SINGAPORE: The public are invited to provide feedback on the proposed Cybersecurity Bill, which aims to provide the Cyber Security Agency of Singapore (CSA) with the powers to manage and respond to cybersecurity threats, and sets out the responsibilities for owners of critical information infrastructure (CII) in key sectors.
In a joint press release on Monday (Jul 10), the Ministry of Communications and Information and CSA said the recent Advanced Persistent Threat (APT) attacks targeting the country's two universities and global ransomware incidents which reached Singapore serve as "stark reminders" of its vulnerability to online threats.
They added that attacks on systems that run utility plants, transportation networks, hospitals and other essential services are "growing", so the protection of the country's CII in 11 key sectors is a "cornerstone" of the proposed bill.
The 11 key sectors are: Government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
The proposed bill will specifically:
- Provide a framework for the regulation of CII owners. This formalises the duties of these owners in ensuring the security of their computer networks, even before an incident occurs.
- Provide CSA with powers to manage and respond to cybersecurity threats and incidents. The powers of the Bill shall be vested in a Commissioner of Cybersecurity, and this position will be held by the CSA's chief executive.
It would also give the Commissioner the ability to investigate the threat or incident, with the objectives of (i) determining the impact or potential impact of the threat or incident; (ii) preventing further harm from arising from the same incident; and (iii) preventing further cybersecurity incidents from arising from the threat or incident.
"The level of intrusiveness of powers that may be exercised will depend on the severity of the situation," according to the consultation paper.
- Establish a framework for the sharing of cybersecurity information with and by CSA officers, and the protection of such information. Under the Bill, CSA officers will be able to receive and share information with relevant parties for the purpose of "preventing, detecting, countering or investigating any cybersecurity threat or incident", the press release said.
- Introduce a lighter-touch licensing framework for the regulation of selected cybersecurity service providers. For a start, the Bill proposes licensing the provision of penetration testing and managed security operations centre (SOC) services, and there will be two types of licence: investigative cybersecurity service and non-investigative cybersecurity service.
There were also penalties proposed for various cybersecurity incidents.
For instance, the maximum penalty for Section 20, which applies to "all cybersecurity threats and incidents", was proposed to be S$5,000 or jail of up to six months. The penalty for "serious cybersecurity threats and incidents" was proposed to be S$25,000 or imprisonment of up to two years, according to the consultation paper.
"In many cases, the people that CSA will be dealing with during cybersecurity threats and incidents will likely be the “victims” – these are the owners of computer systems that have been compromised. The penalties are not intended to penalise these owners for cybersecurity breaches," it elaborated.
"Rather, the penalties will be levied only in cases of wilful non-compliance of instructions or wilful refusal to provide information."
MCI and CSA said the public consultation paper is available on the REACH portal and CSA's website. Feedback can be submitted from Monday and must reach either agency no later than Aug 3 at 5pm, they added.