Introducing Singapore’s new draft Cybersecurity Bill

12/07/2017

As a small and highly connected nation, Singapore is dependent on info-communications technology, and cybersecurity threats need to be taken seriously. Attacks on critical information infrastructure (CII) systems that manage utilities, healthcare, transportation and other essential services can lead to disruptions that can cripple Singapore’s economy and lead to loss of life.

Even though the current Computer Misuse and Cybersecurity Act (CMCA) already has some provisions on cybersecurity, it primarily concerns cybercrime such as e-commerce scams and hacking. This draft Cybersecurity Bill caters more broadly to the security of a computer or computer system against unauthorised access or malicious acts, to preserve their availability and integrity, or the confidentiality of information stored or processed in them.

The intention behind the draft Cybersecurity Bill is to have a coordinated national approach to cybersecurity, and ensure that CIIs across all sectors are protected consistently. Its provisions will apply equally to both public and private sectors.

The following are the key provisions under the draft Cybersecurity Bill:

1. Appointment of Commissioner and Powers. The powers of the Cybersecurity Bill will vest in the Commissioner of Cybersecurity, who has various functions including the overseeing and maintenance of cybersecurity in Singapore.

2. Critical Information Infrastructure. CIIs are computers or computer systems that are necessary for the continuous delivery of essential services that Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. Currently, essential services have been identified in 11 sectors, including utilities, banking and finance, media, info-communications, healthcare and transportation. The owners of CIIs, which are defined as persons with, amongst others, effective control over the operations of the CII, have certain statutory duties. These include the duties to comply with codes and directions; to conduct audits and risk assessments; to report cybersecurity incidents, including any incident that occurs in respect of the CII and any incident that occurs in respect of any computer or computer system under the owner’s control that is interconnected with or communicates with the CII; and to participate in cybersecurity exercises.

3. Responses to Cybersecurity Threats and Incidents. If there is a cybersecurity threat or incident, the Commissioner can choose to investigate it in order to determine its impact, to prevent further harm and to prevent further incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore, not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.

4. Information Sharing. The draft Cybersecurity Bill also establishes a framework for the sharing of cybersecurity information with, and by, officers of the Cyber Security Agency of Singapore (CSA) to relevant parties for the purpose of preventing, detecting, countering or investigating any cybersecurity threat or incident, and for the protection of such information. Cybersecurity attacks can move around the world instantaneously, and the availability of reliable and timely information and threat intelligence is crucial to preventing and countering such cybersecurity attacks. This effort is an extension of the APAC Regional Intelligence and Analysis Centre, a collaboration between the Financial Services Information Sharing and Analysis Center and the Monetary Authority of Singapore that, amongst other things, encourages cybersecurity information sharing and analysis between financial institutions around the APAC region.

5. Regulation of Cybersecurity Service Providers. As cybersecurity risks grow, the need for credible cybersecurity services is also growing. The draft Cybersecurity Bill introduces a light-touch licensing regime for cybersecurity service providers because (a) they can have significant access into clients’ computer systems and can gain deep understanding of those systems’ vulnerabilities; (b) there is a need to introduce baseline quality requirements; and (c) there is a need to help organizations identify credible service providers.

As Singapore moves towards its goal of becoming a Smart Nation, we will become increasingly dependent on technology and concurrently more vulnerable to the impact of cybersecurity attacks. The proactive approach to cybersecurity in the draft Cybersecurity Bill, which seeks to thwart cybersecurity threats before they materialise, is to be welcomed.

Nonetheless, there needs to be a balance between ensuring cybersecurity and making sure that the obligations imposed on the relevant stakeholders are not overly onerous. The public consultation on this draft Cybersecurity Bill closes on 3 August 2017, and affected parties will want to submit their feedback before that so that their views on whether this balance has been struck can be heard.