Singapore Govt seeks feedback on cybersecurity bill for critical information infrastructure

11 Jul 2017

Singapore’s Ministry of Communication and Information (MCI) and the Cyber Security Agency of Singapore (CSA) are seeking feedback on a proposed cybersecurity bill that will place security breach prevention responsibilities on those that own and operate critical information infrastructure (CII).

CII includes computer systems essential to continuous service delivery of Singapore’s essential services. For the purposes of this Bill, there are eleven CIIs: banking and finance, energy, government, healthcare, infocomm, land transport, maritime, media, security and emergency services and water.

According to Check Point, the most significant measure listed in the Bill is that CII senior executives are now accountable for security incidents, with more oversight from the CSA.

"A licensing framework for the regulation of penetration testing and managed security service providers to ensure that only licensed vendors provide such services will also be introduced. Once again, the Singapore government is on the forefront of providing the legal framework for investigations into and responses for all cybersecurity incidents," Check Point explains.

KPMG Singapore’s head of cyber security, Daryl Pereira, says that SMEs and healthcare have been somewhat ignored as the banking sector takes the security limelight.

He believes this gap has allowed attackers to go after CII such as healthcare providers and hospitals.

“The proposed Cybersecurity Bill, specifically the framework for the protection of CII, seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline,” he says.

“This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness.”

According to Check Point, each CII owner is expected to comply with measures.

"These include undertaking regular risk assessments and engaging with approved third parties for the purpose of system audits. Should the CII owners not possess the required skills internally, it will be necessary to undergo the necessary training and/or hire individuals with the desired skill sets," Check Point states.

"It should be noted that the measures imposed by the Cyber Security Bill fall mainly within the scope of governance, risk management and compliance (GRC) activities. This aims to ensure each CII owner will perform the necessary due diligence to safeguard the security of the critical infrastructure we depend on. CII owners will also be expected to work collaboratively with the Commissioner of Cyber Security," Check Point continues.

The bill says that as cyber attacks become faster and more sophisticated, Singapore is vulnerable to threats such as ransomware and the APT attacks that hit two of the country’s universities.

“Around the world, attacks on systems that run utility plants, transportation networks, hospitals and other essential services are growing. Successful attacks can and have resulted in significant financial losses and disruptions to daily lives. Hence, the protection of our Critical Information Infrastructure (CIIs) which are necessary for the continuous delivery of Singapore’s essential services is a cornerstone of the proposed Bill,” MCI states.

MCI remains committed to Singapore’s cybersecurity: In April 2015 the Government launched CSA and in October 2016, Prime Minister Lee Hsien Loong launched the country’s Cybersecurity Strategy.

The proposed bill aims to accomplish four tasks:

  • To provide a framework for CII owners (CIIOs). CIIOs will become responsible for CIIs under their care before an incident has occurred. The government believes this will also empower sector leads to raise cybersecurity levels in their own sectors.
  • To give CSA powers to manage and respond to cybersecurity threats and incidents. CSA will be able to take charge of threats, rather than going through a Minister to authorise specific powers.
  • To provide a framework for information sharing and its protection through CSA. CSA will be able to share information with relevant stakeholders to prevent, detect, counter or investigate security threats or incidents.
  • To regulate ‘selected’ cybersecurity providers with a ‘light-touch licensing framework’. Specifically, the bill seeks to licence penetration testing and security operations centre services. The move is not to stifle competition, but to provide greater safety and security services to consumers, address conflicting industry information and improve security provider standards.

Public consultations are open now and close on August 3, 2017 at 5pm. Interested parties can find out more from and
