MCI and CSA to refine designation of Critical Information Infrastructures (CIIs) and duties of CII owners in Singapore’s proposed Cybersecurity Bill

The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) have released a report on the public consultation on the proposed Cybersecurity Bill. The draft Bill was released in July 2017. The original submission deadline of 3 August 2017 was extended in response to requests for more time to provide feedback.

A total of 92 submissions were received from a wide and diverse range of stakeholder groups during the public consultation on the draft Bill, which ran from 10 July to 24 August 2017.

Respondents included local and international
organisations, multi-national companies, industry and professional
associations, sector regulators, academia and members of the public. During
this period, CSA also participated in dialogues with industry organisations and
attended sessions organised by professional associations for their members and
the public to address queries regarding the Bill. 

Respondents generally shared the Singapore Government’s
concerns on the impact of increasingly sophisticated cyber-attacks which could
potentially cause major disruptions, or even cripple the economy. Respondents
acknowledged the timeliness and importance of the Bill in setting the necessary
legislative framework for pro-active oversight and response to cyber threats
and incidents.

Several respondents also agreed with the need for
cybersecurity information-sharing between CSA and other organisations,
including the need to safeguard the information source and information

However, respondents had some reservations about the
proposed licensing framework.

Following careful deliberation, MCI and CSA intend to refine the Bill in several aspects. The clauses to be refined include the following:

Designation of Critical Information Infrastructures (CIIs) – Some respondents felt that the proposed definition of CIIs was too broad and asked for more clarity on the scope of “computers” and “computer systems” that might be designated as CIIs.

MCI and CSA have clarified that this definition is intended to formalise the existing engagements with CII stakeholders that have been in place since 2013. The Bill will be amended to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs.

All other computers and computer systems will not be
considered CIIs, and the obligations in Part 3 of the Bill therefore do not
apply to them. Specifically, computer systems in the supply chain supporting
the operation of a CII will not be designated as CIIs, therefore third-party
vendors will not be considered as owners of CIIs.

CII owners are ultimately responsible for the cybersecurity
of their CIIs. If need be, CII owners can impose cybersecurity requirements
contractually on their vendors.

Duties of CII owners – Respondents suggested that any codes of practice and standards of performance required under the Bill should take into consideration any existing codes and standards that CII owners are already required to comply with, e.g. sectoral regulations, in order to avoid inconsistencies and confusion.

In response, MCI and CSA plan to work closely with sector
regulators to streamline and harmonise the obligations of CII owners under the
Bill with their respective sectoral regulations.

The appointment of Assistant Commissioners to oversee CIIs
in each sector will ensure that the Bill requirements are sensible and take
into account existing sector-specific requirements, including international
requirements. This is because the sector regulators understand the unique
contexts and complexities in each sector, and are in a good position to balance
the sectors’ cybersecurity needs and business requirements.

Requirements of licensing regime – Several respondents expressed reservations about the proposed licensing framework. Some respondents were against licensing of cybersecurity service providers in any form, as they felt that licensing could impact the development of a vibrant cybersecurity ecosystem in Singapore.

To strike a balance between industry development and
security needs, MCI and CSA intend to simplify the licensing framework by doing
away with the licensing of individual cybersecurity professionals, and removing
the distinction between “investigative” and “non-investigative” types of
licensable services.

This is expected to make the Bill more future-proof and enable it to stay relevant as cybersecurity services continue to evolve. At this point, MCI and CSA intend to license only penetration testing and managed security operations centre (SOC) monitoring service providers, as these services are already mainstream and widely adopted.