On 10 July 2017, the Cyber Security Agency of Singapore ("CSA") released a draft Cybersecurity Bill for public consultation. The Bill's four main objectives are:
- to provide a framework for the regulation of critical information infrastructure owners;
- to provide the CSA with the necessary powers to manage and respond to cybersecurity threats;
- to provide a framework for the sharing of cybersecurity information; and
- to introduce a licensing regime for selected cybersecurity service providers.
Each of these objectives will be discussed in brief below.
Regulation of critical information infrastructure owners
"Critical information infrastructure" or "CII" is broadly defined as "a computer or computer system that is necessary for the continuous delivery of essential services … the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore".
"Essential services" covers 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
If a particular computer or computer system is designated as a CII by the Commissioner of Cybersecurity, the owner of that CII would have the following general obligations:
- Notification - CII owners would be required to notify the Commissioner:
  - of any significant cybersecurity incident involving the CII or any computer system that interconnects with the CII;
  - of any change to the design, configuration, security or operation of the CII; and
  - of any change in ownership of the CII, at least 90 days before the intended date of the change.
- Audit - CII owners would be required to have the CII audited at least once every three years for compliance with the legislation and the applicable codes of practice.
- Information - CII owners would be required to provide the Commissioner with information about the technical architecture of the CII.
- Cybersecurity exercises - CII owners would be required to participate in exercises organised to test the CII's response to significant cybersecurity incidents.
Giving the CSA the necessary powers
In addition to issuing the codes of practice, standards of performance and written directions against which CIIs would be audited (as mentioned above), the CSA would be granted powers to both prevent and investigate cybersecurity incidents.
These powers would not be limited to critical information infrastructure; they would extend to any computer or computer system in Singapore. They are broad, and would allow the Commissioner to examine any person, enter any premises to access the relevant computer system, and direct any person to carry out remedial measures and to assist in investigations.
All information provided to the Commissioner will be kept confidential by the Commissioner and the identity of any informers will be protected.
Licensing of cybersecurity service providers
Cybersecurity service providers would need to obtain a licence from the CSA to continue providing any service that is "intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person".
There are two types of licence:
- Investigative cybersecurity services, such as penetration testing, which involve a deeper level of access to the computer system in order to test it for vulnerabilities; and
- Non-investigative cybersecurity services, such as managed security operations, which involve monitoring the security of a computer system.
Notably, the licensing regime would not apply where investigative or non-investigative cybersecurity services are provided in-house: if a person is employed by an organisation to provide these services to that organisation alone (and not to anyone else), neither that person nor that organisation would need a licence.
In addition to the fines and jail terms that may be imposed on individuals and organisations operating without the appropriate licence, an unlicensed provider would not be entitled to bring proceedings to recover any commission, fee, gain or reward for services provided during the period in which it did not hold the appropriate licence. That is quite an incentive to ensure that the appropriate licences are obtained and maintained.
The consultation period for the Bill closes on 3 August 2017. In the meantime, cybersecurity service providers are encouraged to self-assess whether they would need to be licensed under the new regime.