Singapore’s Cybersecurity Bill which aims to strengthen the protection of Critical Information Infrastructure (CII) was passed into law on February 5.

The Bill provides a framework for the regulation of CII and formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs. It also provides the Cyber Security Agency of Singapore (CSA) with powers to manage and respond to cybersecurity threats and incidents, along with establishing a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. Another objective of the Bill is to establish a light-touch licensing framework for cybersecurity service providers.

In July 2017, the Ministry of Communications and Information (MCI) and the CSA released a draft version of the Bill and invited public feedback. The original submission deadline of 3 August 2017 was extended in response to requests for more time to provide feedback. 92 submissions were received from a wide and diverse range of stakeholder groups at the close of the public consultation on the draft Bill from 10 July to 24 August 2017.

MCI and CSA revealed their responses to the feedback in November last year, providing clarifications on issues such as designation of CIIs and duties of CII owners. MCI and CSA also said that they would work closely with sector regulators to streamline and harmonise the obligations of CII owners under the Bill with their respective sectoral regulations.

During the closing speech for the Second Reading on Cybersecurity Bill 2018, Dr Yaacob Ibrahim, Minister for Communications and Information, answered several questions from Members of the Parliament on different aspects of the Bill.

Scope of the Bill

Some members asked about the application of the Bill to systems located overseas which are providing essential services. Minister Ibrahim replied that while Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems, they cannot be controlled by designating them as CII as they are outside Singapore’s jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes.

Minister Ibrahim highlighted the Government’s efforts to develop strong international partnerships and linkages with overseas Computer Emergency Response Teams (CERTs) to facilitate investigations of cybersecurity threats and incidents that may originate overseas.

Since CII owners often work with vendors, the Minister said that CSA will work with the sector regulators and CII owners to define the boundaries of the systems that will be designated as CII, on a case-by-case basis. He also clarified that CII owners are ultimately responsible for the cybersecurity of their respective CII. CII owners should carry out the necessary risk assessments and due diligence while deciding on vendors to engage and conditions to impose on them.

There was also a suggestion to establish an accredited framework for a national cybersecurity audit for CII stakeholders. For now, CSA plans to rely on existing sector audit regimes to ensure that the security measures are effective in protecting the CII, as an additional layer could potentially result in CII stakeholders experiencing audit fatigue. CSA will provide audit guidance to auditors and track the audit outcomes, to ensure an acceptable standard of practice.

Determination of Essential Services and CII

CII are identified as computers and computer systems that are necessary for the continuous delivery of essential services, the loss or compromise of which would have a debilitating effect on the availability of the essential services in Singapore. For each sector, CSA worked closely with the relevant sector regulator to identify the essential services within the sector, as well as the computers and computer systems.

Higher education and research institutions are not considered essential services at this point in time. However, Minister Ibrahim said that new essential services may arise in the future, and the Minister may amend the list of essential services if necessary.

He also clarified that organisations are not required to make self-assessments as to whether their computer or computer systems fulfil the criteria of a CII. Prior to designating a computer or computer system as a CII, CSA will consult its owner and the relevant sector regulator. The identified organisations will be notified in writing. CII owners will be given an opportunity to submit representations to the Commissioner (the Chief Executive of CSA will be appointed as the Commissioner) or appeal to the Minister against the designation. The Minister’s decision on an appeal will be final. The process for identifying and designating new CII in the future will be similarly considered and consultative.

Reporting requirements for CII owners

Questions were raised whether incident reporting and investigation requirements could be too onerous for CII owners, especially when they are potential victims of cyber-attacks. In reply, the Minister mentioned that there is no intention to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations.

CII owners are required to establish mechanisms and processes to detect cybersecurity threats and incidents and to promptly report incidents to the CSA. There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII. They are also required to cooperate with CSA during the investigation. When exercising investigative powers, the Commissioner will be mindful that the owners of the computer systems in question are typically also victims. CSA will be providing further details to guide CII owners in incident reporting, such as relevant forms and
guidelines.

The Minister rejected a suggestion for mandatory reporting of all cybersecurity incidents to the CSA, citing resource requirements for CSA, as well as the companies. All companies, can already voluntarily report cybersecurity incidents to CSA through SingCERT. On top of this, the Bill will provide CSA with powers to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore, including computer systems that are not CII.

Cost Implications 

There were multiple questions on compliance costs for CII owners and ensuring that those costs do not trickle down to customers. Minister Ibrahim replied that the Government bears much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level. This includes resourcing national-level cybersecurity infrastructure and manpower, conducting regular cybersecurity exercises to validate cybersecurity incident management processes, and deploying National Cyber Incident Response Teams (NCIRT) to respond to cybersecurity incidents.

Many CII owners have already put in place cybersecurity measures arising from regulations in sectors such as banking and finance and infocomm. According to the Minister, the requirements under the Bill have been carefully scoped and are considered not too onerous.

The Minister acknowledged that there might still be cost implications for some CII owners. MCI and CSA will not provide funding to offset the costs of CII obligations which are regulatory requirements. However, they will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements. Assistant Commissioners, or ACs, who are senior officers appointed from the 11 CII sectors will play a key role in ensuring that CII owners do not face
conflicting requirements under the Cybersecurity Bill and in sectoral regulations.

Assistance for CII owners 

To assist CII owners and their staff in getting ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialisation Programme for Sector Leads, also termed as CLIPS. CLIPS will focus on establishing clarity on the roles and responsibilities between the sector regulators and the CII owners, and identifying and resolving any operational issue pertaining to the respective sectors. This includes harmonising policies, and streamlining audits and incident reporting processes.

