Overview of Singapore’s draft Cybersecurity Bill

August 1, 2017

On 10 July 2017, the Singapore Government released a draft Cybersecurity Bill for public consultation up to 24 August 2017.

According to the accompanying Public Consultation Paper on the Draft Cybersecurity Bill (“Consultation Paper”), the Bill has four objectives:

(a) to provide a framework for the regulation of critical information infrastructure (“CII”);

(b) to provide the Cyber Security Agency of Singapore (“CSA”) with powers to manage and respond to cybersecurity threats and incidents;

(c) to establish a framework for the sharing of cybersecurity information with and by the CSA, and the protection of such information; and

(d) to establish a light-touch licensing framework for cybersecurity service providers.

This document provides an overview of the key provisions of draft Bill.

Regulation of CII

Under the Bill, CII is defined as:

A computer or a computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.

So far, the government has identified essential services in 11 critical sectors – these are listed in the First Schedule to the Bill. They are: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, medial, land transport, air transport, and maritime.

The Bill allows the Commissioner for Cybersecurity to designate a computer or computer system as CII. It also gives the Commissioner the power to obtain information from organisations to make this determination. 

The term “owner of a critical information infrastructure” is defined in the Bill as “a person who (a) has effective control over the operations of the [CII] and has the ability and right to carry out changes to the [CII]; or (b) who is responsible for ensuring the continuous functioning of the [CII]”. 

Under the Bill, owners of CII have six key duties:

(a) To provide information on the CII’s technical architecture.

(b) To comply with codes of practice, standards of performance or directions issued by the Commissioner.

(c) To notify the Commissioner of cybersecurity incidents in respect of CII, or computers under their control that are interconnected with or that communicate with the CII.

(d) To conduct regular audits of the compliance of the CII with the Bill, codes and standards.

(e) To conduct regular risk assessments of the CII.

(f) To participate in cybersecurity exercises.

CII owners are also required to inform the Commissioner of any change of ownership of the CII, or “material changes” to the “design, configuration, security or operation” of the CII.

Response to cybersecurity threats and incidents

The Bill gives the CSA powers to investigate, respond to and prevent cybersecurity threats and incidents. These powers may be exercised in respect of any computer or computer system in Singapore, and not just CIIs.

The Commissioner’s powers vary depending on the severity of the cybersecurity situation. For all threats and incidents, the Commissioner may examine anyone relevant to the investigation and take statements, and require the provision of relevant information.

For serious threats and incidents, the Commissioner has powers that are more intrusive. The Commissioner may:

  • direct persons to carry out remedial measures, for example cleaning up malware-infected computers, and temporarily disconnecting infected computers from the network;
  • require CII owners to assist with investigations, which may include monitoring, scanning or preserving the state of the computer, and allowing investigating officers to install software on it; 
  • entering premises where relevant computers are located; and
  • taking possession of computers to carry out further examination or analysis, if certain conditions are met.

Lastly, in the case of emergency cybersecurity events, the Minister effectively has the power to take any measures necessary to prevent, detect or counter any threat.

Perhaps as a form of reassurance, the Consultation Paper states that there will be an internal governance process within the CSA to ensure that all of these powers are exercised responsibly and in accordance with the Bill, and only by qualified persons.

Regulation of cybersecurity service providers

The Bill requires service providers to obtain a license for two types of cybersecurity services: investigative and non-investigative.

The term “investigative cybersecurity service” is defined as involving the circumventing of controls in a computer, the obtaining of a deep level of access to a computer, or the testing of the cybersecurity defences of a computer. An example is searching for or exploiting cybersecurity vulnerabilities in a computer to improve its cybersecurity.

A “non-investigative cybersecurity service” means any cybersecurity service that is not investigative. Examples are monitoring the cybersecurity of a computer, assessing the compliance of an organisation’s cybersecurity policy, and providing advice on cybersecurity solutions. 

However, a person will not be held to be providing a cybersecurity service only because that person:

(a) sells self-install computer programs intended for the protection of the cybersecurity of a computer; and

(b) provides services for the management of a computer network or system, that is aimed at ensuring the availability of or enhancing the performance of the computer network or system.

Finally, licensed cybersecurity providers will have to keep records in relation to each occasion on which they are engaged to provide services, and retain those records for 3 or 5 years depending on the type of license that they hold.

Penalties

The penalties for offences under the Bill include fines of up to S$100,000 and imprisonment for up to 10 years.

Comments and public sentiment

However, some refinement may first be necessary. For example, at this stage, it is uncertain if organisations have an obligation to self-assess whether any of their computers are CII. Neither is there currently any avenue for an organisation to request that the Commissioner make a determination as to whether their computer is a CII. Given the penalties involved, providing for such a process would pave the way for certainty and put many minds at ease.

Another concern is the expansive definition of the term “owner of CII”. Under its current form, a single CII may have more than one “owner” – perhaps one of them having “effective control” over the CII’s operations and the “ability and right to carry out changes to the CII”, and the other or others having responsibility “for ensuring the continuous functioning of the CII”. In such a case, can the owners pool their resources and conduct a single instance of whatever audit or risk assessment is necessary? Or is each owner required to conduct their own audits and risk assessments (which might mean a duplication of work and unnecessary waste of money).

In interviews with the local media, some lawyers wondered about the cost of compliance, and if that cost would be passed down to consumers. Cybersecurity experts called for greater clarity on what kinds of cybersecurity services will be licensable. It has also been suggested that more should be done to encourage the sharing of cyber threat information, and that the Bill could provide safe harbour from liability for organisations that share such information.

Nevertheless, given the recent massive ransomware attacks that spanned the globe, various local stakeholders have hailed the Bill as timely and a solid first step.

Darren Grayson Chng is our International Associate Editor for Singapore