Sectoral Cyber Defence Teams (SCDTs)
CASE STUDY
Protecting Singapore’s Critical Information Infrastructure
| Category | Detail |
| Organization | Ministry of Defence (MINDEF), Singapore |
| Initiative | Sectoral Cyber Defence Teams (SCDTs) |
| Lead Agency | Digital and Intelligence Service (DIS) |
| Deployment Date | June 2026 |
| Domain | National Cybersecurity / Critical Information Infrastructure (CII) |
| Report Date | March 2026 |
1. Executive Summary
Singapore’s Ministry of Defence (MINDEF), through the Digital and Intelligence Service (DIS), has launched the Sectoral Cyber Defence Teams (SCDTs) initiative — a structural reorganisation of the Republic’s national cyber defence posture. Deploying from June 2026, SCDTs embed both regular military personnel and National Servicemen (NSmen) with sector-specific expertise directly into Singapore’s Critical Information Infrastructure (CII) sectors, including telecommunications, power, and transport.
This initiative marks a doctrinal shift from episodic, reactive incident response to a persistent, proactive, and coordinated defence strategy. It is underpinned by a reconceptualisation of civil-military integration in the cyber domain, leveraging the unique expertise Singapore’s NSmen accumulate in their civilian careers to fill capability gaps in defending nationally critical systems.
2. Background and Context
2.1 Singapore’s Digital Threat Landscape
As one of the world’s most digitally integrated economies, Singapore presents an inherently broad cyberattack surface. Its tightly coupled digital systems — spanning finance, telecommunications, utilities, and transportation — mean that disruption in any one sector can propagate rapidly across the national infrastructure. Defence Minister Chan Chun Sing has explicitly acknowledged that Singapore is not unfamiliar with state and non-state actors using cyber and digital tools to exert pressure short of full-scale conflict.
The threat environment is dominated by Advanced Persistent Threat (APT) groups: organised, well-resourced, and patient adversaries whose objectives span espionage, sabotage, and pre-positioning for future disruption. The February 2026 disclosure that APT group UNC3886 had targeted all four major Singapore telecommunications companies underscored the sophistication and reach of these actors, even as authorities confirmed that no sensitive data was exfiltrated and critical 5G infrastructure remained uncompromised.
2.2 Institutional Context
The Digital and Intelligence Service (DIS), established as Singapore’s fourth armed service in 2022, serves as the primary military institution for cyber and digital defence. Operating under the Singapore Armed Forces (SAF), DIS has developed the Defence Cyber Command (DCC), within which the Cyber Protection Group (CPG) sits. The CPG is responsible for coordinating active defence of Singapore’s CII and forms the organisational home for the newly established SCDTs.
Singapore’s National Service (NS) framework — which mandates military service for male citizens and permanent residents — provides a unique human capital asset. Many NSmen who served with DIS return to civilian careers in technology, cybersecurity, telecommunications, and other digitally intensive fields, accumulating expertise directly applicable to the defence of CII sectors. The Enhanced Expertise Deployment Scheme (EEDS), launched in 2022, was designed to harness this talent by enabling NSmen with specialised civilian expertise to be deployed in operationally relevant roles during their reservist obligations.
3. Case Study: The SCDT Initiative
3.1 Problem Statement
Prior to the establishment of SCDTs, SAF’s contributions to CII cyber defence were characterised by episodic involvement — reactive engagements triggered by incidents, rather than sustained, sector-embedded presence. This approach was structurally mismatched against APT adversaries, whose hallmark is precisely their persistent, long-dwell, low-and-slow methodology. The gap between the adversary’s operational tempo and Singapore’s defensive posture created structural vulnerability.
Compounding this, the boundary between civilian and military targets in cyberspace is, as the minister noted, blurred. A successful attack on a telco or power utility is simultaneously a civilian and a national security incident. The institutional siloes between the Cyber Security Agency of Singapore (CSA), which is the civilian CII regulator, and the SAF, which has military cyber capabilities, meant that coordination during complex APT intrusions was less systematic than the threat demanded.
