AI in Cyber Security: CSA Orders CII Leaders to Review AI-Enabled Threats

AI in cyber security took center stage as Singapore's CSA ordered board-level reviews across all CII sectors. The Silicon Review reports on Senior Minister Tan Kiat How's directive that cyber risk can no longer be delegated to IT teams alone.

The Cyber Security Agency of Singapore has issued a directive requiring board-level reviews across all Critical Information Infrastructure sectors to assess cyber risks from AI-enabled threats, marking a significant escalation in the nation's cyber defence posture.

Senior Minister of State for Digital Development and Information Tan Kiat How announced the directive at the CSA's annual Cybersecurity Leadership Summit, warning that the integration of artificial intelligence into offensive cyber operations has fundamentally altered the threat landscape for Singapore's most vital sectors, including banking, energy, water, transport, healthcare, and government.

Cybersecurity risk management can no longer be delegated to technical teams alone. "This is not an issue that should be delegated to IT teams alone. It demands leadership attention at the highest levels," Tan told an audience of C-suite executives and board members. "Board members cannot claim plausible deniability if they are not monitoring how AI-powered threats could disrupt their operations."

The directive requires each CII owner to submit risk assessment reports within 90 days, followed by remediation plans within six months. The reviews must examine: adversarial machine learning models that can poison or evade AI detection systems; deepfake-enabled social engineering targeting financial and data systems; and automated attack agents that can recon autonomously.

Specifically, financial institutions must assess the risk of hyper-personalized deepfake scams that bypass current biometric verification, while energy and water utilities must examine AI-driven control system intrusions.

To support compliance, CSA will release an AI in cyber security playbook for CII boards and establish a threat intelligence sharing platform focused on AI-driven attack patterns. CSA will also host a series of "red-teaming" exercises simulating sophisticated AI-enabled attacks.

Data from the Cybersecurity risk management division of the Ministry of Communications and Information indicates that AI-powered phishing attacks have increased 226% year-on-year in Singapore, while deepfake-based fraud incidents in the financial sector have doubled since 2024.

"Every board should already be discussing cyber risks at every meeting. With AI, the stakes have multiplied," Tan concluded.

As the CSA orders Critical Information Infrastructure leaders to conduct urgent board-level reviews of AI-enabled threats, The Silicon Review examines how Singapore is forcing a tectonic shift in cybersecurity risk management from IT backrooms to the highest levels of corporate governance and why a 226% surge in AI-powered attacks left regulators no choice.