The newly published Cybersecurity Bill is further evidence that the authorities in Singapore are taking the issue of cybersecurity seriously. It sits alongside other legislative developments and key trends.
Strong commitment from the Singapore authorities
The authorities in Singapore have shown they are making the protection of cyberspace a priority.
This was reflected in the Global Cybersecurity Index 2017 (GCI 2017) released by the United Nations International Telecommunication Union (ITU) in July 2017, in which Singapore was ranked top.
The GCI 2017 measured the commitment of countries towards cybersecurity. The ranking was based on the legal, technical and organisational institutions of the countries surveyed, their educational and research capabilities, and their cooperation in information-sharing networks. The key efforts recognised by the ITU include:
- the launch of the first cybersecurity masterplan by Singapore in 2005;
- the creation of the Cybersecurity Agency (CSA) of Singapore, the government agency dedicated to overseeing cybersecurity; and
- the comprehensive national cybersecurity strategy launched in 2016.
In fact, in May 2017, it was reported that the Government of Singapore had allocated S$528 million to cybersecurity spending, including the setting up of a new Government Security Operation Centre to detect cyberthreats.
The government's attitude appears to be paying off, as organisations in Singapore were reportedly left unscathed by the WannaCry ransomware attacks in May 2017 and by the “Petya” ransomware attacks in June. In addition, most critical infrastructure was also reportedly prepared for and unaffected by the attacks.
Importance of international co-operation
Law enforcement agencies have long recognised the need for collaboration with the private sector in the fight against cybercrime. During the INTERPOL World conference held in Singapore in July 2017, the Interpol president emphasised that it would be mutually beneficial for law enforcement agencies and organisations to share intelligence and research and development, and to build up joint capabilities to address threats. International co-operation is, in fact, a common thread which runs through Singapore's policy.
Regulatory authorities
The Personal Data Protection Commission of Singapore (PDPC), the body entrusted to enforce privacy obligations under the Personal Data Protection Act of Singapore (PDPA), has been busy during the first half of the year.
There has been an increase in enforcement decisions. 2016 saw a total of 22 enforcement decisions issued and, to date, twelve decisions have already been issued in 2017. Significantly, there are some discernible trends:
- decisions and practice directions of other data protection enforcement agencies have been treated as having persuasive value – in the Matter of National University of Singapore [2017] SGPDPC 5, decided on 26 April 2017, the PDPC, in reaching its decision, referred to practice guidelines of the UK’s Information Commissioner’s Office and a decision of the Office of the Information & Privacy Commissioner for British Columbia, Canada, and made reference to a Code of Practice of the Hong Kong Office of the Privacy Commissioner for Personal Data. This approach was also followed in Furnituremart.sg [2017] SGPDPC 7, decided on 31 May 2017, and in Orchard Turn Developments Pte. Ltd. [2017] SGPDPC 12 on 6 July 2017;
- the PDPC recognised the need for international co-operation – in Orchard Turn Developments Pte. Ltd. [2017] SGPDPC 12, at [11], the PDPC recognised that it would have to “pursue available options for assistance in this aspect of the investigations with the relevant foreign data protection authority”. In this case, the organisation had engaged the services of an outsourced IT service provider based in Hong Kong (most likely as a data intermediary under the PDPA), who allegedly played a contributory role in a data leak incident.
This approach demonstrates the international nature of privacy protection, and the need to have international co-operation between enforcement agencies.
As well as conducting enforcement actions, the PDPC updated its guidelines on the Healthcare sector, revised its Guides on the treatment of personal data in the electronic medium, and has also provided updates on Guides for the proper disposal of personal data.
In addition, the PDPC has put in place a series of certification programs designed to enhance the training and standards of Data Protection Officers in organisations.
The CSA also formalised Singapore’s relationship on cybersecurity with two more countries, again demonstrating the emphasis on international co-operation. In June 2017, the CSA signed an MOU with Australia to promote cooperation between the two countries on cybersecurity. In July 2017, Singapore and Germany signed a Joint Declaration on strengthening cybersecurity cooperation. The Joint Declaration was signed by the CSA and Director of International Cyber Policy of the German Federal Foreign Office (FFO).
These two latest collaborations add to the five existing Memorandums of Understanding with France, India, the Netherlands, the UK and the United States.
Legislative changes
Under proposed changes to the Computer Misuse and Cybersecurity Act (CMCA), the act of obtaining hacking tools to commit a crime or using personal data that was obtained through hacks will be criminalised. Four key changes are proposed:
- the act of dealing in personal information obtained via an act in contravention of the CMCA will be a criminal offence;
- the act of dealing in items capable of being used to commit a CMCA offence will be a criminal offence;
- CMCA offences causing “serious harm” to Singapore will have extraterritorial application; and
- charges for multiple CMCA offences will be aggregated with a view towards applying enhanced penalties when the combined acts result in high aggregate damage.
Industry trends
The Monetary Authority of Singapore (MAS) appears to be turning to innovative technology as a means to enhance security measures. In June 2017, it was reported by the MAS that, in collaboration with a number of banks (local and overseas) and blockchain technology firms, phase one of tokenising Singaporean Dollars through an Ethereum blockchain had been successfully completed, paving the way for safer cross-border payments.
The Healthcare industry is attracting a lot of attention in the data privacy space. The use of emerging technologies such as artificial intelligence (AI), machine learning, mHealth and Internet of Medical Things (IoMT), has led to the PDPC updating its Guidelines on the Healthcare Sector.
The first half of 2017 has also seen some significant business developments in the cybersecurity space. In May 2017, StarHub Limited acquired a 51% stake in Accel Systems & Technologies Pte. Ltd. (Accel) for S$19 million. Accel is a cybersecurity systems integrator specialising in the provision of security solutions, consulting and managed security services. The acquisition will strengthen StarHub’s cybersecurity portfolio, giving it the in-house capabilities to be an end-to-end provider of cybersecurity solutions and services. It was just announced in July 2017 that StarHub would acquire a further 29% now and the balance of 20% by the year 2020.
What to expect next
At the international level, organisations should not be surprised if there are express provisions in the Singapore Data Protection Law relating to the implementation of the General Data Protection Rules.
On a national level, the CSA released the much-anticipated Cybersecurity Bill on 10 July 2017 to establish a framework to provide oversight and maintain national cybersecurity in Singapore, and to empower CSA officers to carry out their functions.
This Cybersecurity Bill takes a holistic approach to making Singapore resilient against cyberattacks, especially for Critical Information Infrastructure (CII) in Singapore, and seeks to achieve the following four objectives:
- to provide a framework for the regulation of CII. This formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs;
- to provide the CSA with powers to manage and respond to cybersecurity threats and incidents. Section 15A of the current CMCA provides some existing powers relating to cybersecurity. These will be enhanced by the Cybersecurity Bill, and specific powers will be vested in CSA officers as sitting powers;
- to establish a framework for the sharing and protection of cybersecurity information with and by the CSA; and
- to establish a light-touch licensing framework for cybersecurity service providers.
A period of consultation has been set and Singapore can look forward to a more robust cybersecurity regime.