3.2 The SCDT Model
SCDTs are organised sector-aligned teams comprising both DIS regulars and NSmen with matching civilian expertise. Each team is assigned to a specific CII sector — telecommunications, power, transport, and others — enabling team members to develop deep sector knowledge and established relationships with CII operators over time.
Key design features of the SCDT model include:
- Sector alignment: Each SCDT maps to a defined CII sector, enabling specialists to develop domain-specific threat intelligence and operational familiarity.
- Civil-military integration: NSmen contribute expertise from their civilian roles — e.g., threat intelligence analysts at IMDA who work directly with telco operators — bridging the knowledge gap between government cyber regulators and military defence capabilities.
- Persistent engagement: Unlike episodic surge deployments, SCDTs maintain a continuous defensive posture, monitoring, analysing, and coordinating across their assigned sector.
- Community building: Teams are tasked with cultivating sector-specific cybersecurity communities of practice, facilitating the sharing of threat intelligence and best practices among CII operators.
- SAF-CSA complementarity: SCDTs complement rather than supplant the Cyber Security Agency, enhancing Singapore’s layered defence architecture.
3.3 Enabling Infrastructure: The SAF Digital Range
The SCDT initiative is underpinned by a significant training infrastructure investment. The SAF’s Digital Range — with its first phase operational in 2026 — builds on the upgraded Cyber Defence Test and Experimentation Centre (CyTEC). Drawing analogy to a live-firing range for warfighters, the digital range provides a sophisticated AI-powered environment for training cyber defenders in complex, realistic scenarios.
Capabilities include simulation of advanced cyber intrusion scenarios, remote connectivity with overseas partners for multilateral exercises, and facilitated collaboration with government agencies and private CII operators. This infrastructure enables SCDTs to conduct realistic rehearsals of the scenarios they will face in their operational roles.
3.4 Representative Case: The Telecommunications SCDT
Military Expert 4 (NS) Lye Han Wei, a cyberthreat intelligence and response manager with the Infocomm Media Development Authority (IMDA), exemplifies the SCDT model. In his civilian role, he analyses emerging threats, produces actionable intelligence reports, and works directly with telco operators on resilience and incident recovery. He also conducts digital forensics and incident response. Assigned to the telecommunications SCDT, he brings this applied expertise — including established working relationships with operators — directly into his NS role. This profile illustrates how the SCDT model converts Singapore’s NS obligation from a generic military training exercise into a high-value, operationally relevant contribution to national security.
| Aspect | Pre-SCDT (Episodic) | Post-SCDT (Persistent) |
| Engagement model | Reactive, incident-triggered | Proactive, continuous |
| Sector knowledge | Generalised | Deep, sector-specific |
| Civil-military coordination | Ad hoc | Structured and ongoing |
| NSman utilisation | Generic roles | Matched to civilian expertise |
| Threat posture alignment | Mismatched to APT tempo | Aligned to APT persistence |
4. Strategic Outlook
4.1 Near-Term (2026–2028)
The immediate priority is the operationalisation of the first cohort of SCDTs across the core CII sectors. Critical success factors in this phase include: effective matching of NSman skill profiles to sector assignments; establishment of working-level trust relationships between SCDTs and CII operators; and the development of sector-specific threat intelligence baselines. The digital range’s AI-simulated training environment will be pivotal in accelerating team readiness.
The UNC3886 telco attack, while contained, is likely to accelerate resourcing and inter-agency coordination mechanisms. Near-term, the CSA-DIS coordination framework will require formalisation to ensure that SCDTs’ military authorities and CSA’s regulatory mandate are clearly delineated and mutually reinforcing.
4.2 Medium-Term (2028–2033)
As SCDTs mature, the initiative’s community-building mandate — fostering sector-specific cybersecurity communities among CII operators — may prove to be its most durable contribution. These communities, sharing threat intelligence in near-real-time, can substantially raise the collective defensive floor across each sector. Singapore may emerge as a reference model for other small, highly digitised states seeking to integrate civil and military cyber capabilities without large standing cyber forces.
The expansion of the digital range to facilitate multilateral exercises with overseas partners suggests a trajectory toward deeper bilateral and multilateral cyber defence cooperation within ASEAN and with Five Eyes-adjacent partners, extending the SCDT model’s influence beyond Singapore’s borders.
