30 January 2024

The Cyber Security Agency of Singapore (“CSA”) conducted a public consultation between 15 December 2023 and 15 January 2024 on a draft Cybersecurity (Amendment) Bill (“draft Bill”). The draft Bill seeks to ensure that Singapore’s cybersecurity laws remain fit-for-purpose and can address emerging challenges in cyberspace.

The draft Bill will amend the Cybersecurity Act 2018 (“Act”) to introduce new provisions relating to critical information infrastructure (“CII”), foundational digital infrastructure (“FDI”), entities of special cybersecurity interest (“ESCIs”), and systems of temporary cybersecurity concern (“STCC”).

A summary of the key proposed changes is set out below.

Critical information infrastructure (CII)

In the first iteration of the Act in 2018, a framework was established to protect and safeguard the cybersecurity of Singapore’s CII, and this culminated in Part 3 of the Act. CII are computers or computer systems that are necessary for the continuous delivery of essential services in Singapore. Since 2018, the technological and business contexts for the delivery of essential services have changed. Advances in virtual computing and the availability of a wider and more sophisticated range of computing services today have unlocked greater business efficiency and service quality.

To facilitate new business models involving the use of computing, CSA is proposing a new Part 3A to the Act to facilitate the use of computing vendors. However, the responsibility for the cybersecurity of the essential service must still, ultimately, rest with the provider of the essential service. The proposed new Part 3A will allow the Commissioner of Cybersecurity (“Commissioner”) to subject such providers of essential services to duties designed to ensure that the cybersecurity outcomes Part 3 was designed to bring about continue to hold even if they choose to make use of non-provider-owned CII from a computing vendor.

Under the proposed Part 3A, the provider of essential services will be required to obtain legally binding commitments from their computing vendor to ensure that the provider of the essential service is able to discharge its duties under the Act.

Foundational digital infrastructure

CSA’s position is that major providers of digital infrastructure that provide infrastructural services of a foundational nature should bear the responsibility for ensuring the cybersecurity and resilience of the foundational digital infrastructure (“FDI”) service they provide. As the Government’s national cybersecurity authority, CSA seeks to ensure that appropriate cybersecurity safeguards are in place.

CSA proposes to introduce a new Part 3B to the Act to empower:

  • the Minister to specify the types of services that would be regulated as FDI services in a new Third Schedule to the Act, provided that the service is one that promotes the availability, latency, throughput or security of digital services;
  • the Commissioner to designate a provider of FDI services as a major FDI service provider, if the Commissioner is satisfied that the FDI service provider provides an FDI service to or from Singapore, and the impairment or loss of the provision of the FDI service could lead to or cause disruption to a large number of businesses or organisations that rely on or are enabled by the FDI service;
  • the Commissioner to grant a time extension to the designation of a major FDI service provider before the expiry of the designation if the Commissioner is of the opinion that the designation criteria continue to be fulfilled; and
  • the Commissioner to withdraw the designation of a major FDI service provider if the Commissioner is of the opinion that the designation criteria are no longer fulfilled.

Once designated, a major FDI service provider would be subject to several duties.

Entities of special cybersecurity interest (ESCIs)

There are certain types of entities that are particularly attractive targets of malicious threat actors seeking to compromise a state because of the sensitive data that they possess or the function that they perform.

CSA proposes to introduce a new Part 3C to the Act to empower the Commissioner to:

  • designate an entity as an ESCI, if the entity stores sensitive information; or, if the entity uses computers to perform a function which, if disrupted, is likely to have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety, or public order of Singapore;
  • grant a time extension to the designation of an ESCI before the expiry of the designation if the Commissioner is of the opinion that the designation criteria continue to be fulfilled; and
  • withdraw the designation of an ESCI if the Commissioner is of the opinion that the designation criteria are no longer fulfilled.

Once designated, an ESCI would be subject to several duties.

Systems of temporary cybersecurity concern (STCC)

There have been and will be times when a computer or computer system is critical to Singapore for a time-limited period and, for that period, is at high risk of cyber-attacks. It is important to ensure the cybersecurity of these systems during these critical periods. To achieve this, CSA proposes to introduce a new Part 3D within the Act to allow the Commissioner to designate these systems and impose duties on the persons responsible for such STCC, in order to enhance CSA’s situational awareness of the cybersecurity threats and incidents targeting the STCC and to ensure that appropriate cybersecurity measures are taken to secure these STCC. Once designated, the owner of the STCC would be subject to several duties.

Other amendments

CSA is also proposing to amend the Act in relation to the monitoring powers of licensing officers and the protection of CSA-related symbols.

Reference materials

The following materials are available on the CSA website www.csa.gov.sg and REACH consultation portal www.reach.gov.sg: