Singapore’s Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) are seeking feedback on a proposed cybersecurity bill that will place security breach prevention responsibilities on those that own and operate critical information infrastructure (CII).
CII includes computer systems essential to continuous service delivery of Singapore’s essential services. For the purposes of this Bill, there are eleven CIIs: banking and finance, energy, government, healthcare, infocomm, land transport, maritime, media, security and emergency services and water.
According to Check Point, the most significant measure listed in the Bill is that CII senior executives are now accountable for security incidents, with more oversight from the CSA.
"A licensing framework for the regulation of penetration testing and managed security service providers to ensure that only licensed vendors provide such services will also be introduced. Once again, the Singapore government is on the forefront of providing the legal framework for investigations into and responses for all cybersecurity incidents," Check Point explains.
KPMG Singapore’s head of cyber security, Daryl Pereira, says that SMEs and healthcare have been somewhat ignored as the banking sector takes the security limelight.
He believes this gap has allowed attackers to go after CII such as healthcare providers and hospitals.
“The proposed Cybersecurity Bill, specifically the framework for the protection of CII, seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline,” he says.
“This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness.”
According to Check Point, each CII owner is expected to comply with measures.
"These include undertaking regular risk assessments and engaging with approved third parties for the purpose of system audits. Should the CII owners not possess the required skills internally, it will be necessary to undergo the necessary training and/or hire individuals with the desired skill sets," Check Point states.
"It should be noted that the measures imposed by the Cyber Security Bill fall mainly within the scope of governance, risk management and compliance (GRC) activities. This aims to ensure each CII owner will perform the necessary due diligence to safeguard the security of the critical infrastructure we depend on. CII owners will also be expected to work collaboratively with the Commissioner of Cyber Security," Check Point continues.
The bill says that as cyber attacks become faster and more sophisticated, Singapore is vulnerable to threats such as ransomware and the APT attacks that hit two of the country’s universities.
“Around the world, attacks on systems that run utility plants, transportation networks, hospitals and other essential services are growing. Successful attacks can and have resulted in significant financial losses and disruptions to daily lives. Hence, the protection of our Critical Information Infrastructure (CIIs) which are necessary for the continuous delivery of Singapore’s essential services is a cornerstone of the proposed Bill,” MCI states.
MCI remains committed to Singapore’s cybersecurity: In April 2015 the Government launched CSA and in October 2016, Prime Minister Lee Hsien Loong launched the country’s Cybersecurity Strategy.
The proposed bill aims to accomplish four tasks:
Public consultations are open now and close on August 3, 2017 at 5pm. Interested parties can find out more from reach.gov.sg and csa.gov.sg.