SINGAPORE: The public consultation for the draft Cybersecurity Bill has closed, and attracted a more-than-expected 92 submissions from a “wide and diverse range of stakeholder groups”, according to the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA).
When the public consultation was first launched, the agencies said the protection of the country’s critical information infrastructures (CIIs) in 11 key sectors is a cornerstone of the Bill, and the sectors are: Government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
In a joint press release on Monday (Nov 13), the authorities said respondents generally shared the Government’s concerns on the impact of increasingly sophisticated cyberattacks which could potentially cause major disruptions or cripple the country’s economy.
“Respondents acknowledged the timeliness and importance of the Bill in setting the necessary legislative framework for pro-active oversight and response to cyber threats and incidents,” they said, adding that there were some reservations over some parts of the draft such as the designation of CIIs and the licensing framework.
As a result, the agencies said they intend to refine the Bill in several aspects:
- Provide more clarity over the designation of CIIs: The draft will be amended to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs. These CIIs have already informed for some time, and have been involved in exercises with the CSA, so those that have not been informed are not on the initial list.
- Removing need for CII designations to be under Official Secrets Act: There was feedback regarding the practicality of doing so by the public, so authorities are removing the need to do, saying it is more important to ensure the technical and operational details of each CII are kept confidential.
- Ensuring regulatory requirements are streamlined: Respondents had suggested that any codes of practices and standards of performance required under the new bill should account for existing sectoral ones. This was acknowledged and the agencies said the appointment of Assistant Commissioners to oversee CIIs in each sector will “ensure that the bill requirements are sensible and take into account existing sector-specific requirements”, including international ones.
- Requirements of licensing regime: The original draft proposed to license both individuals and companies in the provision of cybersecurity services, but several respondents were against licensing in any form as this could impact the development of the ecosystem here.
As a response, the agencies said they intend to simplify the framework by doing away with the need to license individual professionals and remove distinction between “investigative and “non-investigative” types of licensing. They add that only penetration testing and managed security operations centre monitoring service providers will be required to get a license at this point. Doing so gives it room for changes in the fast-evolving industry.
The agencies said they would continue to work closely with stakeholders in finalising the Bill, which they intend to introduce in Parliament in early 2018.
STEP IN RIGHT DIRECTION
Cybersecurity company FireEye was one of those who gave feedback during the consultation window, and it told Channel NewsAsia that, as a whole, the CSA has done a “good job” in factoring in public feedback.
Mr Bryce Boland, the company’s Asia Pacific CTO, told Channel NewsAsia in a phone interview that intended changes such as removing the need for OSA designations would “reduce compliance-related overheads significantly”.
The removal of the need to license individuals was also lauded, as on an operational level, he felt that it would be quite impossible to implement, given that these professionals could be freelancers or consultants roped in for specific projects, and not with the company on a permanent basis.
Mr Boland added that Singapore’s proposed bill is “unique” from other countries’ such as China because this bill does what it sets out to do – improve the cyber resilience of CIIs that the Singaporean people rely on. By contrast, other countries are “very focused” on establishing cyber sovereignty or a surveillance state with their cybersecurity laws.
“I hope that other countries will introduce similar legislation to address (today’s) cybersecurity risks,” he said.