Singapore issues ISP code of practice

update SINGAPORE--The government has issued several mandatory security measures that designated Internet service providers (ISPs) must comply with as part of efforts to safeguard the country's Internet infrastructure.

According to ICT regulator, the Infocomm Development Authority of Singapore (IDA), the Resilient Internet Infrastructure Code of Practice has been issued to designated ISPs in the country--specifically, SingNet and StarHub Online--and will come into effect Apr. 30 this year.

The ISPs, however, will have until Jan. 31, 2013, to ensure full compliance, IDA said, noting that it will conduct periodic audits to monitor adoption of the code.

In an e-mail interview with ZDNet Asia, an IDA spokesperson explained that SingNet and StarHub Online were selected as licensees that must comply with code of practice because both ISPs have "effective oversight" over the country's Internet infrastructure. "This ensures the vast majority of subscribers to broadband services in Singapore are protected. The intention is to ensure the balance of effective oversight without placing unnecessary burden on the industry," she said.

SingNet is the ISP arm of local carrier Singapore Telecommunications (SingTel), while StarHub Online is a fully-owned subsidiary under StarHub providing broadband Internet services.

The spokesperson added that IDA will continue to monitor and assess how other entities involved in the national Internet infrastructure can be designated to observe the code of practice.

Operated under Singapore's telecommunications regulatory framework, the code outlines specific security controls and outcomes that ensure the right processes are in place to address current and emerging cyber threats.

"The code allows ISPs and IDA to make more informed decision so that early warning to emerging cyber threats can be developed and appropriate pre-emptive measures can be taken," IDA said in a statement. "Consumers of ISPs' services also benefit from a more coherent and effective response to cyber threats. ISPs will also put in place measures to better protect businesses and end-users from cyber attacks such as distributed denial-of-service attacks."

The mandatory measures include protection of core Internet infrastructure comprising routers, switches and other critical network components, as well as detail objectives and controls necessary to prevent, detect and respond to security incidents. These are consistent with internationally recognized standards and best practices, the ICT regulator said.

The IDA spokesperson added that designated ISPs, starting Apr. 30, will need to progressively implement essential security measures before reaching full compliance end-January 2013. "This is in recognition that they will need time to adjust their existing systems and processes," she said.

Under the code, she noted that ISPs will be required to report and provide information on security incidents, threats and vulnerabilities to the ICT regulator.

Errant ISPs to be penalized
According to the spokesperson, IDA can issue warnings or impose financial penalties of up to S$1 million (US$785,923) for any violation of the code. The ISP's license can also be suspended or revoked, she said.

She added that the code was drafted "with IDA's security imperatives" in mind, as well as with the feedback of the designated ISPs.

Leong Keng Thai, IDA's deputy chief executive and director-general of telecoms and post, said in the statement: "Cyber attacks are getting more sophisticated and large-scale cyber attacks can bring down the Internet infrastructure of nations.

"To enhance the security of the Internet infrastructure, many countries have or are in the process of requiring their Internet infrastructure service providers to put in place security requirements to protect their Internet infrastructure. IDA has worked with the designated ISPs to forge an effective code of practice that will bolster the security of our Internet Infrastructure," Leong added.

In a previous ZDNet Asia report, IDC analyst Patrick Chan called for mandatory regulations to be established in Asia to stipulate how ISPs handle infected computers on their network.

"Governments can mandate a holistic e-security code of conduct for ISPs. This is crucial for Singapore as we are shaping well in terms of infrastructure capability and capacity for cloud computing service providers," Chan said. "The last thing we want is a big-scale attack on these servers damaging the assets of clients."

Minister for Information, Communications and the Arts Lui Tuck Yew had first alluded to the Singapore government's plans to establish a code of practice during his address at the Information Security Seminar in March last year.

In October 2009, a new government agency was set up exclusively to address IT security and cyber terrorism threats.