A recent amendment to Singapore’s Computer Misuse Act is designed to enable a “nimble and comprehensive response” to the threat of cyber-attacks. But some argue that the new Government powers are too broad and are open to abuse. We examine the key provisions of the new law and what it might mean for organisations in Singapore and beyond.
“Sophisticated and malicious”. “A real and present danger”. “A broad spectrum of attacks and threats”. These are not sensationalist headlines but comments from the Singapore Government’s Second Reading Speech on the Computer Misuse (Amendment) Bill. The language used underlines the level of concern with which the Government views the threat of cyber-attacks. And the Singapore Government is not alone. With the recent high profile hack of the New York Times, and attacks like “Stuxnet” and “Flame” making the news and the World Economic Forum ranking cyber-attacks among the top five global risks, the issue is rapidly moving up the legislative agenda for governments around the world. As such, the new Singapore law could be a glimpse of things to come in other jurisdictions. So what are the key changes to the old legislation and what action might organisations be required to take?
The headline provision of the new law is a broad right for the Singapore Government to compel action in the defence against cyber-attacks. Specifically, the Government can require any person or organisation to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”.
This power to compel a person or organisation to take action is the key change that the new law brings into effect. Under the previous legislation, the Government was only entitled to authorise a person or organisation to take action. The right to authorise was of course dependent on the relevant person or organisation actually electing to take the measures in question at its discretion. In short, the new law has teeth where the old law did not. But exactly what kinds of measures might organisations be required to take?
Proactive and reactive
The legislation is drafted broadly. The Government can require the taking of “measures” and compliance with “requirements”. The only condition is that the measures are “as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”.
The scope, therefore, is both proactive (to “prevent”) and reactive (to “detect” and “counter”) and could potentially cover both offensive (whether pre-emptive or retaliatory) and defensive actions. But organisations will want to know what this could mean in practice. The legislation is quite helpful in this respect because it includes a non-exhaustive list of the kinds of measures that could be required. An organisation might, for example, be required to provide information about the design, configuration, operation or security of its IT systems, or details of any breaches or attempted breaches of the security of those systems. In practice, this could include information about firewall rules, anti-virus protection and network architecture. Potentially an even greater burden on an organisation would be if the Government were, on a “preventative” basis, to mandate the implementation by that organisation of certain minimum data security standards.
A further power conferred on the Government is to authorise an organisation to direct a third party to provide the relevant information. For example, the Government might authorise an organisation to direct its hosting or cloud services provider to provide the required information.
Broad powers – but when can they be exercised?
Although the powers conferred on the Government are broad, the legislation does limit them in the sense that they can only be exercised where the Minister of Home Affairs is “satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore”. Clearly, this is something of a subjective test and will do little to address concerns about the potential for abuse of power.
The concept of “essential services” for these purposes is another aspect of the previous legislation that has been broadened. In addition to the elements which were already part of this definition (communications infrastructure, banking and finance, public utilities, transportation, key infrastructure and emergency services such as police or civil defence), “essential services” now also includes aviation, shipping and health services.
Foreign relations of Singapore
The reference to “foreign relations of Singapore” is also important. The Singapore Government has shown a willingness to cooperate with enforcement organisations in other parts of the world, which is perhaps an indication of the fact that communications infrastructure, and therefore the associated threat of cyber-attacks, is, by its nature, not limited to territorial boundaries. The Government has already announced that it is working with the European Cybercrime Centre (or “EC3”), which itself was only launched on 14 January 2013. As such, the ability for the Singapore Government to exercise its powers under the new legislation in relation to “a threat to the…defence of…foreign relations of Singapore” could be a useful one for the Government’s cooperative efforts. But for Singapore organisations, it means that they could, for example, be required to disclose information in relation to an actual or potential cyber-attack beyond Singapore’s borders – whether in Europe or elsewhere.
There are also implications for organisations outside of Singapore. Where an offence is committed under the legislation by “any person in any place outside Singapore”, that person “may be dealt with as if the offence had been committed within Singapore” where, for the offence in question, “the accused was in Singapore at the material time or…the computer, program or data was in Singapore at the material time”. So for organisations that have any kind of presence in Singapore (whether a physical presence or a digital presence), or which do business with Singapore (for example, with Singapore-based cloud services, IT security or software providers), there is the potential to be pulled within the scope of the new law.
Enforcing the new law
To further underline the concern with which the Singapore Government views this issue, the new law attaches criminal liability to a failure to comply. Unless there is a “reasonable excuse”, there is the threat of a fine not exceeding $50,000 or, perhaps more concerning for senior management of organisations that could be affected, imprisonment for up to 10 years, or both. So organisations will certainly need to take any Government request under the legislation seriously.
