SINGAPORE: A bill aimed at strengthening the protection of computer systems providing essential services against cyber-attacks passed in Parliament on Monday (Feb 5).
Under the Cybersecurity Bill, owners of computer systems directly involved in the provision of essential services for national security, defence, foreign relations, economy, public health, public safety or public order will have to report cybersecurity incidents related to these systems, and comply with other statutory obligations .
The owners of these systems - called Critical Information Infrastructure (CII) - have to comply with codes of practice and standards of performance, conduct cybersecurity audits and risk assessments, and participate in cybersecurity exercises under the Bill.
No action will be taken against CII owners for cybersecurity breaches if they comply with their obligations, Minister for Communications and Information Yaacob Ibrahim said during the second reading of the Bill on Monday (Feb 5). However, non-compliance will be an offence that will entail a maximum penalty of S$100,000, two years in jail, or both, he said.
The Bill also authorises the Cyber Security Agency of Singapore (CSA) to prevent and respond to cybersecurity threats and incident.
The chief executive of the CSA will be appointed as the Commissioner of Cybersecurity to administer the Bill. The Bill allows the Commissioner to designate as a CII any computer or computer system that is necessary for the continuous delivery of an essential service.
LICENSING FRAMEWORK FOR TWO SERVICES
The Bill also prescribes a licensing framework, which will apply to providers of two types of cybersecurity services- penetration testing and managed security operations centre monitoring.
“These providers have access to sensitive information from their clients, and the services are also relatively mainstream in our market, and hence have a significant impact on the overall cybersecurity landscape,” Dr Yaacob said.
The requirement will not apply to in-house work, and providing licensable services to related companies, he said. Failure to get a licence for a licensable service will mean a maximum penalty of S$50,000 fine, two years in jail, or both.
For a start, the licensing framework will be “light-touch” as this is a new initiative and there is a need to strike a good balance between industry development and cybersecurity needs, Dr Yaacob said.
In explaining the need for legislation in cybersecurity, Dr Yaacob pointed to a debilitating impact on the economy and society caused by cyber-attacks in other countries.
He gave the example of how the United Kingdom’s National Health Service (NHS) had to cancel at least 6,900 appointments due to the “WannaCry” ransomware attack., and how the hacking of power grids in the Ukrainian capital, Kiev, led to power disruptions that affected more than 200,000 citizens during winter.
MPs RAISE QUESTIONS ON PRIVACY, COST OF COMPLIANCE
MP for Bishan-Toa Payoh GRC Saktiandi Supaat said some people hold reservations that the authorities, while conducting their investigations, would intrude on personal privacy. He asked if there are there safeguards in place for the broad investigation powers to ensure that there is no misuse in authority, whether unintentional or not.
MP for Aljunied GRC Pritam Singh noted that the Bill gives the Commissioner and any authorized officer the power to take, remove or make copies of a hard disk, even if it is only to assess the impact or potential impact of a cybersecurity threat.
He asked what qualifies as an incident major enough for such powers to be exercised “so that the House is assured the Commissioner's powers will be used very judiciously and not against government critics and individuals”.
Responding to similar questions by several MPs, Dr Yaacob said: “Let me assure the House that the powers under the Bill are not intended to intrude into privacy,” adding that the measures and requirements are mainly technical, operational or procedural in nature.
For example, CII owners may be required to implement network perimeter defence devices such as firewalls, or to perform regular vulnerability scanning of their systems to identify potential loopholes. These measures are non-intrusive with respect to personal privacy, he said.
MPs also asked about costs that will be incurred by companies implementing cybersecurity measures. MP for West Coast GRC Patrick Tay asked if there any measures in place to ensure that the cost of compliance with CII requirements do not trickle down extensively to the consumer.
Dr Yaacob said that many owners of CIIs have put in place cybersecurity measures arising from regulations within their sectors.
There will be cost implications for some CII owners who will have to strengthen the cybersecurity posture of their computer systems to meet the requirements of the Bill, Dr Yaacob said.
However, while the Government will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Bill in the respective sectors wherever possible, no funding will be provided, he said.
“If organisations follow good security-by-design practices, they will spend less overall in the long-run to fix cybersecurity issues,” he said.