4.3 Long-Term Structural Considerations
The SCDT initiative’s sustainability is contingent on several structural factors. First, continued NS demographic investment in STEM and cybersecurity education will determine the depth of the talent pool available for future SCDT cohorts. Second, as AI and automation reshape both offensive and defensive cyber operations, the digital range’s AI simulation capabilities will require continuous updates to remain strategically relevant. Third, the blurring of civilian-military boundaries in cyberspace raises unresolved legal and normative questions — particularly around rules of engagement for active defence operations that may touch civilian infrastructure.
5. Solutions and Recommendations
5.1 Institutional and Governance Solutions
To maximise the effectiveness of SCDTs, several institutional mechanisms are recommended:
- Formalise a CSA-DIS Joint Operations Protocol establishing clear triggers, authorities, and communication channels for SCDT activation during CII incidents. This should delineate CSA’s regulatory primacy and DIS’s operational support role to prevent jurisdictional friction.
- Establish a National CII Cyber Defence Council comprising representatives from MINDEF, CSA, the Cyber Security Agency of Singapore, and sector leads from each CII domain. This body should meet regularly to review threat intelligence and coordinate SCDT tasking.
- Develop formal data-sharing agreements between SCDT sector operators and civilian CII owners, enabling classified threat intelligence to be appropriately sanitised and shared to improve sector-wide defensive posture.
5.2 Talent and Human Capital Solutions
The SCDT model’s dependence on NSmen expertise creates human capital pipeline risks that require proactive management:
- Expand the Enhanced Expertise Deployment Scheme through active talent mapping of DIS alumni in the private sector, enabling earlier identification and pre-assignment of high-value NSmen to SCDT roles before their reservist cycles.
- Create SCDT-specific training pathways within the DIS career framework, providing NSmen with advanced certifications, threat intelligence analyst training, and sector-specific credentialling that complements rather than duplicates their civilian qualifications.
- Explore retention incentives — including MINDEF Scholarships, professional development funding, or enhanced CPF contributions — to encourage NSmen with rare cyber expertise to maintain active DIS participation beyond statutory obligations.
5.3 Technical and Operational Solutions
The digital range and CyTEC provide a foundational technical capability, but additional investments are warranted:
- Develop sector-specific threat simulation modules within the digital range that replicate the SCADA, ICS, and OT environments prevalent in power and transport CII, enabling SCDT members to rehearse scenarios directly relevant to their assigned sectors.
- Implement a Cyber Threat Intelligence (CTI) sharing platform interoperable with CSA’s existing platforms and international CTI feeds, enabling SCDTs to ingest, analyse, and disseminate threat intelligence in near-real-time.
- Establish SCDT-specific red team programmes — perhaps drawing on SAF cyber units and white-hat contractors — to conduct persistent adversarial testing of CII operators’ defences, identifying vulnerabilities before APT actors can exploit them.
5.4 Regional and International Engagement
- Leverage the digital range’s remote connectivity capability to institutionalise annual bilateral cyber defence exercises with ASEAN partners, building interoperability and shared situational awareness for regional CII threats.
- Position SCDTs as a knowledge-export asset, sharing the SCDT model through ASEAN defence cooperation frameworks to help neighbouring states develop analogous capabilities and raise the regional cyber defensive baseline.
6. Impact Assessment
6.1 National Security Impact
The establishment of SCDTs represents a substantive enhancement to Singapore’s national cyber resilience. By shifting from reactive to persistent, proactive defence of CII sectors, SCDTs structurally close the adversarial tempo mismatch that characterised Singapore’s pre-SCDT posture. The model is specifically calibrated against APT threat actors, whose persistent and organised approach now meets a persistent and organised defence. The direct embedding of personnel with civilian sector expertise further ensures that SCDT interventions are operationally informed and contextually appropriate — reducing both response time and the risk of defensive actions that inadvertently disrupt the services they are protecting.
