Singapore unveils first look at new cybersecurity laws

Singapore has unveiled the first draft of a proposed cybersecurity bill, which aims to provide a framework to monitor and manage the country's cybersecurity wellbeing and empower authorities to carry out their functions.

New legislations were necessary to enable the relevant authorities to take proactive measures to protect local critical information infrastructures (CIIs) and swiftly respond to threats and incidents. The proposed new laws also would facilitate information sharing across critical sectors, said Singapore's Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), in a joint statement Monday.

The Singapore government had listed 11 sectors considered to own CIIs, including water, healthcare, maritime, media, infocom, energy, and aviation. The public sector itself was part of this category.

Because the country was one of the world's most digital connected, serious cyberattacks would have significant impact of its CIIs were affected, according to the statement, which noted that the government had set up the CSA in April 2015 as well as unveiled a national cybersecurity strategy in moves to beef up Singapore's security posture.

Pointing to growing cyberattacks, which also were increasingly sophisticated and damaging, they added that the recent WananCrya and Petya malware attacks were "stark reminders of Singapore's vulnerability" to cyber threats. Furthermore, attacks worldwide had targeted utility plants, transportation networks, healthcare institutions, and other essential services, stressing the need to safeguard Singapore's CIIs.

The proposed cybersecurity bill aimed to establish a framework to help monitor and manage national cybersecurity efforts as well as empower CSA to carry out its functions, according to the statement.

CSA Chief Executive David Koh noted that the country's current legislation, the Computer Misuse and Cybersecurity Act, focused primarily on cybercrime. A more multi-faceted bill was necessary to oversee a cybersecurity landscape that continued to evolve, Koh said.

Amongst the proposed bill's key components was a regulatory framework targeted at CII owners, which formalised the duties of such providers in securing systems under their responsibility, including before a cybersecurity had occurred. The bill would detail CII owners' responsibilities, which would include providing information on the technical architecture of the CII, carrying out regular risk assessments of the CII, complying with codes of practice, reporting of cybersecurity incidents "within the prescribed period" after the event.

CII owners also were required to have the necessary "mechanisms and processes...to detect any cybersecurity threat in respect of its critical information", the proposed bill stated. Should they breach any mandate outlined in the legislation, they faced a fine of up to S$100,000 or imprisonment of up to two years, or both.

The bill also would provide "specific powers" to CSA officers so they could more quickly deal with cybersecurity threats. The new laws also would offer a framework to facilitate the sharing of information with and by CSA officers, for the purpose of "preventing, detecting, countering or investigating" cybersecurity threats or incidents.

In addition, the bill would introduce a licensing model for the regulation of selected cybersecurity services providers as well as individuals, including those that offered penetration testing as well as managed security operations centre (SOC) services. According to the proposed bill, "no person [may] carry out or perform licensable investigative cybersecurity service without license".

Commenting on the proposed bill, KPMG in Singapore's cybersecurity head Daryl Pereira said its focus on CII aimed to "level the playing field and raise the maturity and preparedness" of all industries in the country.

Pereira noted that small and midsize businesses and sectors such as healthcare traditionally invested less money and attention into cybersecurity, compared to industries such as banking. This had prompted more attackers to target CIIs such as hospitals.

Singapore's cybersecurity bill, hence, would increase local cybersecurity readiness and establish a robust foundation for Singapore to become a digital economy, he said.

David Siah, Trend Micro's Singapore country manager, adde: "The new cybersecurity bill is timely given the major ransomware attacks that have occurred over the first half of the year. These attacks--vicious and contagious in nature--have served as a wakeup call across nations and organisations alike.

"The new proposals place greater emphasis on CII-related sectors such as transport, energy, and healthcare, [which are] important sectors for smart city development. As the bill lays bare what the industry needs to do, we hope it can ease the anxiety surrounding cyberattacks, decode how we can tackle the issue better, and herald a new spring for the cybersecurity industry in Singapore," Siah said.

Public feedback on the proposed bill should be submitted to CSA by August 3, 2017.

Singapore to collaborate with Germany in cybersecurity

In a separate announcement, CSA said it had inked a joint declaration with Germany to boost cybersecurity collaboration between both countries.

This encompassed cooperation in areas such as joint training and research, sharing of best practices, and regular information sharing. Both nations also pledged to promote voluntary norms of responsible state behaviour in cyberspace.