Draft cybersecurity legislation in Singapore seeks to strengthen protection of Critical Information Infrastructure

The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) have issued an invitation to the public to provide feedback on a proposed Cybersecurity Bill. The public consultation exercise will run from 10 July to 3 August 2017.

MCI/CSA commenced work on the Bill in late 2015. Several rounds of consultations have been held with key stakeholders, including regulators of our critical sectors, potential CII owners, industry associations, and cybersecurity professionals.

Four objectives

The proposed Bill has four objectives:

  1. To provide a framework for the regulation of Critical Information Infrastructure (CII). This formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs.
  2. To provide CSA with powers to manage and respond to cybersecurity threats and incidents. Section 15A of the current Computer Misuse and Cybersecurity Act (“CMCA”) provides some existing powers related to cybersecurity. These will be enhanced within the Cybersecurity Bill, and specific powers will be vested in CSA officers as sitting powers.
  3. To establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information.
  4. To establish a light-touch licensing framework for cybersecurity service providers.

The consultation document draws a distinction between cybercrime and cybersecurity. Cybercrime can involve traditional, real-world crimes that are committed using a computer, such as e-commerce scams, and these are covered by criminal laws such as the Penal Code. Or it can involve criminal acts that target computer systems. Such offences are commonly referred to as “hacking”, and are covered by the CMCA. Cybercrime is under the purview of MHA and the Singapore Police Force (SPF).

Cybersecurity meanwhile refers to the security of a computer or computer system against unauthorised access or malicious acts, to preserve the availability and integrity of the computer or computer system, or the confidentiality of information stored or processed in the computer or computer system. National cybersecurity matters are under the purview of the CSA.

Four key principles

The first principle is to have a coordinated national approach, recognising that cybersecurity can only be as strong as the weakest link. The aim is to have a common framework across all sectors, so that CIIs can be protected consistently, and to adopt a whole-of-government approach by empowering not only CSA officers but also officers from sector leads to investigate cybersecurity threats and incidents.

The second principle is that there will be consistent application of the framework across sectors but it has to be flexible, taking into account the unique circumstances of each sector. The Bill recognises that every CII sector is different, in terms of the types of technology used, the nature of relationships between government and the private sector, and the current cybersecurity maturity level of industry players.

The third principle is to have a proactive approach for CII protection.

The fourth principle is that the provisions of the Bill will apply equally to both public and private sectors. Hence, the same duties shall apply to owners of CII in the private sector, in statutory boards and in the Government.

Commissioner of Cybersecurity

The powers of the Bill shall be vested in a Commissioner of Cybersecurity (Commissioner), to be appointed by the Minister-in-charge of Cybersecurity (Minister). The position will be held by the Chief Executive of CSA. The Minister may also appoint a Deputy Commissioner (DC), as well as a number of Assistant Commissioners (AC). These ACs will oversee and enforce the protection requirements for CIIs.

Designation as CII and duties of CII owners

CII is defined as a computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.

CIIs may be owned by public or private organisations and may be located wholly or partly in Singapore. Today, the CIIs fall under 11 critical sectors: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10) Security and Emergency Services, (11) Water.

The Bill will allow the Commissioner to designate a computer or computer system as a CII. Prior to doing so, the Commissioner may require the owner to provide certain information about the computer or computer system. The designation of a computer or computer system as a CII is an official secret under the Official Secrets Act, and shall not be divulged to the public.

CII owners will have the duties to provide information to the Commissioner on the technical architecture of the CII; to comply with codes and directions; to report relevant cybersecurity incidents; to conduct regular compliance audits; to conduct regular risk assessments; and to participate in cybersecurity exercises.

Powers to investigate cybersecurity threats and incidents and penalties

Three scenarios are proposed for the exercise of power. For ‘All cybersecurity threats and incidents’, if the Commissioner has information regarding a cybersecurity threat or incident, the Commissioner may examine anyone relevant to the investigation and take statements, and require the provision of relevant information, typically in the form of technical logs. This will also allow the Commissioner to decide whether the threat or incident is serious and therefore take further action.

For ‘Serious cybersecurity threats and incidents’, the Commissioner may exercise more intrusive measures, including directing persons to carry out remedial measures and assist in the investigation, enter premises where relevant computers and computer systems are located, access such computers, and scan computers for cybersecurity vulnerabilities. The Commissioner may also seize any computer or equipment for the purpose of carrying out further examination and analysis, if certain conditions are met.

In the case of ‘Emergency measures and requirements’ the Minister may (by issuing a certificate) authorise any person or organisation to take such measures or comply with such requirements as may be necessary to prevent, detect, counter any threat to a computer or computer service, or any class of computers or computer services.

In cases of wilful non-compliance with instructions or wilful refusal to provide information, penalties may be levied in the form of fines or imprisonment.

Light-touch licensing regime for cybersecurity service providers

The proposed licensing framework aims to help provide greater assurance of safety and security to consumers of cybersecurity services, address information asymmetry in the industry and provide for improving the standards of cybersecurity service providers and professionals.

Investigative and non-investigative cybersecurity services are considered.

To start, CSA is proposing to license penetration testing service providers and individuals under an investigative cybersecurity service licence, and managed security operations centre (SOC) monitoring service providers under a non-investigative cybersecurity service licence.

Licensing requirements and registration procedures will be kept as simple as possible. Applications will be submitted and processed online, and service providers with established track records will be granted longer license terms. CSA will conduct audits from time to time, to ensure that licensing requirements are met. CSA will also want to keep license fees low.

CSA will have further consultation with the industry on detailed requirements before the framework is operationalised.

Read the consultation document here / Read the draft bill here.
