CYBERSECURITY AND DATA PROTECTION - March 2024

The Ongoing Pursuit of Cybersecurity – Singapore Looks to Enhance Cybersecurity Act

By Rajesh Sreenivasan, Steve Tan, Benjamin Cheong and Lionel Tan (Rajah & Tann Singapore LLP)

I. Introduction

Singapore holds a position as one of the most digitally competitive countries in the world, with individuals and institutions enjoying high levels of connectivity and with the ubiquitous adoption of digital solutions for business, transactions and essential operations.

However, with the increasing reliance on technology and the internet, the risks of cyber threats have also grown. Incidents of cyber attacks such as phishing, malware, ransomware, and denial-of-service attacks are constantly on the rise, with new threats emerging each day. Singapore in particular stands as an attractive target to cyber criminals, having seen attacks against our Government agencies, universities, financial institutions, and enterprises.

Cybersecurity is thus a fundamental priority at a national level to protect individuals, businesses, and institutions from unauthorised access, theft, and damage to their sensitive information and systems. A strong cybersecurity framework is essential to safeguard against cyber attacks that can disrupt critical infrastructure and services.

The Cybersecurity Act, which came into force in August 2018, is the law that governs the oversight and maintenance of national cybersecurity in Singapore. It establishes a framework for: (i) the protection of critical information infrastructure ("CII") against cybersecurity threats; (ii) the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore; and (iii) the regulation of providers of licensable cybersecurity services.

However, cybersecurity needs are constantly changing. Businesses are adopting new technological models such as cloud computing, and are increasingly engaging vendors and service providers in the supply chain. Combined with the increasing connectivity and data storage needs arising from Singapore’s rapid digitalisation, it has become necessary to keep Singapore’s cybersecurity framework up to date.

The Cybersecurity Agency of Singapore ("CSA") has thus introduced the draft Cybersecurity (Amendment) Bill ("Draft Bill"), which seeks to update the Cybersecurity Act to address emerging challenges, including the growing importance of digital infrastructure such as cloud storage services and data centres. In particular, the Draft Bill focuses on the importance of entities in charge of key digital infrastructure other than CII, and seeks to prevent widespread service disruption by increasing oversight over their cybersecurity and requiring compliance with minimum standards.

Essentially, the Draft Bill seeks to:

  • Update existing laws pertaining to CII;
  • Extend the Commissioner of Cybersecurity’s ("Commissioner") oversight; and
  • Enable a greater situational awareness of the cybersecurity threats to foundational digital infrastructure, and the power to mandate relevant baseline cybersecurity standards.

CSA held a public consultation on the Draft Bill from 15 December 2023 to 15 January 2024. While the results of the consultation are pending, it would be worthwhile to examine the potential impending changes.

This article provides an overview of the Cybersecurity Act as it currently stands and highlights the key amendments proposed in the Draft Bill.

II. Cybersecurity Act

The Cybersecurity Act was initially formulated by studying cybersecurity legislation from other countries such as Germany, Estonia, the US, Thailand and Vietnam, and by consultation with industry associations, cybersecurity professionals, sector regulators, potential key CII stakeholders and the general public. It stands as a landmark piece of legislation in the context of Singapore's digital economy, demonstrating an emphasis on the proactive protection of CII against cyber-attacks.

The Cybersecurity Act currently serves the following main functions.

  • Protection of CII – CII are computer systems directly involved in the provision of essential services. The Cybersecurity Act provides a framework for the designation of CII, and provides CII owners with clarity on their cybersecurity. The CII sectors are: Energy, Water, Banking and Finance, Healthcare, Transport, Infocomm, Media, Security and Emergency Services, and Government.

The duties of an owner of a CII include:

    • to provide the Commissioner with information relating to the CII;
    • to comply with codes of practice, standards of performance or written directions as may be issued by the Commissioner;
    • to notify the Commissioner of any change in ownership;
    • to notify the Commissioner of any prescribed cybersecurity incidents;
    • to cause regular audits of the compliance of the CII;
    • to carry out regular cybersecurity risk assessments; and
    • to participate in cybersecurity exercises as required by the Commissioner.
  • Empowering CSA – The Cybersecurity Act empowers CSA and the Commissioner to investigate cybersecurity threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising. This includes the power to order attendance and examination and the production of documents and information.

For cybersecurity threats or incidents which cross the severity threshold, the Commissioner may exercise a set of more intrusive powers, including the power to: (i) direct remedial measures or cessation of activity; (ii) order assistance in investigations; (iii) access, inspect and check the operation of affected computers; and (iv) take possession of computers or equipment.

  • Cybersecurity service providers – The Cybersecurity Act adopts a light-touch approach to licensing designated cybersecurity service providers. Currently, this covers two categories of service providers – penetration testing and managed security operations centre monitoring.

