Singapore’s Cybersecurity Bill passed into law, Minister addresses concerns

Singapore’s Cybersecurity Bill, which aims to strengthen the
protection of Critical Information Infrastructure (CII), was passed into law on
February 5.

The Bill provides a framework for the regulation of CII and formalises
the duties of CII owners in ensuring the cybersecurity of their respective
CIIs. It also provides the Cyber Security Agency of Singapore (CSA) with powers
to manage and respond to cybersecurity threats and incidents, along with establishing
a framework for the sharing of cybersecurity information with and by CSA, and
the protection of such information. Another objective of the Bill is to
establish a light-touch licensing framework for cybersecurity service
providers.

In July 2017, the Ministry of Communications and Information
(MCI) and the CSA released
a draft version of the Bill and invited public feedback. The original
submission deadline of 3 August 2017 was extended in response to requests for
more time to provide feedback. 92 submissions were received from a wide
and diverse range of stakeholder groups at the close of the public consultation
on the draft Bill from 10 July to 24 August 2017.

MCI and CSA revealed their responses
to the feedback in November last year, providing clarifications on issues such
as designation of CIIs and duties of
CII owners. MCI and CSA also said that they would work closely with
sector regulators to streamline and harmonise the obligations of CII owners
under the Bill with their respective sectoral regulations.

During the closing speech for the Second Reading of the Cybersecurity Bill
2018, Dr Yaacob Ibrahim, Minister for Communications and Information, answered
several questions from Members of Parliament on different aspects of the Bill.

Scope of the Bill

Some members asked about the application of the Bill to
systems located overseas that provide essential services. Minister Ibrahim
replied that while Singapore may be able to work with these international
organisations to ensure the cybersecurity of the systems, they cannot be
controlled by designating them as CII as they are outside Singapore’s
jurisdiction. There may also be potential conflicts with other countries’
regulatory regimes.

Minister Ibrahim highlighted the Government’s efforts to
develop strong international partnerships and linkages with overseas Computer Emergency
Response Teams (CERTs) to facilitate
investigations of cybersecurity threats and incidents that may originate
overseas.

Since CII owners often work with vendors, the Minister said
that CSA will work with the sector regulators and CII owners to define the
boundaries of the systems that will be designated as CII, on a case-by-case
basis. He also clarified that CII owners are ultimately responsible for the
cybersecurity of their respective CII. CII owners should carry out the
necessary risk assessments and due diligence while deciding on vendors to engage
and conditions to impose on them.

There was also a suggestion to establish an accredited
framework for a national cybersecurity audit for CII stakeholders. For now, CSA
plans to rely on existing sector audit regimes to ensure that the security
measures are effective in protecting the CII, as an additional layer could
potentially result in CII stakeholders experiencing audit fatigue. CSA will
provide audit guidance to auditors and track the audit outcomes to ensure an
acceptable standard of practice.

Determination of Essential Services and CII

CII are identified as computers and computer systems that are necessary for the
continuous delivery of essential services, the loss or compromise of which
would have a debilitating effect on the availability of the essential services
in Singapore. For each sector, CSA worked closely with the relevant sector
regulator to identify the essential services within the sector, as well as the
computers and computer systems necessary for their delivery.

Higher education and research institutions are not considered essential
services at this point in time. However, Minister Ibrahim said that new
essential services may arise in the future, and the Minister may amend the list
of essential services if necessary.

He also clarified that organisations are not required to make self-assessments
as to whether their computers or computer systems fulfil the criteria of a CII.
Prior to designating a computer or computer system as a CII, CSA will consult
its owner and the relevant sector regulator. The identified organisations will
be notified in writing. CII owners will be given an opportunity to submit
representations to the Commissioner (the Chief Executive of CSA will be
appointed as the Commissioner) or to appeal to the Minister against the
designation. The Minister’s decision on an appeal will be final.

The process for identifying and designating new CII in the future will be
similarly considered and consultative.

Reporting requirements for CII owners

Questions were raised as to whether incident reporting and
investigation requirements could be too onerous for CII owners, especially when
they are potential victims of cyber-attacks. In reply, the Minister said
that there is no intention to take action under the Bill against CII owners for
cybersecurity breaches so long as they comply with their obligations.

