New codes of practice to require online platforms to have systems covering child safety and others

SINGAPORE: The Government is looking to introduce new codes of practice that will require online platforms to put in place systems to ensure a safer online environment, said Minister for Communications and Information Josephine Teo on Friday (Mar 4).

These proposed new codes will cover three areas: Child safety, user reporting and platform accountability, the minister announced in a speech at her ministry’s Committee of Supply debate.

On child safety, the new codes will require online platforms to have robust systems in place to minimise the exposure of children and young people to harmful content. 

These include content filters for child accounts, as well as mechanisms for parents to supervise and guide their children online.

On user reporting, online platforms will have to set up “easy-to-access mechanisms” for users to report harmful content. They are also required to be responsive in evaluating and acting on these reports, while informing users of the actions taken in a timely manner. 

Mrs Teo said this will empower users to highlight harmful content that they come across and prevent further spread.

She added that members of the Sunlight Alliance for Action - an alliance formed by the Ministry of Communications and Information (MCI) last year to tackle online harms - want Internet platforms to be diligent in assessing flagged content and removing those that are harmful without delay.

“But many social media platforms tell us that they cannot be fully aware of all the content that needs moderation. Much of it is user-generated and the quantity voluminous,” the minister said.

“User reporting is therefore an important way to close the awareness gap and promote prompt follow-up action.”

Lastly, the new codes will require online platforms to provide information on what they are doing to keep users safe.

This will include the prevalence of harmful online content on their platforms, user reports they have received and acted upon, as well as the systems and processes they have to address such content.

“Users can then compare the approaches taken by platforms and make informed decisions about which to engage or disengage,” Mrs Teo said.

The new codes of practice will have the force of law, similar to the existing codes administered by the Infocomm Media Development Authority (IMDA).

“We will study how the codes can be effectively enforced, including through appropriate legislative updates,” said the minister.

Mrs Teo noted that more needs to be done to protect Singaporeans, especially the young and vulnerable, from harmful online content.

Governments worldwide have responded with new laws, she said, citing Germany and Australia as examples.

Currently, Singapore already requires Internet content providers to comply with the Internet code of practice. Under the code, IMDA has powers to take down content that goes against public interest, public morality, public order and national harmony. IMDA can also direct Internet service providers to block access to prohibited websites.

When it comes to managing children’s access to websites and online services, IMDA requires Internet service providers to offer filtering services for parents to subscribe to.

“But with the growing risks of online harms, we must step up efforts to keep online spaces safe, especially for our children,” Mrs Teo said.

Online platforms accessible by users in Singapore “can and must take greater responsibility for user safety”, she said, adding that they should “endeavour to keep online spaces free from harmful content”. 

MCI is also working with the Ministry of Home Affairs to provide Singaporeans with more protection from illegal activities carried out online, Mrs Teo added.

This includes strengthening levers to tackle online scams and the broader suite of criminal activities taking place online, such as child pornography, terrorism and content that incite violence.

“MCI has frequent engagements with our international and industry partners on issues relating to user safety. We will continue to consult extensively as we develop these new codes,” said the minister, noting that an evolving digital domain “will always test the way” regulations are designed.

“We must be prepared to regularly update these codes, introduce new ones or streamline outdated ones, to deal with emerging issues and new technologies.”

REVIEW OF CYBERSECURITY ACT

There is also the need to bolster Singapore’s cybersecurity as cyber threats become more prevalent, said Mrs Teo.

Between 2020 and 2021, Singapore saw a 73 per cent increase in reported data breach and ransomware incidents.

“As our digital realm expands, so too the threat surface. The scale and impact of such attacks elsewhere have also become more serious," she said.

There are also “heightened risks” given the crisis in Ukraine.

“Singapore is gravely concerned over the cyberattacks against Ukraine’s government websites and national banks. It illustrates how essential services can be disrupted remotely and quite easily,” Mrs Teo told the House.

Singapore “cannot disregard the potential knock-on effects” that could arrive on its shores, which is why it has advised local organisations to beef up their cybersecurity posture earlier this week, she added.

The Cyber Security Agency of Singapore (CSA) has embarked on a review of the Cybersecurity Act to ensure that the legal framework remains in line with the demands and threats of a fast-changing digital world.

In doing so, there are key questions to be addressed, said Mrs Teo. One of which is to consider what should be deemed a critical information infrastructure (CII).

“The Act currently recognises physical networks and systems as CII. With the shift to virtualisation, we must be able to recognise virtual assets as CII too, such as systems hosted on the cloud.

“We need to ensure these virtual assets are properly protected too, including those that may not be hosted in Singapore,” she said.

CSA, in a separate factsheet to the media, said it will explore expanding the Cybersecurity Act to cover “foundational digital infrastructure and key digital services”. These include cloud services and apps that are important for the country’s digital economy.

Mrs Teo said digital infrastructure and services form the backbone of the country’s connectivity, computing and data storage needs. There could be serious knock-on effects if these are disrupted or compromised.

As such, authorities will consider how to apply “a risk-based approach” to protect this infrastructure and services, and for them to recover quickly when attacked.

Authorities intend to complete the review by 2023, factoring in stakeholder and public consultations. The Act will be updated thereafter.

UPDATE OF CYBERSECURITY CODE OF PRACTICE

The CSA is also updating the Cybersecurity Code of Practice for the 11 CII sectors, it said in its media factsheet.

“As cyber threats continue to evolve and grow in sophistication, foundational cyber hygiene practices may no longer be sufficient for CII owners to defend against such threats,” the agency said.

In particular, ransomware has evolved into “a massive and systemic threat” which can pose concerns to national security and disrupt critical services.

Every CII sector also faces cybersecurity risks specific to their digital terrains, such as migration to the cloud or the use of 5G technologies, which cannot be addressed by “generic” cyber hygiene practices.

CSA said it intends to enhance the existing Cybersecurity Code of Practice to achieve three objectives – help CIIs improve their odds of defending against cyber threat actors using sophisticated threats; allow CIIs to be more agile in responding to emerging risks in specific domains; and enhance coordinated defences between the Government and private sectors against cyber threats and attacks.

Examples of the enhancements include adopting a “threat-based approach” to identify common tactics and techniques used in a cyber-attack lifecycle by threat actors. 

This will allow CSA to identify actions, develop new practices and enhance existing practices to counter and impede the activities of threat actors in a cyber-attack.

Another enhancement is allowing relevant CII sectors and specific CII owners the flexibility of adding “domain-specific practices”, such as the use of 5G technologies, on an ad-hoc basis. This will help to increase the agility of these sectors in addressing emerging risks.

Key CII stakeholders have been briefed and consulted on the enhancements, CSA said, adding that their feedback will be factored in before the enhanced Cybersecurity Code of Practice is issued next month.