups like UNC3886 are a stark reminder that our digital defences must be as agile and sophisticated as the threats we face. Implementing a zero-trust architecture – bolstered by features like proactive runtime protection, verified SBOMs and the collaborative power of open source – is a pre-emptive advantage.
It ensures that even if an adversary gains a foothold, their mission becomes infinitely harder – safeguarding vital infrastructure and preserving trust so that nations like Singapore can protect and advance their missions as secure digital hubs.
The writer is SUSE's chief technology officer for Asia-Pacific, Japan and Greater China
