A landmark Bill to strengthen cybersecurity in Singapore and safeguard its essential services from cyber attacks was passed into law on Monday.
With the new law, owners of critical information infrastructure (CII) in 11 key sectors will have to report cybersecurity incidents to the Commissioner of Cybersecurity—the chief executive of the Cyber Security Agency (CSA) of Singapore, a government agency under the Prime Minister's Office which has centralised oversight of national cybersecurity policy.
The Commissioner has the power to demand information and seize computer terminals from entities if they are essential for investigations.
The sectors are those dealing with energy, water, banking and finance, healthcare, transport (including land, maritime and aviation), infocomm, media, security and emergency services, and government.
Some Members of Parliament expressed concerns during the parliamentary debate on the Bill—these included, among others, compliance costs which would weigh especially heavily on Small and Medium Enterprises, the wide-ranging powers of the Commissioner and safeguards to protect consumer privacy.
Dr Yaacob Ibrahim, Singapore Minister for Communications and Information, addressed each of these concerns during his closing speech after the three-hour debate.
“To minimise regulatory costs, we will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Bill and in their respective sectors, wherever possible.
“It is also in the interest of CII owners and their vendors to spend adequately on cybersecurity measures. They should consider not only the upfront cost of such measures, but also the cost of potential breaches, including the intangible costs arising from any damage to their reputation. If organisations follow good security-by-design practices, they will spend less overall in the long run to fix cybersecurity issues,” he said.
He also assured the MPs that, when it came to privacy concerns, information collected would be carefully scoped, primarily technical and not personal in nature. CSA would notify the computer system owners wherever possible prior to deploying intrusive investigation tools.
“The Bill protects information disclosed to CSA under the Bill by requiring persons who obtain it in the course of performing their functions or discharging their duties under the Bill to keep it confidential, and by specifying the circumstances under which it can be disclosed. Misuse of the information by the Commissioner or other specified officers will be a criminal offence,” he added.
Failure to comply with incident reporting requirements or orders from the Commissioner could result in a maximum penalty of $100,000 or 2 years’ imprisonment or both.
The new cybersecurity law also features a licensing framework for providers of penetration testing and managed security operations centre monitoring services. Public consultation on the draft Bill took place from July to August 2017 and drew over 90 responses. MCI and the CSA responded to the feedback in November, clarifying questions such as designation of CIIs and duties of CII owners, prior to the passing of the Bill.