27 February 2018
On 5 February 2018, the Cybersecurity Bill (“Bill”) was passed in Parliament. Introduced in Parliament on 8 January 2018, the Bill seeks to establish a framework for the protection of critical information infrastructure (“CII”) against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services. Although passed, the Bill is not yet in force.
Key highlights of speeches delivered at second reading of Bill
The Minister for Communications and Information, Dr Yaacob Ibrahim, gave an Opening Speech and a Closing Speech during the second reading of the Bill in Parliament. Set out below are the key highlights of the two speeches:
- Chief Executive of CSA to administer Bill as Commissioner: The Chief Executive of CSA will administer the Bill as the Commissioner of Cybersecurity (“Commissioner”) to be appointed by the Minister-in-charge of Cybersecurity (“Minister”).
- CSA working closely with foreign counterparts to investigate cybersecurity threats and incidents originating overseas: To facilitate investigations of cybersecurity threats and incidents that may originate overseas, significant efforts have been made to develop strong international partnerships and linkages with overseas Computer Emergency Response Teams (CERTs). CSA will work closely with its foreign counterparts for such investigations.
- Powers of Commissioner to designate CII: The Bill allows the Commissioner to designate as CII computers and computer systems necessary for the continuous delivery of essential services in Singapore. Overall, a significant majority of such systems are based wholly or partly in Singapore, and owners of CII that are partly located in Singapore will still have to comply with their obligations under the Bill.
For computer systems serving important functions in Singapore that are located wholly outside Singapore, while Singapore may be able to work with relevant international organisations to ensure the cybersecurity of the systems in question, Singapore cannot control such systems by designating them as CII under the Bill as they are outside Singapore’s jurisdiction.
- No need for organisations to make self-assessments on whether computer or computer systems fulfil CII criteria: There is no need for organisations to make self-assessments as to whether their computer or computer systems fulfil the criteria of a CII.
- Consultative process for designation of CII and avenue for appeal against designation: Prior to designating a computer or computer system as a CII, CSA will first consult its owner and the relevant sector regulator to identify whether the computer or computer system is responsible for the provision of any of the essential services listed in the Bill. Organisations whose computers or computer systems are designated as CII will be notified in writing. MCI and CSA have already consulted with the sector regulators in identifying potential CII, and engaged potential CII owners twice since July 2016. Hence, potential CII owners would already know who they are.
The process for identifying and designating new CII in the future will be similarly consultative.
CII owners will be given an opportunity to submit representations to the Commissioner if they disagree with the Commissioner's decision. They may also appeal against the designation to the Minister, whose decision will be final.
- CSA to rely on existing sector audit regimes, provide audit guidance and track audit outcomes: CII owners are required under the Bill to conduct regular cybersecurity audits to ensure their obligations are met. CSA plans to tap on existing sector audit regimes to ensure that the security measures are effective in protecting CII. To achieve an acceptable standard of practice, CSA will provide audit guidance to auditors and track the audit outcomes.
- No need to report cybersecurity incident concerning infrastructure not connected to CII: All CII owners, regardless of whether they are local or foreign companies, will need to report to CSA cybersecurity incidents that occur on or that affect their CII. There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII.
- CSA to provide further guidance on incident reporting: A cybersecurity incident on a CII is defined as an act or activity carried out without lawful authority on or through the CII, that jeopardises or adversely affects its cybersecurity. When exercising its powers, the Commissioner will be mindful that the owners of the computer systems in question are typically also victims. CSA will be providing further details to guide CII owners on incident reporting, such as the relevant forms and guidelines to refer to.
- CSA has developed Cybersecurity Legislation Initialisation Programme for Sector Leads: To assist CII owners and their staff in getting ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialisation Programme for Sector Leads, or CLIPS, to work with the CII sector regulators to prepare CII owners for their obligations under the Bill.
- No funding from MCI and CSA to offset compliance costs: MCI and CSA will not provide funding to offset the costs of CII obligations which are regulatory requirements.
- Information shared under Bill cannot be used for enforcement under sectoral regulations: Information shared with CSA under the Bill cannot be used for enforcement action against the CII owners under sectoral regulations. However, the Bill provides for the sharing of information in certain circumstances, such as for the purposes of prosecution under the Bill, or for disclosure to the police of any information which reveals the commission of an offence under the Computer Misuse Act.
- CSA to consider providing guidelines on what to do during investigations of cybersecurity threats or incidents: The investigation powers under the Bill are calibrated and there are limits to the investigation powers that can be exercised depending on the severity of the threat or incident. How an incident will be classified depends on the facts of the case at hand. There will be a governance process within CSA to ensure investigation powers are exercised responsibly and in accordance with the Bill. CSA will also consider providing guidelines to the public, to advise owners of computer systems on what they should do during such investigations of cybersecurity threats or incidents.
- Owner of computer or computer system to be consulted or notified in investigations: The Commissioner will determine the appropriate measures to take during investigations of cybersecurity threats and incidents, in consultation with the owner of the computer or computer system wherever possible, regardless of the type of computer system or technology involved, including cloud services. Prior to deploying more intrusive investigation tools, such as network-scanning software, which are necessary when responding to cybersecurity incidents, CSA will wherever possible notify the computer system owners and follow appropriate protocols.
- Information to be provided is primarily technical and not personal in nature: The powers under the Bill are not intended to intrude into privacy. The measures and requirements are mainly technical, operational or procedural in nature. Any information required under the Bill to deal with cybersecurity threats or incidents will be primarily technical and not personal in nature. For example, to aid in the detection of cybersecurity threats, information such as network logs, indicators of compromise as well as system event and audit logs may be requested.
- Light-touch licensing framework: The licensing framework is deliberately light-touch in view of the need to strike a good balance between industry development and cybersecurity needs. All providers of licensable cybersecurity services (penetration testing and managed security operations centre (SOC) monitoring), regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. However, companies providing such services to their related companies are not required to be licensed.
- MCI and CSA to engage industry on implementation details for licensing: MCI and CSA will be engaging the industry in working out the implementation details for licensing, including licensing conditions for licensable cybersecurity service providers. Feedback will be sought from the industry on the licensing regime as the cybersecurity ecosystem evolves.
- Cybersecurity Bill
- Opening speech for second reading on Cybersecurity Bill
- Closing speech for second reading on Cybersecurity Bill