Singapore’s First Cybersecurity Chief David Koh Retires July 1

Singapore’s first Commissioner of Cybersecurity and founding chief executive of the Cyber Security Agency of Singapore (CSA), David Koh, will retire on July 1, 2026, after more than four decades in public service. The announcement, made by the Ministry of Digital Development and Information (MDDI) on June 17, marks the end of an 11-year tenure at the helm of the nation’s dedicated cybersecurity agency, during which Koh helped shape Singapore into a globally respected voice on digital security matters.

Koh, 61, has been instrumental in establishing and strengthening Singapore’s cybersecurity posture since CSA’s inception in 2015. His departure comes at a time when the city-state continues to navigate an increasingly complex threat landscape involving state-sponsored actors, sophisticated ransomware campaigns, and emerging risks tied to artificial intelligence and quantum computing.

Building Singapore’s Cybersecurity Foundations from the Ground Up

David Koh assumed the role of founding chief executive of CSA in April 2015. At that time, cybersecurity responsibilities were dispersed across various government agencies. Koh consolidated these efforts into a unified national agency focused on protecting critical information infrastructure, fostering a vibrant cybersecurity ecosystem, and positioning Singapore as a thought leader in international forums.

One of his earliest and most significant contributions was leading the development of Singapore’s first Cybersecurity Strategy in 2016. This comprehensive blueprint outlined priorities across critical infrastructure protection, cyber defence capabilities, and workforce development. The strategy was refreshed in 2021 to incorporate lessons from evolving threats and to emphasise greater collaboration with the private sector, including plug-and-play security tools for consumers and enhanced international partnerships.

Koh also oversaw the introduction of the Cybersecurity Act in 2018. The legislation imposed mandatory cybersecurity standards on operators of critical information infrastructure and required reporting of serious incidents. Amendments passed in 2024 extended oversight to key digital services and third-party providers whose compromise could disrupt essential services, reflecting the growing interdependence of Singapore’s digital economy.

Managing High-Profile Incidents and Building Resilience

Throughout his leadership, Koh demonstrated crisis management capabilities during several notable incidents. He guided the national response to the 2018 SingHealth breach, one of Singapore’s largest data thefts at the time, which affected 1.5 million patients. The episode prompted a thorough review of healthcare sector defences and broader improvements in incident response protocols across government.

More recently, Koh led the whole-of-government response to activities attributed to the UNC3886 cyberespionage group targeting Singapore’s telecommunications infrastructure. These efforts underscored the importance of continuous vigilance and rapid coordination between public and private sectors. Under his guidance, CSA also advanced work on threat detection tools tailored to Singapore’s unique environment.

Advancing Talent, Innovation and Emerging Technology Readiness

Recognising that technology alone cannot secure a nation, Koh prioritised human capital development. He championed the CyberSG Talent, Innovation and Growth Collaboration Centre to nurture cybersecurity professionals and support start-ups. The CyberSG R&D Programme Office was established to drive research commercialisation and strengthen ties between academia, industry and government.

Koh’s forward-looking approach extended to emerging technologies. In concurrent roles at MDDI as Chief (Digital Security and Technology) from 2022 to 2026 and Chief Quantum Advisor from 2025, he shaped Singapore’s strategies on artificial intelligence security and quantum-safe migration. These initiatives aim to future-proof critical systems against next-generation threats while maintaining Singapore’s competitive edge in the digital economy.

Establishing Singapore as a Global Cybersecurity Thought Leader

Internationally, Koh architected Singapore’s cyber engagement strategy. This included active participation in the United Nations Group of Governmental Experts on ICT security from 2019 to 2021 and chairing the UN Open-Ended Working Group on cybersecurity from 2021 to 2025. Singapore’s voice helped promote norms of responsible state behaviour in cyberspace and practical confidence-building measures.

Koh launched the Singapore International Cyber Week in 2016. What began as a modest gathering has grown into one of Asia’s premier cybersecurity conferences, attracting policymakers, industry executives and technical experts from around the world each year. The event has become a key platform for dialogue on pressing issues ranging from supply chain security to the governance of frontier technologies.

For his contributions, Koh received the Public Administration Medal (Gold) in 2017 and the Public Administration Medal (Gold) (Bar) in 2025, among Singapore’s highest honours for public servants.

A Smooth Transition: Welcoming Gwenda Fong

Succeeding Koh is Gwenda Fong, 48, who brings more than 20 years of public sector experience across technology, security and social policy domains. She will assume the dual roles of CSA chief executive and Commissioner of Cybersecurity on July 1.

