On 21 January 2016, the Minister for Communications and Information and Minister-in-charge of Cyber Security Mr Yaacob Ibrahim announced that a new cyber security bill would be introduced. This new cyber security bill is intended to provide the Cyber Security Agency of Singapore (“CSA”) with wider powers to enable it to better prevent and cope with cyber security threats to Singapore’s critical information infrastructure (“CII”).
This follows on from other recent initiatives taken by the government to strengthen cyber security in Singapore, such as the establishment in late 2014 of the Monitoring and Operations Control Centre, which provides constant monitoring and surveying of Singapore’s networks, and the establishment of the CSA in April 2015.
This update takes a brief look at past cyber security breaches that have occurred in Singapore that have engendered the government’s efforts to enhance cyber security in Singapore, the state of the existing cyber security legislation in Singapore and the potential scope of the new cyber security law.
Renewed Focus on Cyber Security Breaches
The Singapore government has been placing a renewed focus on the issue of cyber security in recent times, ostensibly in light of the growing threat of cyber-related attacks as evidenced by the spate of cyber security related incidents in Singapore affecting both the public and private sector in the past few years.
For instance, 2013 saw the hacking and defacement of various governmental and private websites by an individual hacker in response to the issuance of the new class licence requirements for internet content providers issued by the Media Development Authority of Singapore. The perpetrator has since been apprehended and convicted in court.
In 2014, notable incidents include the hacking of a local karaoke chain’s member database in which personal data, such as phone and NRIC numbers, of more than 317,000 members was stolen, and the unauthorised access of SingPass accounts where 1,560 user accounts were compromised. Mr Yaacob Ibrahim has also revealed that in that year, the Ministry of Foreign Affairs’ IT system was breached, although no harm was reported as the remedial steps to rectify the breach were taken in time.
In January 2015, it was reported that a website, “www.dncpdpc.com.sg”, had been taken down by Singapore’s domain name registry for impersonating the Personal Data Protection Commission (“PDPC”).
More recently, two key incidents involving malware resulted in financial losses being suffered by the victims. In October 2015, a local businessman lost more than S$7,000 after malware residing in his computer re-directed him to a phishing site that posed as an internet banking website.
Similarly, in December 2015, it was reported that approximately 50 individuals were affected when malware posing as a software update for Android smartphones tricked the users into providing their credit card details. Some of the victims lost thousands of dollars as a result of fraudulent transactions made with their stolen credit card details.
In one particular case, reported in January 2016, hackers used the credit card details of an individual, including the authentication codes issued for online transactions from his credit card, to make purchases, amounting to S$12,327, for flight tickets in Europe. The credit card details were ostensibly stolen through the malware that was residing in his smartphone. It is understood that the individual is currently in a dispute with the bank on which party should bear the costs of the aforementioned fraudulent transactions.
Also in January 2016, the Ministry of Education sent out an advisory warning relating to several fake websites of various polytechnics in Singapore. These websites adopted the look and feel of the official websites and were made to mirror them almost exactly.
The increasing number of cyber security breaches locally is consistent with the global trend, in which the period from 2013 to 2015 was marked by an increasing number of high-profile data thefts by hackers (e.g. Target (2013), Sony (2014) and Ashley Madison (2015)).
Current State of Play
At present, Singapore’s primary cyber security legislation, which was last amended in 2013, is the Computer Misuse and Cybersecurity Act (Cap. 50A) (the “CMCA”). The CMCA criminalises certain activities including, inter alia, the unauthorised access, use, interception and modification of computers, data and computer services.
The CMCA also empowers the Minister of Home Affairs to act against cyber security threats. For instance, the Minister of Home Affairs can, through the issuance of a certificate, authorise, direct or compel a person or entity to take such steps or to comply with certain obligations as are necessary for the detection and prevention of cyber security threats to the national security, defence, foreign relations and essential services of Singapore. In this regard, it is noteworthy that the definition of essential services as set out in the CMCA is limited to specified sectors, such as communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, public key infrastructure and emergency services such as police, civil defence or health services.
Potential Scope of the New Cyber Security Law
Based on an interview given by Mr David Koh, Chief Executive of the CSA on 4 August 2015, the genesis of the new cyber security law appears to be the CSA’s mandate to assess the adequacy of Singapore’s current cyber security laws. In that interview, Mr Koh hinted at a 12-month timeframe and at being able to provide “more concrete” information at a later date.
Although no draft of the new cyber security bill has yet been circulated, it is understood that the new cyber security bill is intended to provide the CSA with wider powers to protect Singapore’s CII, which has been identified as including the “energy, water, transport, health, government, infocomm, media, security and emergency services, and banking and finance sectors”. This largely mirrors the present scope of the CMCA, although it remains to be seen what these wider powers will entail.
Separately, given the need for the new cyber security bill to keep up with the “evolving landscape” of cyber security threats, it is possible that new categories of cyber security offences may be set out in the new cyber security bill.
Another key feature that may find its way into the new cyber security bill would be the inclusion of a mandatory requirement to report cyber security breaches, an obligation which is not presently mandated under the CMCA unless the Minister of Home Affairs specifically requires a person or entity to do so through the issuance of a certificate.
In this regard, the new cyber security bill could potentially adopt the approach taken by the Monetary Authority of Singapore (“MAS”) vis-à-vis financial institutions. Under the MAS’ Notice on Technology Risk Management, financial institutions regulated by the MAS are required to notify the MAS of, inter alia, any security breaches to their IT system. Timelines have also been stipulated such that an initial notification must be made within an hour of the discovery of such an incident, with a detailed report to follow within fourteen (14) days of the incident.
Such a mandatory notification requirement may be especially pertinent, given the potential adverse consequences that could result from the theft of personal data belonging to individuals and the need for the individuals to be alerted to the same in a timely fashion so as to allow the individuals to take protective measures.
In this regard, a mandatory notification requirement would ensure that this is the case in the event of a cyber security breach, and would prevent a situation similar to that involving China’s largest online shopping platform TaoBao, where a cyber security breach that occurred in October 2015, in which the user accounts of over 20 million users were compromised, was reported only in February 2016, leaving the users potentially unaware that their personal data, including financial information, may have fallen into the wrong hands, during the interim period.
In any case, it is necessary for businesses to keep apprised of any developments relating to the new cyber security bill, given its potential to have significant implications, from an operational and compliance standpoint, for businesses in every industry, especially those cited above.
The increasing number of incidents involving cyber security related breaches and the resurgence in the government’s efforts to enhance cyber security in Singapore are demonstrative of the need for greater measures to be taken to guard, as far as possible, against potential cyber threats. In this regard, businesses should not only ensure that their IT systems are regularly tested and updated, but should also develop policies and procedures, such as crisis management teams, to respond to cyber security related incidents when they inevitably occur. Given the potential reputational and financial damages that cyber-attacks are capable of causing to businesses, it is imperative that cyber security is no longer labelled as a matter purely for the IT department but recognised as a board level and senior management issue.