Singapore upgrades its cyber-defences
Feb14

Singapore upgrades its cyber-defences

A recent amendment to Singapore’s Computer Misuse Act is designed to enable a “nimble and comprehensive response” to the threat of cyber-attacks. But some argue that the new Government powers are too broad and are open to abuse. We examine the key provisions of the new law and what it might mean for organisations in Singapore and beyond. “Sophisticated and malicious”. “A real and present danger”. “A broad spectrum of attacks and threats”. These are not sensationalist headlines but comments from the Singapore Government’s Second Reading Speech on the Computer Misuse (Amendment) Bill. The language used underlines the level of concern with which the Government views the threat of cyber-attacks. And the Singapore Government is not alone. With the recent high profile hack of the New York Times, and attacks like “Stuxnet” and “Flame” making the news and the World Economic Forum ranking cyber-attacks among the top five global risks, the issue is rapidly moving up the legislative agenda for governments around the world. As such, the new Singapore law could be a glimpse of things to come in other jurisdictions. So what are the key changes to the old legislation and what action might organisations be required to take? New teeth The headline provision of the new law is a broad right for the Singapore Government to compel action in the defence against cyber-attacks. Specifically, the Government can require any person or organisation to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. This power to compel a person or organisation to take action is the key change that the new law brings into effect. Under the previous legislation, the Government was only entitled to authorise a person or organisation to take action. The right to authorise was of course dependent on the relevant person or organisation actually electing to take the measures in question at its discretion. In short, the new law has teeth where the old law did not. But exactly what kinds of measures might organisations be required to take? Proactive and reactive The legislation is drafted broadly. The Government can require the taking of “measures” and compliance with “requirements”. The only condition is that the measures are “as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. The scope, therefore, is both proactive (to “prevent”) and reactive (to “detect” and “counter”) and could potentially cover both offensive (whether pre-emptive or retaliatory) and defensive actions. But...

Read More