New Singapore Cybersecurity Bill released for public consultation
Broad cybersecurity governance
24 July 2017
On 10 July 2017, the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) released a proposed Cybersecurity Bill (Bill) for public consultation. The draft Bill aims to be a broad, omnibus cybersecurity law, instead of relying only on sector-specific legislation to govern cybersecurity. It demonstrates that cybersecurity continues to be a top priority for the Singapore Government.
The CSA was set up by the Singapore Government in April 2015 as the central agency to oversee and coordinate all aspects of cybersecurity for the nation. The CSA has spent almost two years working on the Bill, which seeks to effectively address the increasingly sophisticated cyber threats to Singapore's national cyberspace.
The Bill has four objectives:
- to provide a framework for the regulation of critical information infrastructure (CII);
- to provide the CSA with powers to manage and respond to cybersecurity threats and incidents;
- to establish a framework for the mutual sharing of cybersecurity information with the CSA, and the protection of such information; and
- to establish a light-touch licensing framework for cybersecurity service providers.
Commissioner of cybersecurity
The Bill proposes the appointment of a Commissioner of Cybersecurity (Commissioner) who will be responsible for the administration of the Bill (after it is passed). The Commissioner would also have other duties, including overseeing Singapore's cybersecurity.
Critical information infrastructure
A cornerstone of the proposed Bill is the protection of CII, which is deemed to be necessary for the continuous delivery of Singapore's essential services. The security of CII was also referenced in the Singapore Cybersecurity Strategy launched by the Singapore Prime Minister in October 2016.
In the Bill, CII is defined as a computer or a computer system that is necessary for the continuous delivery of "essential services". A list of "essential services" is included in the Bill and includes, amongst others, commercial banking services and payments clearing and settlement services, electricity generation services, water supply services, healthcare services and retail. New "essential services" may be designated by the Minister from time to time.
The Bill also allows the Commissioner to designate a computer or computer system as CII, thereby subjecting such computer or computer system to the regulatory regime in the Bill.
Who is a CII owner?
Under the Bill, an owner of CII (CII owner) is defined as a person who (i) has effective control over the operations of CII and has the ability and right to carry out changes to CII; or (ii) is responsible for ensuring the continuous functioning of CII.
A CII owner will receive a written notice from the Commissioner designating its computer or computer system as CII. CII owners who are aggrieved by the Commissioner's decision may, within 30 days of such designation, appeal against the designation to the Minister-in-charge of Cybersecurity (Minister), whose decision will be final.
Obligations of a CII owner
The Bill proposes that CII owners be subject to certain duties, including:
- a duty to appoint a contact person for the CII;
- a duty to report cybersecurity incidents in respect of the CII;
- a duty to conduct regular audits;
- a duty to conduct regular risk assessments of the CII;
- a duty to participate in cybersecurity exercises as required by the Commissioner;
- a duty to comply with such codes of practice or directions as issued by the Commissioner; and
- a duty to provide the Commissioner with information. This would include, for example, information on the technical infrastructure of the CII.
Regulation of cybersecurity service providers
Licensing of cybersecurity service providers
The Bill also seeks to introduce a light-touch licensing regime for cybersecurity service providers in Singapore. Two types of cybersecurity service licences are proposed: (i) Investigative Cybersecurity Service; and (ii) Non-Investigative Cybersecurity Service.
A licence for investigative cybersecurity services is required for cybersecurity services which: (i) involve circumventing the controls implemented in another person's computer or computer system; or (ii) require the person performing the service to obtain a deep level of access to the computer or computer system in respect of which the service is being performed, or to test the cybersecurity defences of the computer or computer system. This includes penetration testing, and services to search for or exploit cybersecurity vulnerabilities in the computer or computer system of another person for the purpose of improving the cybersecurity of that computer or computer system.
A licence for non-investigative cybersecurity services is required for cybersecurity services which include managed security operations centre monitoring services, and services monitoring the cybersecurity of a computer or computer system of another person or assessing or monitoring the compliance of an organisation's cybersecurity policy.
In-house provision of cybersecurity services will be exempted from having to obtain a licence.
The Bill provides that providers of cybersecurity services who operate without a licence shall be guilty of an offence and may be liable to a fine of up to S$50,000 and/or imprisonment for a term of up to two years.
Requirements for licensed cybersecurity service providers
It is also proposed that licensed service providers (both investigative and non-investigative) be subject to requirements including:
- ensuring that key executive officers are fit and proper persons. The criteria for considering whether a person is fit and proper include, amongst others, honesty, integrity and financial soundness;
- retaining service records for five years (e.g. client information, service provided, name of employee who provided the service);
- complying with a Code of Ethics (e.g. maintaining the confidentiality of client information); and
- implementing a process to ensure that employees performing the licensable services are fit and proper.
The CSA will conduct audits from time to time to ensure that licensing requirements are met. The Bill provides that a licensee who fails to comply with any licence condition shall be guilty of an offence and may be liable to a fine of up to S$10,000 and/or imprisonment for a term of up to one year.
The CSA will conduct further consultations with the industry before the licensing framework becomes operational.
Powers to investigate cybersecurity threats and incidents
Under the Bill, the Commissioner and Minister will be given a range of powers which may be exercised depending on the severity of the situation. There are three proposed scenarios for the exercise of power:
All cybersecurity threats and incidents
Where the Commissioner has information regarding a cybersecurity threat or incident, the Commissioner may examine anyone relevant to the investigation, take statements and require the provision of relevant information.
A person so examined who, in good faith, discloses any information to an investigating officer shall not be treated as being in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct.
Serious cybersecurity threats and incidents
Where the Commissioner receives information regarding a serious cybersecurity incident, the Commissioner may direct persons to carry out remedial measures and assist with the investigation, enter premises where relevant computers and computer systems are located, access such computers, and scan computers for cybersecurity vulnerabilities.
The Commissioner may also seize any computer or equipment for the purpose of carrying out further examination and analysis, if: (i) it is necessary for the investigation; (ii) there is no less disruptive way of achieving the investigation's purposes; and (iii) the Commissioner is of the view that the benefit from so doing outweighs the detriment caused to the owner of the computer system.
A cybersecurity threat or incident is deemed serious if: (i) it creates a real risk of significant harm being caused to CII; (ii) it creates a real risk of disruption being caused to the delivery of an essential service; (iii) it creates a real threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; or (iv) the cybersecurity threat is of a severe nature, in terms of the severity of harm that may be caused or the number of computers or value of information put at risk, whether or not the computers or computer systems put at risk are of the nature of CII.
Emergency measures and requirements
The Minister may authorise any person or organisation to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services.
To do so, the Minister must be satisfied that such measures are necessary to prevent, detect or counter any threat to the essential services or national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
The Bill demonstrates the Singapore Government's commitment to national cybersecurity. It will apply to any CII located wholly or partly in Singapore.
As an indication of the seriousness with which cybersecurity is viewed, the Bill proposes that officers of a body corporate may also be liable if the offence of which the body corporate is guilty (i) was committed with the consent or connivance of the officer; or (ii) is attributable to any neglect on the officer's part.
The MCI and CSA have invited all industry members and members of the public to comment on the draft Bill by 3 August 2017. We will be preparing a response, and invite comments for inclusion in (or expansion upon) our response.