The new law is certainly not without controversy. Concerns are focused on four areas: confidentiality and data privacy, implications for third parties, potential for abuse and cost of compliance.
Confidentiality and privacy
The first key concern that has been raised is about the prospect of organisations being required to disclose highly-sensitive commercial information such as network architecture and software source code. This concern applies not only in relation to disclosure of information to the Government but also if a third party is required to provide information through the organisation that is the subject of the Government’s request (for example – if a software vendor is required to disclose information to a telco that has received the request from the Government). There is also concern that the new law could potentially require the disclosure of personal data, whether it is relevant to the threat in question or not.
The Government sought to address these issues by including in the legislation various safeguards to protection the information obtained. The information obtained is to be used or disclosed only for the purpose of preventing, detecting or countering the threat. Otherwise, written permission would be required. Failure to comply with such obligations is itself an offence, carrying a maximum fine of $10,000 or imprisonment for up to 12 months, or both. The only exception to the obligation to disclose information is information that is subject to legal privilege. However, given the broad scope for which information could potentially be used (“preventing, detecting or countering”), these provisions may do little to address the confidentiality and privacy concerns.
Implications for third parties
What, meanwhile, about an organisation’s legal or contractual obligations to third parties? The new law seeks to address this, too. It provides an organisation with immunity for acts done in good faith pursuant to Government directions. However, although the immunity from civil and criminal liability may be helpful in freeing up the organisation to take the required action, it is not likely to be good news for businesses with which they contract. This is perhaps less relevant for the issue of confidentiality, since standard contractual boilerplate often contains an exception to confidentiality obligations in the event of a governmental or regulatory intervention. However, what about a failure to perform to required service levels? For example, if a hosting provider is required by the Government to take certain actions to target a particular piece of malware and those actions result in service degradation or disruption constituting a failure by that provider to meet the service levels required in a customer contract, the provider could claim immunity in legal proceedings against them by the customer. Without recourse to ordinary “breach of contract” remedies, customers doing business with Singapore providers may seek to include alternative contractual mechanisms. This might, for example, include a right of termination if the provider becomes the subject of an action to which the new law relates. Alternatively, at the more extreme end of the scale, a potential customer with knowledge of the new law and its implications might think twice about selecting a Singapore-based provider.
Open to abuse?
Given the broad scope of powers and the broad right to exercise them, there has been concern in some quarters that the law is open to abuse. Christopher de Souza, MP, commented: “It might be beneficial, it might be prudent, both for the public, as well as the government, to explain what threshold must be met, or what factors will play in the minds of the Ministry of Home Affairs, before the power to issue directions, is exercised”. However, the legislation is deliberately broad in scope, so it seems unlikely that the Government will provide any more detailed guidance. What the Government has offered is the prospect of pre-consultation. In its Second Reading Speech, the Government stated that, “Before a certificate is issued by the Minister, CII [Critical Information Infrastructure] stakeholders will be consulted on the implications, where practicable”. The “where practicable” would appear to be key here, since given the “rapidly evolving nature and complexity of the threat” (to use the Government’s description), it may well decide in many cases that pre-consultation is not appropriate. In Parliamentary debate, some MPs argued that a panel should be set up to review decisions after execution to safeguard against abuse. This was rejected by the Government, “given the sensitivity and nature of the content” in question.
Cost of compliance
What, meanwhile, of the costs of complying with the new law? The Government’s Second Reading Speech indicates that these costs are unlikely to be borne by the Government: “It is…in the interests of a CII stakeholder to proactively invest in preventive cybersecurity measures. This is because a successful cyber attack could lead to significant financial loss and reputational damage for the CII stakeholder. Hence…CII stakeholders will generally be expected to bear the cost of these measures”. The prospect of bearing the cost of an action requested by the Government is potentially an onerous burden that organisations will need to bear in mind.
Conclusions: Singapore and beyond
Singapore has moved quickly in passing this legislation given that the amendments were only proposed just over two months ago. However, it seems likely that similar legislation will follow in a number of other jurisdictions. Brussels, for example, is reportedly finalising a bill that, amongst other things, would require the EU’s member states to set up local cyber-security agencies. Whether equivalent legislation in other jurisdictions will be as broad (both in terms of the scope of powers and the circumstances in which they can be exercised) as that which is now on the statute books in Singapore remains to be seen. But with the issue climbing legislative agendas around the world, and given the global nature of the perceived threat, it seems certain that the approach to cyber-security is going to require an integrated approach from organisations’ legal, compliance and technical teams – both in Singapore and beyond.
This article by Olswang’s Rob Bratby and Matt Pollins was originally featured in E-Commerce Law and Policy.