Singapore’s Ministry of Communication and Information (MCI) and the Cyber Security Agency of Singapore (CSA) are seeking feedback on a proposed cybersecurity bill that will place security breach prevention responsibilities on those that own and operate critical information infrastructure (CII).
CII includes computer systems essential to continuous service delivery of Singapore’s essential services. For the purposes of this Bill, there are eleven CIIs: Banking and finance, energy, government, healthcare, infocomm, land transport, maritime, media, secutiry and emergency services and water.
According to Check Point, the most significant measure listed in the Bill is that CII senior executives are no accountable for security incidents, with more oversight from the CSA.
"A licensing framework for the regulation of penetration testing and managed security service providers to ensure that only licensed vendors provide such services will also be introduced. Once again, the Singapore government is on the forefront of providing the legal framework for investigations into and responses for all cybersecurity incidents," Check Point explains.
KPMG Singapore’s head of cyber security, Daryl Pereira, says that SMEs and healthcare have been somewhat ignored as the banking sector takes the security limelight.
He believes this gap has allowed attackers to go after CII such as healthcare providers and hospitals.
“The proposed Cybersecurity Bill, specifically the framework for the protection of CII, seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline,” he says.
“This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness.”
According to Check Point, each CII owner is expected to comply with measures.
"These include undertaking regular risk assessments and engaging with approved third parties for the purpose of system audits. Should the CII owners not possess the required skills internally, it will be necessary to undergo the necessary training and/or hire individuals with the desired skill sets," Check Point states.
It should be noted that the measures imposed by the Cyber Security Bill fall mainly within the scope of governance, risk management and compliance (GRC) activities. This aims to ensure each CII owner will perform the necessary due diligence to safeguard the security of the critical infrastructure we depend on. CII owners will also be expected to work collaboratively with the Commissioner of Cyber Security," Check Point continues.
The bill says that as cyber attacks become faster and sophisticated, Singapore is vulnerable to threats such as ransomware and the APT attacks that hit two of the country’s universities.
“Around the world, attacks on systems that run utility plants, transportation networks, hospitals and other essential services are growing. Successful attacks can and have resulted in significant financial losses and disruptions to daily lives. Hence, the protection of our Critical Information Infrastructure (CIIs) which are necessary for the continuous delivery of Singapore’s essential services is a cornerstone of the proposed Bill,” MCI states.
MCI remains committed to Singapore’s cybersecurity: In April 2015 the Government launched CSA and in October 2016, Prime Minister Lee Hsien Loong launched the country’s Cybersecurity Strategy.
The proposed bill aims to accomplish four tasks:
- To provide a framework for CII owners (CIIOs). CIIOs will become responsible for CIIs under their care before an incident has occurred. The government believes this will also empower sector leads to raise cybersecurity levels in their own sectors.
- To give CSA powers to manage and respond to cybersecurity threats and incidents. CSA will be able to take charge of threats, rather than going through a Minister to authorise specific powers.
- To provide a framework for information sharing and its protection through CSA. CSA will be able to share information with relevant stakeholders to prevent, detect, counter or investigate security threats or incidents
- To regulate ‘selected’ cybersecurity providers with a ‘light-touch licensing framework’. Specifically, the bill seeks to licence penetration testing and security operations centre services. The move is not to stifle competition, but to provide greater safety and security services to consumers, address conflicting industry information and improve security provider standards.
Public consultations are open now and close on August 3, 2017 at 5pm. Interested parties can find out more from reach.gov.sg and csa.gov.sg.