6.2 Civil-Military Integration Impact
The SCDT model represents one of the more sophisticated attempts by any small state to operationalise civil-military integration in the cyber domain. By deploying NSmen in roles that directly leverage their civilian expertise, Singapore converts its NS obligation — historically a liability in economic productivity terms — into a national security asset. This dual-use of human capital is particularly well suited to cyberspace, where domain knowledge accumulated in the private sector is often more operationally relevant than purely military training. The model may have significant implications for how other states with NS frameworks — South Korea, Israel, Switzerland — conceptualise cyber reserve forces.
6.3 Economic and Sectoral Impact
CII sectors — telecommunications, power, and transport — underpin Singapore’s economic activity. A successful APT disruption of any of these sectors would carry substantial economic costs: estimated global costs of major cyberattacks on critical infrastructure run into the tens of billions of dollars. By elevating the defensive posture of these sectors, SCDTs provide a form of macroeconomic insurance, reducing the probability and severity of economically damaging cyber incidents. The community-building mandate additionally raises the aggregate cybersecurity maturity of CII operators, producing positive externalities across the private sector.
6.4 Signalling and Deterrence Impact
Beyond operational effectiveness, the public announcement of SCDTs — including their proactive, persistent mandate — carries a deterrence dimension. By signalling that Singapore’s CII sectors are now defended by organised, expert teams aligned to each sector’s threat profile, MINDEF may raise the cost calculus for APT actors considering operations against Singaporean CII. The explicit linkage to the UNC3886 telco attack in parliamentary proceedings reinforces the message that Singapore attributes attacks, learns from them, and reorganises its defences in response.
6.5 Limitations and Risks
The SCDT initiative is not without limitations. Its effectiveness is contingent on: the depth of the NSman expert pipeline, which is finite; the quality of inter-agency coordination mechanisms, which are still being developed; and the pace of capability development at the digital range, which must keep pace with an evolving threat landscape. There is also an inherent tension between the military classification environment within which SCDTs operate and the information-sharing imperatives of effective CII defence, which may create friction in practice. Finally, the model’s applicability to cyber operations that implicate offensive or active defence authorities — beyond the defensive scope described — remains undefined.
| Impact Dimension | Assessment | Confidence |
| National cyber resilience | Significant structural improvement; closes APT tempo gap | High |
| Civil-military integration | Innovative and potentially exportable model | High |
| Economic security | Reduces probability and severity of CII disruption costs | Medium-High |
| Deterrence signalling | Raises adversarial cost calculus; reinforces attribution posture | Medium |
| Regional influence | Potential ASEAN reference model pending operational validation | Medium |
| Pipeline sustainability | Dependent on NS STEM talent pipeline depth | Medium-Low |
7. Conclusion
Singapore’s SCDT initiative is a carefully calibrated institutional response to a structural mismatch between the persistence of APT threats to CII and the episodic nature of prior defensive engagements. By embedding sector-expert teams — drawing on the unique human capital generated by Singapore’s NS framework — MINDEF has translated a national institutional obligation into a precision cyber defence instrument. The initiative’s success will ultimately be measured not by the absence of attacks, which cannot be guaranteed, but by the speed and effectiveness of detection, containment, and recovery when APT actors inevitably probe Singapore’s CII.
The broader significance of the SCDT model lies in its demonstration that small states with highly digitised economies can develop world-class cyber defence capabilities through creative institutional design rather than through scale alone. As Singapore operationalises SCDTs and builds the community-of-practice infrastructure around them, it positions itself not only as a more resilient target but as a potential model for allied and partner nations navigating the same civil-military cyber integration challenges.
8. References and Sources
Devaraj, S. (2026, February 27). MINDEF to deploy sectoral cyber teams to help defend critical services. The Straits Times. SPH Media Limited.
Ministry of Defence Singapore. (2026). Defence Budget Debate Statement by Minister Chan Chun Sing. MINDEF.
Cyber Security Agency of Singapore. (2023). Singapore Cyber Landscape 2023. CSA.
Digital and Intelligence Service (DIS). (2022–2026). Enhanced Expertise Deployment Scheme. SAF/MINDEF.
Ministry of Defence Singapore. (2022). Digital and Intelligence Service: Formation Statement. MINDEF.