Introducing Singapore’s new draft Cybersecurity Bill
Jul 12

On 10 July 2017, Singapore’s long-awaited draft Cybersecurity Bill was introduced. This is a timely development, especially in view of recent cybersecurity attacks such as the Advanced Persistent Threat attacks targeting two of Singapore’s universities and the global WannaCry and Petya / Petna malware attacks. As a small and highly connected nation, Singapore is dependent on info-communications technology, and cybersecurity threats need to be taken seriously. Attacks on critical information infrastructure (CII) systems that manage utilities, healthcare, transportation and other essential services can lead to disruptions that can cripple Singapore’s economy and lead to loss of life.

Even though the current Computer Misuse and Cybersecurity Act (CMCA) already has some provisions on cybersecurity, it primarily concerns cybercrime such as e-commerce scams and hacking. This draft Cybersecurity Bill caters more broadly to the security of a computer or computer system against unauthorised access or malicious acts, to preserve their availability and integrity, or the confidentiality of information stored or processed in them. The intention behind the draft Cybersecurity Bill is to have a coordinated national approach to cybersecurity, and ensure that CIIs across all sectors are protected consistently. Its provisions will apply equally to both public and private sectors.

The following are the key provisions under the draft Cybersecurity Bill:

Appointment of Commissioner and Powers

The powers of the Cybersecurity Bill will vest in the Commissioner of Cybersecurity, who has various functions including the overseeing and maintenance of cybersecurity in Singapore.

Critical Information Infrastructure

CIIs are computers or computer systems that are necessary for the continuous delivery of essential services that Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. Currently, essential services have been identified in 11 sectors, including utilities, banking and finance, media, info-communications, healthcare and transportation.

The owners of CIIs, which are defined as persons with, amongst others, effective control over the operations of the CII, have certain statutory duties, including the duty to comply with codes and directions, to conduct audits and risk assessments, to report cybersecurity incidents including any incident that occurs in respect of the CII and any incident that occurs in respect of any computer or computer system under the owner’s control that is interconnected with or communicates with the CII, and to participate in cybersecurity exercises.

Responses to Cybersecurity Threats and Incidents

If there is a cybersecurity threat or incident, the Commissioner can choose to investigate it in order to determine its impact, to prevent further harm and to prevent further incidents. These investigative powers can be delegated to authorised...

Singapore upgrades its cyber-defences
Feb 14

A recent amendment to Singapore’s Computer Misuse Act is designed to enable a “nimble and comprehensive response” to the threat of cyber-attacks. But some argue that the new Government powers are too broad and are open to abuse. We examine the key provisions of the new law and what it might mean for organisations in Singapore and beyond.

“Sophisticated and malicious”. “A real and present danger”. “A broad spectrum of attacks and threats”. These are not sensationalist headlines but comments from the Singapore Government’s Second Reading Speech on the Computer Misuse (Amendment) Bill. The language used underlines the level of concern with which the Government views the threat of cyber-attacks.

And the Singapore Government is not alone. With the recent high profile hack of the New York Times, and attacks like “Stuxnet” and “Flame” making the news and the World Economic Forum ranking cyber-attacks among the top five global risks, the issue is rapidly moving up the legislative agenda for governments around the world. As such, the new Singapore law could be a glimpse of things to come in other jurisdictions. So what are the key changes to the old legislation and what action might organisations be required to take?

New teeth

The headline provision of the new law is a broad right for the Singapore Government to compel action in the defence against cyber-attacks. Specifically, the Government can require any person or organisation to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”.

This power to compel a person or organisation to take action is the key change that the new law brings into effect. Under the previous legislation, the Government was only entitled to authorise a person or organisation to take action. The right to authorise was of course dependent on the relevant person or organisation actually electing to take the measures in question at its discretion. In short, the new law has teeth where the old law did not. But exactly what kinds of measures might organisations be required to take?

Proactive and reactive

The legislation is drafted broadly. The Government can require the taking of “measures” and compliance with “requirements”. The only condition is that the measures are “as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. The scope, therefore, is both proactive (to “prevent”) and reactive (to “detect” and “counter”) and could potentially cover both offensive (whether pre-emptive or retaliatory) and defensive actions. But...
