On 10 July 2017, the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) announced the commencement of a public consultation exercise on the proposed Cybersecurity Bill.
The much-awaited release of the draft Bill follows the Government's announcement in May 2016 that a new, standalone Cybersecurity Act would be tabled in Parliament this year. Prior to the publication of the draft Bill, the Government had provided insights on the impending Cybersecurity Act.
Firstly, Part 2 of the draft Bill addresses the administration of the Act.
Section 4 provides that the Minister-in-charge of Cybersecurity may appoint a Commissioner of Cybersecurity, who is responsible for administering the Act. The position will be held by the Chief Executive of the CSA. The Minister may further appoint a Deputy Commissioner, as well as a number of Assistant Commissioners to enforce the protection requirements for critical information infrastructure (CII) owners. Moreover, the Minister may appoint public sector officers from the CSA and sector regulators to carry out the Act.
The proposed changes ensure coordinated oversight of Singapore's cybersecurity framework, thereby facilitating the consistent protection of CIIs across all sectors. This whole-of-government approach marks a departure from the Computer Misuse and Cybersecurity Act (CMCA), which vests the requisite powers in the Minister.
Next, section 10 of the draft Bill subjects CII owners to new statutory duties, as follows:
- providing the Commissioner with information on the technical architecture of the CII;
- complying with codes of practice and directions;
- notifying the Commissioner of cybersecurity incidents;
- conducting regular audits;
- performing regular risk assessments of the CII; and
- participating in cybersecurity exercises.
In addition, section 7 empowers the Commissioner to identify and designate new systems as CII for the purposes of the Act.
This is a welcome inclusion as the CMCA does not delineate the security obligations of organisations. From a practical standpoint, the proactive measures envisioned by the Bill will be important in mitigating the impact of cybersecurity incidents.
With regard to the scope of investigative powers, Part 4 of the Bill provides a comprehensive framework for the authorities to investigate cybersecurity threats and incidents.
At present, section 15A of the CMCA empowers the Minister to direct an organisation to take cybersecurity measures in relation to threats to national security or essential services.
The draft Bill expands on the applicability and intrusiveness of these powers.
Under section 20 of the draft Bill, if the Commissioner has received information on a cybersecurity breach, the Commissioner may examine anyone relevant to the investigation, take statements, and require the provision of relevant information. In relation to serious cybersecurity threats, section 21 empowers the Commissioner to take more intrusive measures, including directing persons to carry out remedial measures; entering premises where the relevant computers are located; accessing the computers in question; and seizing the computers for further examination. As for emergency cybersecurity measures and requirements, section 24 adapts the wording of section 15A of the CMCA.
The new provisions provide a more robust framework for responding to cyber threats, which have increased in frequency and complexity. In recent months, large-scale ransomware attacks have affected numerous organisations around the world. Accordingly, the wide investigative powers under Part 4 will equip the authorities to effectively prevent and respond to cybersecurity incidents at the national level.
Finally, Part 5 of the Bill addresses the regulation of cybersecurity service providers. For a start, the CSA is proposing to license penetration testing service providers and individuals under an investigative cybersecurity service licence, and managed security operations centre monitoring service providers under a non-investigative cybersecurity service licence.
In this regard, the draft Bill looks to improve assurances on the security and safety of cybersecurity service providers, who may have significant access to their clients' computer systems. In the long term, these measures would help to ensure that service providers meet baseline quality requirements, thereby addressing the information asymmetry faced by buyers who are unable to identify credible service providers.
The public consultation exercise will close on 3 August 2017. Going forward, it will be interesting to see if the current iteration of the draft Bill remains materially unchanged thereafter. In the meantime, business owners would be prudent to ensure that they are cognisant of their impending statutory duties, which are likely to be far more onerous than existing legal obligations.