Where necessary, CSA will also give CII owners sufficient time to undertake preparations and planning, prior to issuing the cybersecurity codes of practice or standards of performance for each sector. In addition, CSA currently shares information on cybersecurity threats and vulnerabilities with the CII sectors so that appropriate actions can be taken promptly. The CERTs overseeing specific sectors also issue advisories to the operators in their respective sectors.

Safeguards on Commissioner’s powers

Addressing concerns that the broad investigation powers provided to the Commissioner by the Bill would curtail innovation or intrude into personal privacy, Minister Ibrahim clarified that there are limits to the investigation powers that can be exercised depending on the severity of the threat or incident. While all organisations, regardless of whether they are local or foreign, are required to cooperate with CSA during the investigation of cybersecurity threats and incidents pertaining to computers or computer systems in Singapore, the Government do recognise the need to balance operational expediency with the proportionate and judicious exercise of power.

For example, the Commissioner’s authorisation is required before cybersecurity officers and authorised officers can exercise more intrusive investigation powers. There will also be governance process within CSA to ensure that the investigation powers are exercised responsibly and in accordance with the Bill.

Minister Ibrahim assured that the powers under the Bill are not intended to intrude into privacy. Information and measures required under the Bill mainly target cybersecurity threats and are primarily technical and not personal in nature. For example, to aid in the detection of cybersecurity threats, information such as network logs, indicators of compromise as well as system event and audit logs may be requested.

Development of cybersecurity ecosystem

When asked if the Bill would cover less mainstream cybersecurity services such as white-hat or ethical hackers and if the Ministry could consider encouraging a local community of white-hats, Minister Ibrahim stated that the current focus is on more mainstream or mature cybersecurity services with the potential to cause significant impact on the overall cybersecurity landscape.

The proposed licensing framework is intended to reduce the safety and security risks that cybersecurity service providers can pose. The service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence.

While only two categories of services, penetration testing and managed security operations centre (SOC) monitoring, are identified to be licensable cybersecurity services, other cybersecurity services will still need to comply with other laws in Singapore, such as the CMA.

However, he acknowledged that there are diverse views on the issue of licensing cybersecurity service providers and growing the cybersecurity ecosystem. On the one hand, there is a call for even individual professionals to be regulated, while on the other hand, some expressed concerns over potential cost implications for businesses.

He clarified that for a start, the licensing framework is deliberately light-touch in view of the need to strike a good balance between industry development and cybersecurity needs. It is also due to the practical challenges to requiring individual cybersecurity professionals to be licensed, given the global nature of the cybersecurity industry.

Also, responding to an enquiry on whether the Government could create a certification system that favours cybersecurity professionals who have a vested interest in Singapore, Minister Ibrahim remarked that Singapore should remain open, and take reference from internationally recognised standards where possible.

Development of cybersecurity workforce

In response to an enquiry on the Government’s plan to grow a pool of cybersecurity professionals, Minister Ibrahim stated that the Government is collaborating with the industry to grow the cybersecurity workforce in Singapore, with Singaporeans continuing to be an important part of it.

The examples Minister gave included:

1. The Cyber Security Associates and Technologists (CSAT) programme which CSA and IMDA partner the industry and Institutes of Higher Learning (IHLs) to attract new graduates and convert existing professionals from related fields to a career in cybersecurity.
2. The Cybersecurity Professional Scheme (CSPS) under CSA through which officers will be recruited and trained in areas such as cyber forensics and vulnerability assessment, before being deployed to public agencies overseeing CII sectors to assist companies in these sectors with their cybersecurity capabilities.

Regarding the potentials of military-civilian collaborations to build cybersecurity capabilities, Minister Ibrahim shared that CSA already works closely with MINDEF on cybersecurity matters such as technology cooperation, sharing of knowledge and experience, technical support and participation in joint exercises.

Global development and standards

On how Singapore is taking into account global developments and evolving standards to tackle cybersecurity threat, Minister Ibrahim said that in formulating this Bill, the Government studied cybersecurity legislation from other countries and will continue to take reference from internationally recognised standards when developing codes of practice and standards of performance for the different sectors.

Noting that the cybersecurity environment is fast-changing, Singapore will continue to keep abreast of international developments, and review and adjust relevant laws to address new and emerging issues moving forward. Such efforts include active participation at international fora and discussions to develop international cyber norms, bilateral and regional collaborations on cybersecurity and capability development.

Public education and assistance for SMEs

People are often the weakest link, but also the strongest asset in cybersecurity.

Regarding public education efforts to enhance cybersecurity preparedness, the Minister named a few government initiatives. They include: (1) cybersecurity talks and conferences organised by the Cyber Security Awareness Alliance, (2) online cybersecurity resource available on CSA’s GoSafeOnline website, (3) annual Singapore Cyber Landscape report for public awareness.

For initiatives targeting the SMEs, IMDA’s SMEs Go Digital programme can help businesses to adopt cybersecurity solutions, give technical advice on cybersecurity and other digital concerns through IMDA’s SME Digital Tech Hub.

In general, businesses and members of the public can also sign up for SingCERT’s advisories and alerts on cybersecurity threats and incidents.

Conclusion

In conclusion, Minister Ibrahim stated the Cybersecurity Bill is an important legislation to protect the country’s critical information infrastructure and safeguard essential services from disruption by cyberattacks.

He shared that the Bill was developed under careful considerations and takes into the account the interests of the different stakeholders and Singapore’s needs. He assured that the Ministry and Government will continue to work with stakeholders from the public and private sectors to ensure that the laws remain robust and relevant, and beyond this Bill, to raise the level of cybersecurity awareness and develop the cybersecurity ecosystem in Singapore.

Lastly, he also noted that cybersecurity is not just the Government’s responsibility. Instead, all members of the society need to play a role.