The unveiling of the draft cybersecurity bill sheds light on proposed cybersecurity compliance standards and the broad, sweeping powers of Singapore’s Cyber Security Agency.
Hot on the heels of the recent worldwide ransomware attacks, Singapore’s Ministry of Communications and Information (MCI) and the Cyber Security Agency (CSA) have released a draft cybersecurity bill for public consultation, which will run from 10 July to 3 August 2017.
The draft bill provides insight into the Singapore government’s approach to dealing with the surge in cybersecurity attacks and foreshadows what measures industry players must take to beef up their cybersecurity.
This LawFlash provides a brief overview of the key features of the draft bill, which applies to computer systems owned by both public and private entities.
Appointment of a Commissioner of Cybersecurity
The chief executive of the CSA will be appointed as the Commissioner of Cybersecurity and, as Commissioner, will be in charge of overseeing the cybersecurity of Singapore’s computer systems. The term “computer systems” is broadly defined to include information technology (IT) systems and operational technology systems such as industrial control systems, programmable logic controllers, supervisory control and data acquisition systems, and distributed control systems (e.g., computer systems that control operations at plants).
The Commissioner of Cybersecurity will have the power to investigate cybersecurity threats and incidents and to establish compliance standards for cybersecurity practitioners and cybersecurity services in Singapore, including certification or accreditation schemes. The Commissioner also will have the power to designate certain computer systems as critical information infrastructure (CII).
Critical Information Infrastructure
CII refers to computer systems which are necessary for the continuous delivery of essential services that relate to Singapore’s national security, defence, foreign relations, economy, public health, public safety, or public order.
Before designating a computer system as a CII, the Commissioner of Cybersecurity is entitled to request technical or other information on the functioning of the subject computer system. The owner of the computer system must comply with such a request unless prohibited by other laws from doing so. After reviewing the information, the Commissioner will inform the owner in private whether the computer system will be considered a CII (note: the identity of CIIs is covered by the Official Secrets Act and cannot be divulged to the public). A computer system’s CII status will last for a five-year term unless withdrawn by the Commissioner. The CII owner may appeal against such a designation (within 30 days of designation) to the Minister of MCI, whose decision on the matter shall be final.
Once a computer system is designated as a CII, the owner is required to perform the following duties:
- Provide the Commissioner with information on the technical architecture of the computer system
- Comply with the codes of practice and directions set by the Commissioner
- Report any cybersecurity threats or incidents associated or interconnected with the computer system
- Conduct regular audits to ensure that the computer system complies with the codes of practice and directions
- Conduct regular risk assessments
- Participate in cybersecurity exercises
An example of such a cybersecurity exercise is the recent exercise conducted by the CSA on 18 July 2017. The exercise participants included the Land Transport Authority, national water agency Public Utilities Board, Monetary Authority of Singapore, and Singapore Airlines, among others. The exercise simulated different types of cyberattacks targeting essential services—such as ransomware attacks, distributed denial of service (DDoS) attacks, and malware infections.
If the CII owner fails to comply with these duties without providing a reasonable excuse, the owner may face a financial penalty and/or its officers may face imprisonment.
The Commissioner of Cybersecurity also has the power to investigate and undertake emergency cybersecurity remedial measures in situations where there is a real risk of significant harm being caused to a CII, essential services, or valuable information.
Such remedial measures include compelling an owner of a CII computer system to do the following:
- Install software updates to address cybersecurity vulnerabilities
- Temporarily disconnect affected computers from the overall computer system
- Redirect malicious data traffic to designated computer servers
- Preserve the state of the computer system
Industry Standards among Cybersecurity Providers/Practitioners
The Commissioner also will have the power to introduce accreditation schemes and award licenses to cybersecurity providers/practitioners. The licensable cybersecurity services are broadly divided into two categories: investigative and non-investigative. Investigative cybersecurity services include penetration testing services (commonly known as “white hat” hacking), while non-investigative cybersecurity services cover the sale, design, or monitoring of cybersecurity solutions.
Unlicensed practitioners who provide these services may face a financial penalty and/or imprisonment. Unlicensed practitioners also will not be able to bring any proceedings to recover fees for providing such services.
This draft cybersecurity bill comes at an important juncture when urgent measures are necessary to address significant and coordinated cyberattacks against important computer infrastructure. Owners of computer systems which are intertwined and interconnected with Singapore’s key infrastructure should take heed of the duties and obligations proposed under the draft bill to ensure that their IT and compliance departments are in a position to meet the new regulations.
Cybersecurity practitioners also should keenly monitor developments to ensure compliance with codes of practice and licensing requirements which may be set by the CSA as well as to ensure that there are no disruptions to business services.