S’pore amends cyber-security law to boost oversight of national interests, essential services

Source: Straits Times
Article Date: 08 May 2024
Author: Osmond Chia

The expanded oversight of the Cyber Security Agency of Singapore comes as threats can often be obscured with increased digitalisation.

Lawmakers on May 7 passed a Bill that seeks to expand the oversight of Singapore’s cyber-security watchdog over any computer system that is critical to the nation and at high risk of cyber attacks.

This includes temporary systems set up to support the distribution of vaccines and host key international summits and other high-profile events.

For instance, during the Covid-19 pandemic, many governments worldwide developed temporary systems to support the distribution of vaccines and many of these systems were targeted by bad actors, said Senior Minister of State for Communications and Information Janil Puthucheary in Parliament on May 7.

The expanded oversight of the Cyber Security Agency of Singapore (CSA) comes as threats can often be obscured with increased digitalisation.

Tabling the Cybersecurity (Amendment) Bill, the first changes to the Cybersecurity Act since it came into force in 2018, Dr Janil said that the Act had to be updated to keep up with evolving tech and business models, which often rely on outsourced digital services that can also span across borders.

“When the Act was first written, it was the norm for CII (critical information infrastructure) to be physical systems held on premises and entirely owned or controlled by the CII owner. But the advent of cloud services has challenged this model,” he said.

Under the amended Cybersecurity Act, CII operators in Singapore will need to declare any cyber-security outage and attack faced on their premises or along their supply chain, as long as it affects their services. The proposed law will also add new categories of entities whose digital defences will be audited by the authorities, including autonomous universities, which may hold sensitive data or perform significant functions.

The Bill was passed in Parliament with unanimous support from the House even though many questions on how CSA will designate entities of cyber-security interest, what information is deemed sensitive, and its ability to manage the increased scope of reports surfaced during the three-hour debate.

Bad actors are increasingly finding ways to target supply chains or adjacent systems. This is seen overseas, said Dr Janil, citing how in 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds, which serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the US.

Greater oversight over cyber incidents is also needed as digital services take root in everyday life, with more than nine in 10 residents communicating online, and the technology adoption rate among firms here growing to 94 per cent in 2022, up from 74 per cent in 2018, said Dr Janil.

“More of us are now online for longer and online for more varied purposes,” he said. “This means that we are exposed to more cyber risks, as every digital technology we use, every transaction we make, every connection made between computers, is a possible route for attack.”

Other nations are adopting a similar approach, he said, referring to the European Union, Malaysia, the United Kingdom and the US, which have introduced cyber-security laws to address these concerns.

The definition of “computers” will include virtual systems that are rising in usage. 

Dr Janil said: “Our interest is in the computer or computer system that is necessary for the continuous delivery of the essential service, whether it is physical or virtual.”

On the matter of third-party vendors, Dr Janil said that providers of essential services here must still be responsible for the cyber security of computer systems that they rely on. “They cannot outsource this responsibility, even if they rely on a third party’s computer system,” he said.

He clarified that CSA does not seek to regulate third-party vendors, but the providers of essential services must ensure that the systems they rely on meet the cyber-security standards mandated by Singapore.

CII operators in the essential services sectors remain answerable to CSA for any lapses. The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.

CSA will create two new classes of regulated entities – entities of special cyber-security interest and foundational digital infrastructure, which will be subjected to “light touch” regulations as they are not critical information infrastructure. Among the potential entities are autonomous universities, which may hold sensitive information of national interest, such that their disruption could cause potential adverse effects on Singapore.

The full list of entities will not be disclosed due to security reasons, Dr Janil said.

The Government will also be able to designate “systems of temporary cyber-security concern” – computer systems that are critical to Singapore and are at high risk of cyber attacks.

Organisers of key events of national significance – akin to the 2018 North Korea-US summit in Singapore or the Youth Olympic Games – can also be required to disclose their cyber-security measures, similar to the obligations imposed on CII owners.

CII owners who do not comply can face criminal penalties, as well as civil penalties, depending on the incident, said Dr Janil.

CSA will work with entities of special cyber-security interest to assess whether it is appropriate for them to fall under the enhanced regulations, said Dr Janil, responding to Nominated MP Razwana Begum’s concerns about whether organisations will be given ample time to ramp up their cyber-security measures and understand how the regulations will impact them.

Associate Professor Razwana, who was among 16 members who raised questions, said it may be useful for the authorities “to undertake an engagement campaign, alerting providers to the new obligations and offering technical, practical and financial support advice as needed”.

MPs, including Mr Louis Ng (Nee Soon GRC), also asked whether there are safeguards in place to prevent abuse of power, such as to obtain secrets.

Dr Janil said the power of inspection can be used only for the specific purposes set out by the law, and that any entity that has received a designation notice can appeal against it.

Existing laws also require CSA to preserve the secrecy of stipulated matters, including the commercial and official affairs of any person and identities of informants, he added.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.
