Draft cybersecurity legislation in Singapore seeks to strengthen protection of Critical Information Infrastructure
The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) have issued an invitation to the public to provide feedback on a proposed Cybersecurity Bill. The public consultation exercise will run from 10 July to 3 August 2017.
MCI/CSA commenced work on the Bill in late 2015. Several rounds of consultations have been held with key stakeholders, including regulators of our critical sectors, potential CII owners, industry associations, and cybersecurity professionals.
The proposed Bill has four objectives:
- To provide a framework for the regulation of Critical Information Infrastructure (CII). This formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs.
- To provide CSA with powers to manage and respond to cybersecurity threats and incidents. Section 15A of the current Computer Misuse and Cybersecurity Act (“CMCA”) already provides some powers related to cybersecurity. These will be enhanced within the Cybersecurity Bill, and specific powers will be vested directly in CSA officers.
- To establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information.
- To establish a light-touch licensing framework for cybersecurity service providers.
The consultation document draws a distinction between cybercrime and cybersecurity. Cybercrime can involve traditional, real-world crimes that are committed using a computer, such as e-commerce scams; these are covered by criminal laws such as the Penal Code. Or it can involve criminal acts that target computer systems themselves. Such offences are commonly referred to as “hacking”, and are covered by the CMCA. Cybercrime is under the purview of the Ministry of Home Affairs (MHA) and the Singapore Police Force (SPF).
Cybersecurity meanwhile refers to the security of a computer or computer system against unauthorised access or malicious acts, to preserve the availability and integrity of the computer or computer system, or the confidentiality of information stored or processed in the computer or computer system. National cybersecurity matters are under the purview of the CSA.
Four key principles
The first principle is to have a coordinated national approach, recognising that cybersecurity can only be as strong as the weakest link. The aim is to have a common framework across all sectors, so that CIIs are protected consistently, and to adopt a whole-of-government approach by empowering not only CSA officers but also officers from sector leads to investigate cybersecurity threats and incidents.
The second principle is that there will be consistent application of the framework across sectors but it has to be flexible, taking into account the unique circumstances of each sector. The Bill recognises that every CII sector is different, in terms of the types of technology used, the nature of relationships between government and the private sector, and the current cybersecurity maturity level of industry players.
The third principle is to take a proactive approach to CII protection.
The fourth principle is that the provisions of the Bill will apply equally to both public and private sectors. Hence, the same duties shall apply to owners of CII in the private sector, in statutory boards and in the Government.
Commissioner of Cybersecurity
The powers of the Bill shall be vested in a Commissioner of Cybersecurity (Commissioner), to be appointed by the Minister-in-charge of Cybersecurity (Minister). The position will be held by the Chief Executive of CSA. The Minister may also appoint a Deputy Commissioner (DC), as well as a number of Assistant Commissioners (AC). These ACs will oversee and enforce the protection requirements for CIIs.
Designation as CII and duties of CII owners
CII is defined as a computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
CIIs may be owned by public or private organisations and may be located wholly or partly in Singapore. Today, the CIIs fall under 11 critical sectors: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10) Security and Emergency Services, (11) Water.
The Bill will allow the Commissioner to designate a computer or computer system as a CII. Prior to doing so, the Commissioner may require the owner to provide certain information about the computer or computer system. The designation of a computer or computer system as a CII is an official secret under the Official Secrets Act, and shall not be divulged to the public.
CII owners will have the duties to provide information to the Commissioner on the technical architecture of the CII; to comply with codes and directions; to report relevant cybersecurity incidents; to conduct regular compliance audits; to conduct regular risk assessments; and to participate in cybersecurity exercises.
Powers to investigate cybersecurity threats and incidents and penalties
Three scenarios are proposed for the exercise of these powers. For ‘All cybersecurity threats and incidents’, if the Commissioner has information regarding a cybersecurity threat or incident, the Commissioner may examine anyone relevant to the investigation and take statements, and require the provision of relevant information, typically in the form of technical logs. This will also allow the Commissioner to decide whether the threat or incident is serious and therefore warrants further action.
For ‘Serious cybersecurity threats and incidents’, the Commissioner may exercise more intrusive measures, including directing persons to carry out remedial measures and assist in the investigation, enter premises where relevant computers and computer systems are located, access such computers, and scan computers for cybersecurity vulnerabilities. The Commissioner may also seize any computer or equipment for the purpose of carrying out further examination and analysis, if certain conditions are met.
In the case of ‘Emergency measures and requirements’, the Minister may (by issuing a certificate) authorise any person or organisation to take such measures, or comply with such requirements, as may be necessary to prevent, detect or counter any threat to a computer or computer service, or any class of computers or computer services.
In cases of wilful non-compliance with directions or wilful refusal to provide information, penalties may be imposed in the form of fines or imprisonment.
Light-touch licensing regime for cybersecurity service providers
The proposed licensing framework aims to provide greater assurance of safety and security to consumers of cybersecurity services, address information asymmetry in the industry, and raise the standards of cybersecurity service providers and professionals.
Two categories of service are contemplated: investigative and non-investigative cybersecurity services.
To start, CSA is proposing to license penetration testing service providers and individuals under an investigative cybersecurity service licence, and managed security operations centre (SOC) monitoring service providers under a non-investigative cybersecurity service licence.
Licensing requirements and registration procedures will be kept as simple as possible. Applications will be submitted and processed online, and service providers with established track records will be granted longer licence terms. CSA will conduct audits from time to time to ensure that licensing requirements are met. CSA also intends to keep licence fees low.
CSA will have further consultation with the industry on detailed requirements before the framework is operationalised.