CII owners are required to establish mechanisms and
processes to detect cybersecurity threats and incidents and to promptly report
incidents to the CSA. There is no obligation for a CII owner to report a
cybersecurity incident in respect of other infrastructure that it owns, where
such infrastructure is not connected to the CII. CII owners are also required
to cooperate with CSA during the investigation. When exercising investigative
powers, the Commissioner will be mindful that the owners of the computer
systems in question are typically also victims. CSA will be providing further
details to guide CII owners in incident reporting, such as relevant forms and
guidelines.

The Minister rejected a suggestion for mandatory reporting
of all cybersecurity incidents to the CSA, citing resource requirements for CSA
as well as for the companies. All companies can already voluntarily report
cybersecurity incidents to CSA through SingCERT. On top of this, the Bill will
provide CSA with powers to investigate cybersecurity threats and incidents
pertaining to computer systems in Singapore, including computer systems that
are not CII.

Cost Implications

There were multiple questions on compliance costs for CII owners and ensuring that
those costs do not trickle down to customers.

Minister Ibrahim replied that the Government bears much of
the cost of strengthening cybersecurity protection and enhancing responses to
cybersecurity threats and incidents at the national level. This includes
resourcing national-level cybersecurity infrastructure and manpower, conducting
regular cybersecurity exercises to validate cybersecurity incident management
processes, and deploying National Cyber Incident Response Teams (NCIRT) to
respond to cybersecurity incidents.

Many CII owners have already put in place cybersecurity
measures arising from regulations in sectors such as banking and finance and
infocomm. According to the Minister, the requirements under the Bill have been
carefully scoped and are considered not too onerous.

The Minister acknowledged that there might still be cost implications for some
CII owners. MCI and CSA will not provide funding to offset the costs of CII
obligations, which are regulatory requirements. However, they will work
with sector regulators to streamline the cybersecurity audit and incident
reporting processes in order to harmonise cybersecurity requirements. Assistant
Commissioners, or ACs, who are senior officers appointed from the
11 CII sectors, will play a key role in ensuring that CII owners do not face
conflicting requirements under the Cybersecurity Bill and sectoral
regulations.

Assistance for CII owners

To assist CII owners and their staff in getting ready for the implementation of
the Bill, CSA has developed a Cybersecurity Legislation Initialisation
Programme for Sector Leads, or CLIPS. CLIPS will
focus on establishing clarity on the roles and responsibilities between the
sector regulators and the CII owners, and on identifying and resolving any
operational issues pertaining to the respective sectors. This includes
harmonising policies and streamlining audits and incident reporting
processes.

Where necessary, CSA will also give CII owners sufficient time to undertake
preparations and planning prior to issuing the cybersecurity codes of practice
or standards of performance for each sector.
In addition, CSA currently shares information on cybersecurity threats and
vulnerabilities with the CII sectors so that appropriate actions can be taken
promptly. The CERTs overseeing specific sectors also issue advisories to the
operators in their respective sectors.

Safeguards on Commissioner’s powers

Addressing concerns that the broad investigation powers provided to the
Commissioner by the Bill would curtail innovation or intrude into personal
privacy, Minister Ibrahim clarified that there are limits to the investigation
powers that can be exercised, depending on the severity of the threat or
incident. While all organisations, regardless of whether they are local or
foreign, are required to cooperate with CSA during the investigation of
cybersecurity threats and incidents pertaining to computers or computer systems
in Singapore, the Government does recognise the need to balance operational
expediency with the proportionate and judicious exercise of power.

For example, the Commissioner’s authorisation is required before cybersecurity
officers and authorised officers can exercise more intrusive investigation
powers. There will also be a governance process within CSA to ensure that the
investigation powers are exercised responsibly and in accordance with the Bill.

Minister Ibrahim assured that the powers under the Bill are not intended to
intrude into privacy. Information and measures required under the Bill mainly
target cybersecurity threats and are primarily technical and not personal in
nature. For example, to aid in the detection of cybersecurity threats,
information such as network logs, indicators of compromise, and system event
and audit logs may be requested.

Development of cybersecurity ecosystem

When asked if the Bill would cover less mainstream cybersecurity services such
as white-hat or ethical hackers, and if the Ministry could consider encouraging
a local community of white-hats, Minister Ibrahim stated that the current focus
is on more mainstream or mature cybersecurity services with the potential to
cause significant impact on the overall cybersecurity landscape.

