MCI and CSA to refine designation of Critical Information Infrastructures (CIIs) and duties of CII owners in Singapore’s proposed Cybersecurity Bill
The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) have released a report on the public consultation on the proposed Cybersecurity Bill. The draft bill was released in July 2017. The original submission deadline of 3 August 2017 was extended in response to requests for more time to provide feedback.
At the close of the public consultation on the draft Bill, which ran from 10 July to 24 August 2017, 92 submissions had been received from a wide and diverse range of stakeholder groups.
Respondents included local and international organisations, multi-national companies, industry and professional associations, sector regulators, academia and members of the public. During this period, CSA also participated in dialogues with industry organisations and attended sessions organised by professional associations for their members and the public to address queries regarding the Bill.
Respondents generally shared the Singapore Government’s concerns about the impact of increasingly sophisticated cyber-attacks, which could cause major disruptions or even cripple the economy. Respondents acknowledged the timeliness and importance of the Bill in setting the necessary legislative framework for proactive oversight of, and response to, cyber threats and incidents.
Several respondents also agreed with the need for cybersecurity information-sharing between CSA and other organisations, including the need to safeguard the information source and information disclosed.
However, respondents had some reservations about the proposed licensing framework.
Following careful deliberation, MCI and CSA intend to refine the Bill in several respects. Among the clauses to be refined are the following:
Designation of Critical Information Infrastructures (CIIs) - Some respondents felt that the proposed definition of CIIs was too broad and asked for more clarity on the scope of “computers” and “computer systems” that might be designated as CIIs.
MCI and CSA have clarified that this definition is intended to formalise existing engagements with CII stakeholders, which have been in place since 2013. The Bill will be amended to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs.
All other computers and computer systems will not be considered CIIs, and the obligations in Part 3 of the Bill therefore do not apply to them. Specifically, computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs, so third-party vendors will not be considered owners of CIIs.
CII owners are ultimately responsible for the cybersecurity of their CIIs. If need be, CII owners can impose cybersecurity requirements contractually on their vendors.
Duties of CII owners - Respondents suggested that any codes of practice and standards of performance required under the Bill should take into consideration any existing codes and standards that CII owners were already required to comply with, e.g. sectoral regulations, in order to avoid inconsistencies and confusion.
In response, MCI and CSA plan to work closely with sector regulators to streamline and harmonise the obligations of CII owners under the Bill with their respective sectoral regulations.
The appointment of Assistant Commissioners to oversee CIIs in each sector will ensure that the Bill requirements are sensible and take into account existing sector-specific requirements, including international requirements. This is because the sector regulators understand the unique contexts and complexities in each sector, and are in a good position to balance the sectors’ cybersecurity needs and business requirements.
Requirements of licensing regime - Several respondents expressed reservations about the proposed licensing framework. Some respondents were against licensing of cybersecurity service providers in any form as they felt that licensing could impact the development of a vibrant cybersecurity ecosystem in Singapore.
To strike a balance between industry development and security needs, MCI and CSA intend to simplify the licensing framework by doing away with the licensing of individual cybersecurity professionals, and removing the distinction between “investigative” and “non-investigative” types of licensable services.
This is expected to make the Bill more future-proof and enable it to stay relevant even as cybersecurity services continue to evolve. At this point, MCI and CSA intend to license only penetration testing and managed security operations centre (SOC) monitoring service providers, as such services are already mainstream and widely adopted.