25 January, 2018
On 8 January 2018, the Government introduced in Parliament for first reading the long-expected Cybersecurity Bill (the “Bill”).
Here are four things to know about the proposed new legislation.
The role and powers of the Commissioner for Cybersecurity (the “Commissioner”)
The Commissioner is given broad statutory responsibilities for overseeing and promoting cybersecurity in Singapore. His role is primarily to monitor and deal with cybersecurity threats and incidents, identify and regulate critical information infrastructures, and license and regulate certain types of cybersecurity service providers.
Critical Information Infrastructures will come under regulation
Under the new Cybersecurity Act (the “Act”), the Commissioner will be able to designate, by notice in writing, any computer or computer system as a Critical Information Infrastructure (“CII”) if he is satisfied that the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of which will have a debilitating effect on the availability of the essential service. An “essential service” is any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. The list is specified in the First Schedule to the Act.
CIIs may be subject to codes of practice and standards of performance issued by the Commissioner and are also subject to the general directive powers of the Commissioner. They must report various matters to the Commissioner and may be required to undertake periodic cybersecurity audits and risk assessments, and also to participate in cybersecurity exercises.
What is not quite clear (at least on the face of the Bill) is whether the expenses associated with such matters are to be borne by the owner of the CII or whether the Government might help to co-fund some parts of this.
A Consolidated Legal Regime to deal with Cybersecurity Threats and Incidents will be established
In general, the Commissioner has broad powers to investigate and prevent cybersecurity threats and incidents, including obtaining information and records in various forms.
In the case of cybersecurity threats and incidents that meet a defined severity threshold, the Commissioner has the power to take pre-emptive action, including entering premises (upon giving reasonable notice to the owner or occupier), performing scans and even (in exceptional circumstances) taking possession of any computer or other equipment.
In exceptional emergency situations (which are defined as a serious and imminent threat to the provision of any essential service or to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore), Singapore’s Minister-In-Charge Of Cyber Security (the “Minister”) is able to take the political decision to step in. The Minister can issue a certificate and authorise further extraordinary action to be taken to prevent, detect or counter any threat to any computer or computer system, or any class thereof. The wording of the statute appears to extend to permitting the Minister to even authorise computer hacking, provided that this is necessary to identify, detect or counter the threat.
Cybersecurity service providers will come under licensing and regulation
The following cybersecurity services are licensable:
(a) Managed Security Operations Centre (SOC) Monitoring Service – This is defined as a service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information stored in, processed by or transmitted through the computer or computer system.
(b) Penetration Testing Service – This is defined as a service for assessing, testing and evaluating the level of cybersecurity of a computer or computer system by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system.
The shape of the licensing regime for such service providers follows the typical structure of a licensing regime. The service provider must put in an application, which will be assessed by the Commissioner as the licensing officer. Upon being licensed, the service provider will be required to comply with various business conduct requirements on an ongoing basis, including the keeping of records and so on.