The proposed licensing framework is intended to reduce the safety and security
risks that cybersecurity service providers can pose. The service providers are
required to ensure that their key executive officers are fit and proper persons
when applying for a licence.

While only two categories of services, penetration testing and managed security
operations centre (SOC) monitoring, are identified as licensable cybersecurity
services, other cybersecurity services will still need to comply with other
laws in Singapore, such as the CMA.

However, he acknowledged that there are diverse views on the issue of licensing
cybersecurity service providers and growing the cybersecurity ecosystem. On the
one hand, there is a call for even individual professionals to be regulated,
while on the other hand, some expressed concerns over potential cost
implications for businesses.

He clarified that, for a start, the licensing framework is deliberately
light-touch in view of the need to strike a good balance between industry
development and cybersecurity needs. It is also due to the practical challenges
of requiring individual cybersecurity professionals to be licensed, given the
global nature of the cybersecurity industry.

Also, responding to an enquiry on whether the Government could create a
certification system that favours cybersecurity professionals who have a vested
interest in Singapore, Minister Ibrahim remarked that Singapore should remain
open and take reference from internationally recognised standards where
possible.

Development of cybersecurity workforce

In response to an enquiry on the Government’s plan to grow a pool of
cybersecurity professionals, Minister Ibrahim stated that the Government is
collaborating with the industry to grow the cybersecurity workforce in
Singapore, with Singaporeans continuing to be an important part of it.

The examples the Minister gave included:

  1. The Cyber Security Associates and Technologists (CSAT) programme, in
    which CSA and IMDA partner with the industry and Institutes of Higher
    Learning (IHLs) to attract new graduates and convert existing professionals
    from related fields to a career in cybersecurity.
  2. The Cybersecurity Professional Scheme (CSPS) under CSA, through which
    officers will be recruited and trained in areas such as cyber forensics and
    vulnerability assessment, before being deployed to public agencies
    overseeing CII sectors to assist companies in these sectors with their
    cybersecurity capabilities.

Regarding the potential for military-civilian collaboration to build
cybersecurity capabilities, Minister Ibrahim shared that CSA already works
closely with MINDEF on cybersecurity matters such as technology cooperation,
sharing of knowledge and experience, technical support and participation in
joint exercises.

Global development and standards

On how Singapore is taking into account global developments and evolving
standards to tackle cybersecurity threats, Minister Ibrahim said that in
formulating this Bill, the Government studied cybersecurity legislation from
other countries and will continue to take reference from internationally
recognised standards when developing codes of practice and standards of
performance for the different sectors.

Noting that the cybersecurity environment is fast-changing, Singapore will
continue to keep abreast of international developments, and review and adjust
relevant laws to address new and emerging issues moving forward. Such efforts
include active participation in international fora and discussions to develop
international cyber norms, as well as bilateral and regional collaborations on
cybersecurity and capability development.

Public education and assistance for SMEs

People are often the weakest link, but also the strongest asset, in
cybersecurity.

Regarding public education efforts to enhance cybersecurity preparedness, the
Minister named a few government initiatives. They include: (1) cybersecurity
talks and conferences organised by the Cyber Security Awareness Alliance, (2)
online cybersecurity resources available on CSA’s GoSafeOnline website, and (3)
the annual Singapore Cyber Landscape report for public awareness.

For initiatives targeting SMEs, IMDA’s SMEs Go Digital programme can help
businesses adopt cybersecurity solutions, and IMDA’s SME Digital Tech Hub gives
technical advice on cybersecurity and other digital concerns.

In general, businesses and members of the public can also sign up for
SingCERT’s advisories and alerts on cybersecurity threats and incidents.

Conclusion

In conclusion, Minister Ibrahim stated that the Cybersecurity Bill is important
legislation to protect the country’s critical information infrastructure and
safeguard essential services from disruption by cyberattacks.

He shared that the Bill was developed under careful consideration and takes
into account the interests of the different stakeholders and Singapore’s needs.
He assured that the Ministry and Government will continue to work with
stakeholders from the public and private sectors to ensure that the laws remain
robust and relevant, and, beyond this Bill, to raise the level of cybersecurity
awareness and develop the cybersecurity ecosystem in Singapore.

Lastly, he also noted that cybersecurity is not just the Government’s
responsibility. Instead, all members of society need to play a role.