On 10 July 2017, the Cyber Security Agency of Singapore (“CSA”) and Singapore Ministry of Communications and Information (“MCI”) released a draft Cybersecurity Bill for public consultation, which will conclude on 3 August 2017.
The proposed Cybersecurity Bill has four main objectives:
The proposed Bill comes at a time of increasing cybersecurity incidents globally, including the recent global WannaCry and Petya/Petna malware attacks, and as organisations increasingly focus on implementing technical and operational security measures to protect their systems from such incidents.
The proposed Bill would apply equally to critical information infrastructure owners in both the private and public sectors (i.e. statutory boards and the government). “Critical information infrastructure” is broadly defined as:
“A computer or a computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.”
“Essential services” currently encompasses 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
Within these sectors, critical information infrastructure includes both information technology (IT) and operational technology (OT) systems (e.g. industrial control systems, data acquisition systems, etc.). Entities in the banking and finance sectors are expected to own predominantly IT systems, whilst entities in other sectors, such as energy, are likely to own predominantly OT systems.
The owner of critical information infrastructure is the person who has effective control over the operation of the critical information infrastructure or is responsible for ensuring its continuous functioning. We would expect that further clarity around the scope of this definition may follow the public consultation on the Bill, particularly as it applies in the context of IT outsourcing.
Who makes the determination?
The Commissioner of Cybersecurity would have the power to designate a particular computer or computer system as critical information infrastructure, in which case a written notice would be served on the critical information infrastructure owner. The Commissioner of Cybersecurity would also have the power to obtain information from entities in order to make the determination, though the critical information infrastructure owner would not be obliged to disclose information where doing so would breach any written law. Any designation made would be an official secret under the law and shall not be publicised.
Companies should internally review their computer or computer systems against the scope of critical information infrastructure whilst the Bill is being finalised.
Critical information infrastructure owners would have four general obligations in relation to notification, audit, provision of information, and participation in cybersecurity exercises. Failure to comply with the obligations would carry with it criminal sanctions, including fines of up to S$100,000, imprisonment for a term not exceeding 2 years, or both.
(3) Provide information and comply with Commissioner of Cybersecurity directions
(4) Participate in national cybersecurity exercises organised by the Commissioner of Cybersecurity
The CSA would be granted broad powers to both prevent and investigate cybersecurity incidents. The powers would be vested in the Commissioner of Cybersecurity.
Such powers would not be limited to critical information infrastructure, but would extend to any computer or computer system in Singapore. Note that a failure to comply with the Commissioner of Cybersecurity’s directions would invite criminal penalties. The Commissioner’s powers would vary depending on the severity of the cybersecurity threat or incident.
For all threats and incidents, regardless of their severity, the Commissioner may examine anyone relevant to the investigation and take statements to determine if further steps are needed. For serious threats and incidents, the Commissioner may take measures including:
The proposed Bill also aims to regulate providers of cybersecurity services. For this purpose, a cybersecurity service is defined as:
“a service provided for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person.”
If your organisation is a cybersecurity service provider, it would need to obtain a licence from the CSA to continue to provide such services.
There are two types of licences:
(1) investigative cybersecurity services, which typically involve a deeper level of access to the computer system, such as searching for cybersecurity vulnerabilities; and
(2) non-investigative cybersecurity services, which typically involve monitoring the cybersecurity of a computer system.
The following persons do not fall within the scope of a cybersecurity service provider:
Please note that the proposed Bill is still pending public consultation, with the possibility of amendments. In the meantime, companies are encouraged to contribute to the consultation and to make a preliminary assessment of whether they are a critical information infrastructure owner or a cybersecurity service provider, and of what they would need to do to comply with the obligations under the proposed Bill.