Fong previously served as Deputy Secretary (Digital Society and Development) at MDDI, where she oversaw the development of an inclusive and safe digital society. She led the review of the Digital Society Strategy supporting Smart Nation 2.0 and worked on measures to combat online harms, sustain trusted public service media, and strengthen legislative frameworks against misinformation and other digital risks.

Her earlier tenure at CSA from 2017 to 2022 as Assistant Chief Executive (Policy and Corporate Development) gave her direct involvement in drafting the original Cybersecurity Act and refreshing the national strategy. Additional experience at the Infocomm Media Development Authority and other ministries equips her with a broad perspective on both technical security and societal dimensions of digital policy.

Implications for Singapore’s Ongoing Cybersecurity Journey

Koh’s retirement occurs against a backdrop of persistent and evolving threats. Singapore’s status as a global financial and logistics hub makes it an attractive target for sophisticated actors. The leadership transition provides an opportunity to build on established foundations while adapting to new realities such as AI-enabled attacks and supply-chain vulnerabilities.

Officials have emphasised continuity. Permanent Secretary Chng Kai Fong of MDDI noted that Koh had “built CSA from the ground up and set Singapore on a strong footing,” creating a solid platform for continued success. The agency’s mandate remains focused on protecting critical infrastructure, fostering ecosystem growth, and advancing international cooperation.

Looking Ahead: Continuity and Adaptation in a Dynamic Threat Environment

With Fong at the helm, CSA is expected to maintain momentum on talent pipelines, regulatory updates, and public-private partnerships. Her background in digital society issues positions the agency well to integrate cybersecurity with broader efforts to build public trust in digital services.

Key priorities likely to carry forward include enhancing threat intelligence sharing, accelerating adoption of secure-by-design principles across industries, and contributing to global discussions on responsible AI development and quantum-resistant cryptography. Singapore’s proactive stance, honed under Koh, provides a strong base for these endeavours.

Legacy of Visionary Leadership and Institutional Strength

David Koh leaves behind a national cybersecurity institution that has matured from a nascent agency into a respected global player. His emphasis on whole-of-society approaches, legislative clarity, and international engagement has helped embed cybersecurity into Singapore’s national fabric.

As the city-state marks CSA’s continued evolution, Koh’s tenure serves as a reminder of the long-term commitment required to safeguard digital sovereignty in an interconnected world. Colleagues and stakeholders across government and industry have expressed appreciation for his steady hand and strategic foresight over the past decade.

Conclusion: A New Chapter for Singapore’s Cyber Defences

The retirement of David Koh on July 1, 2026, closes a significant chapter in Singapore’s cybersecurity story while opening another under Gwenda Fong’s leadership. With robust frameworks already in place and a clear pipeline of talent and policy initiatives, Singapore remains well-positioned to address future challenges. The transition reflects the maturity of the nation’s institutions and the deliberate succession planning that characterises effective public service leadership.

About the author

Dr. Sophia Langford

Academic Jobs In House Author

Frequently Asked Questions

When does David Koh officially retire from CSA?

David Koh retires on July 1, 2026, after serving as founding chief executive since 2015 and Commissioner of Cybersecurity since 2018.

Who is replacing David Koh at the Cyber Security Agency?

Gwenda Fong, previously Deputy Secretary at MDDI, will assume the roles of CSA chief executive and Commissioner of Cybersecurity on July 1.

What were David Koh’s major achievements at CSA?

Koh led development of Singapore’s Cybersecurity Strategy, oversaw the Cybersecurity Act, managed major incidents including the SingHealth breach, and elevated Singapore’s international profile through UN engagements and Singapore International Cyber Week.

How long did David Koh serve in public service?

Koh served 42 years in public service, including 11 years at CSA.

What is the Cybersecurity Act and why was it important?

Enacted in 2018 and amended in 2024, the Act sets mandatory standards for critical information infrastructure operators and requires incident reporting, forming the legislative backbone of Singapore’s cybersecurity regime.

What international roles did Singapore play under Koh’s leadership?

Singapore participated in the UN Group of Governmental Experts and chaired the UN Open-Ended Working Group on cybersecurity while hosting the annual Singapore International Cyber Week conference.

What experience does Gwenda Fong bring to the role?

Fong has over 20 years in public service, including prior roles at CSA, IMDA and MDDI focusing on digital policy, online harms and strategy development.

How has Singapore responded to recent cyber incidents?

Under Koh, CSA coordinated responses to incidents such as the SingHealth breach and UNC3886 activities, strengthening detection and resilience capabilities.

What ongoing priorities will CSA focus on after the transition?

Priorities include talent development, AI and quantum security, regulatory updates, and continued international cooperation to address evolving threats.

Where can I read the official announcement?

The full MDDI press release is available on the Ministry website. Additional coverage appears in The Straits Times and Channel NewsAsia.