III. Draft Bill

CSA has stated that the broad purposes of the amendments in the Draft Bill are to:

  • Keep pace with developments in technology and industry practices;
  • Look beyond CII to ensure the cybersecurity of other important systems and infrastructure; and
  • Respond to evolving cybersecurity challenges by updating regulations to ensure that the Commissioner has early and timely information of the cybersecurity vulnerabilities, threats, and incidents that affect CIIs, and other identified systems and infrastructure.

With regard to CII, the Draft Bill seeks to facilitate advances in computing services (such as cloud computing), as well as to improve operationalisation of the provisions governing CII cybersecurity.

  • Computing vendors – The Cybersecurity Act currently imposes duties on the owners of CII on the basis that providers of essential services tend to own the CII used to deliver such essential services. However, CSA has acknowledged new business models where an essential service provider may use virtual computers or other vendors to help provide the essential services. To facilitate this, and to maintain cybersecurity outcomes, the Draft Bill introduces a new Part 3A for essential service providers that choose to make use of non-provider-owned CII from a computing vendor. The Draft Bill allows the Commissioner to subject such essential service providers to duties in relation to the non-provider-owned CII, which are designed to ensure the same cybersecurity outcomes as the duties imposed on CII owners. This includes the following duties:
    • To provide the Commissioner with information on the non-provider-owned CII;
    • To comply with relevant codes of practice, standards of performance or written directions;
    • To notify the Commissioner of any change in the ownership of the non-provider-owned CII;
    • To notify the Commissioner of any prescribed cybersecurity incident involving the non-provider-owned CII;
    • To cause regular audits and risk assessments of the non-provider-owned CII; and
    • To participate in cybersecurity exercises.
  • Incident reporting – The Draft Bill proposes to expand the types of cybersecurity incidents that must be reported in respect of provider-owned CII, for example incidents involving computer systems under the control of a supplier that are interconnected or communicate with the provider-owned CII. It also proposes reporting duties for providers of essential services in respect of non-provider-owned CII.

Apart from CIIs, the Draft Bill recognises other nationally important computer systems that face heightened risks and entities of special cybersecurity interest. It proposes to extend the CSA's oversight over these entities and to ensure that they meet an adequate level of cybersecurity.

  • Designation of entities – Under the Draft Bill, the Minister or Commissioner is empowered to designate certain prescribed categories of entities:
    • Foundational digital infrastructure ("FDI") services that promote the availability, latency, throughput or security of digital services;
    • Major FDI service providers where the impairment or loss of the FDI service could lead to disruption to a large number of businesses or organisations;
    • Entities of special cybersecurity interest ("ESCIs") that store sensitive information or use computers to perform a function which, if disrupted, is likely to have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety, or public order of Singapore; and
    • Systems of temporary cybersecurity concern ("STCC") where the risk of a cyber-attack is high, and their loss or compromise would have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. An STCC may be designated as such for a period of up to one year.
  • Duties – Once designated, a major FDI service provider, ESCI or STCC would be subject to several duties, including the following:
    • Provision of information related to their cybersecurity;
    • Compliance with codes of practice, standards of performance or written directions; and
    • Notification of prescribed cybersecurity incidents:
      • FDI – Incidents that result in a disruption or degradation to the continuous delivery of the FDI service, or incidents that have a significant impact on the major FDI provider’s business operations in Singapore.
      • ESCI – Incidents that result in a breach of the availability, confidentiality or integrity of the ESCI’s data, or incidents that have a significant impact on the business operations of the ESCI.
      • STCC – Prescribed cybersecurity incidents in respect of: (i) the STCC; (ii) any computer or computer system under the owner’s control, that is interconnected with or that communicates with the STCC; and (iii) any computer or computer system under the control of a supplier to the owner that is interconnected with or communicates with the STCC.

IV. Concluding Remarks

The proposed amendments in the Draft Bill demonstrate a forward-looking approach by the Singapore regulators, as well as an awareness of industry practices and the emerging cybersecurity risks that accompany changing circumstances. Much as technology does not stop advancing, the legislative framework governing the relevant threats must also adapt to keep pace with developments.

The Draft Bill would potentially affect stakeholders such as cloud service providers and data centre operators, both through its designation of new categories of entities falling within the scope of the Cybersecurity Act and through the series of duties it would impose on such entities. The form the Draft Bill eventually takes when introduced in Parliament therefore bears watching.

AUTHOR INFORMATION:

Rajesh Sreenivasan is Partner and Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: rajesh@rajahtann.com

Steve Tan is Partner and Deputy Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: steve.tan@rajahtann.com

Benjamin Cheong is Partner and Deputy Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: benjamin.cheong@rajahtann.com

Lionel Tan is a Partner in the Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: lionel.tan@rajahtann.com