Singapore is currently in the midst of finalising revisions to its cybersecurity laws by way of a draft Cybersecurity Bill, which is expected to be passed by the Singapore Parliament in 2018 (Singapore Bill). The Singapore Bill is expected to overhaul and further strengthen Singapore’s already sophisticated cybersecurity governance regime, with a particular focus on protecting critical national infrastructure, and with the objective of establishing a robust national framework that will be able to comprehensively deal with cybersecurity threats and issues.
Given that the world today is highly interconnected and globalised, and that Singapore is one of Australia’s largest trading partners, it is useful to consider how the Singapore Bill could impact Australian businesses and interests.
Key features of the Singapore Bill
Commissioner of Cybersecurity
The Singapore Bill will establish the position of a Commissioner of Cybersecurity (Commissioner), who will be appointed by the Minister of Communications and Information (Minister).
Critical Information Infrastructure
The Singapore Bill defines ‘Critical Information Infrastructure’ (CII) as any computer or computer system (ICT Infrastructure) that is necessary for the continuous delivery of essential services that Singapore relies upon, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
Powers of the Commissioner
The Commissioner will be empowered under the Singapore Bill to identify and designate any ICT Infrastructure as CII, for a period of 5 years, so long as such ICT Infrastructure fits the criteria of being CII, and is located wholly or partly in Singapore.
The Singapore Bill also provides that if the Commissioner has reason to suspect that ICT Infrastructure may fulfil the criteria of being CII, the Commissioner has the power to require any person who appears to be operating the ICT Infrastructure to provide to the Commissioner all information (which may include confidential, personal, and security information) relating to the ICT Infrastructure in question.
Effect of ICT Infrastructure being designated as CII
If ICT Infrastructure is designated as CII by the Commissioner, the owner of such CII must:
- provide information on the configuration and security of the CII, as well as any other ICT Infrastructure that the CII interacts with, if requested by the Commissioner;
- notify the Commissioner of any ‘material changes’ to the CII, with material changes being defined as any change that affects or may potentially affect the cybersecurity of the CII, or the ability of the CII owner to respond to a cybersecurity incident;
- notify the Commissioner of any cybersecurity incident that occurs in respect of any ICT Infrastructure under the CII owner’s control that is interconnected or communicates with the CII;
- comply with any relevant codes of practice and standards that the Commissioner may issue, pursuant to the Singapore Bill;
- conduct regular risk assessments and audits on the CII (and provide reports to the Commissioner); and
- participate in cybersecurity exercises, as required by the Commissioner.
Further, if the Commissioner receives information on the basis of which he or she considers that there may be a cybersecurity threat to CII which satisfies the severity threshold specified in the Singapore Bill (e.g. the threat poses a real threat to the national security of Singapore), the Commissioner may:
- direct any person to carry out remedial measures (which may include installing or uninstalling specified software on the CII, or temporarily ceasing operation of the CII);
- enter premises where CII are located, and access any relevant ICT Infrastructure (including to install or uninstall any software or software updates); and
- scan ICT Infrastructure for vulnerabilities, and seize any ICT Infrastructure that is deemed relevant for the purpose of carrying out further investigation and analysis.
The Singapore Bill also provides for the establishment of a regulatory licensing regime for persons or businesses providing ‘licensable cybersecurity services’ (Cybersecurity Licence). Under the Singapore Bill, a Cybersecurity Licence imposes certain duties on its licence holder, e.g. keeping records in relation to its provision of ‘licensable cybersecurity services’, which includes personal information, as well as any other details which may be prescribed (under Singapore law).
The Singapore Bill also provides that it is an offence if an owner of CII fails to comply with directions of the Commissioner without ‘reasonable excuse’ or fails to carry out his or her ‘statutory duties’ (including obligations imposed by its Cybersecurity Licence, where applicable).
The Australian Connection
As the Singapore Bill has not yet been passed by the Singapore Parliament (and no subsidiary legislation has been made pursuant to the Singapore Bill), there remain a number of unknowns as to how the Singapore Bill will operate in practice. For example, it is unclear what the:
- process for designating ICT Infrastructure as CII is; and
- exact scope of the powers of the Commissioner and the Minister will be (and perhaps more importantly, how those powers will in practice be exercised).
Regardless, taken as a whole, the practical effects of the Singapore Bill could potentially be far-reaching, especially in today’s highly globalised and interconnected world, and could very likely affect Australian businesses or agencies with a physical presence in Singapore or with data residing in Singapore.
Implications for Australian businesses and agencies
For example, an Australian business or government agency (Australian Entity) which has moved services to the “cloud” should consider whether its service provider is or may be using ICT infrastructure located in Singapore which could be CII under the Singapore Bill when enacted.
Consistent with sound supply chain risk management practices, such considerations should encompass the entire supply chain, including subcontractors and third party contractors to the prime and, if applicable, related entities of the prime.
If so, it would appear that when the Singapore Bill is enacted, the Commissioner will have the power to direct the relevant supplier to provide the Commissioner with information (which may include confidential and personal information) held on its ICT Infrastructure, and with access to that ICT Infrastructure. The provision of such information or access by the supplier, albeit in response to a lawful requirement under Singapore law, could potentially cause the cloud services customer to be in breach of its own upstream contractual obligations (e.g. confidentiality and security obligations) or Australian laws (e.g. the Privacy Act 1988 (Cth)).
If the customer is providing services to the Commonwealth Government, information security issues could potentially arise, both for the customer and for the Commonwealth Government, e.g. non-compliance with the Commonwealth’s Protective Security Policy Framework, and/or the Commonwealth’s Information Security Manual.
The way forward for Australian businesses and agencies
Assuming the potential for such requests under the Singapore Bill would be acceptable, there may be contractual measures that can be put in place to allow for such eventualities without triggering a breach. One of the ways in which agreements could deal with laws like the Singapore Bill would be to ensure that they include relevant exemptions or contractual mechanisms that allow compliance with relevant Australian laws and/or Commonwealth policies (as applicable).
Also, when entering into services arrangements with ICT providers which may be required to obtain a Cybersecurity Licence under the Singapore Bill, Australian Entities should ensure that contracts include obligations requiring such ICT providers to obtain and maintain a Cybersecurity Licence (and all other relevant licences) during the term of the agreement, coupled with appropriate contractual remedies (e.g. termination rights) if such obligations are breached.