Singapore passes Cybersecurity Bill for nation's critical infrastructure providers

07 Feb 2018

Singapore’s parliament has successfully passed the country’s Cybersecurity Bill into law this week after months of drafting and feedback from the public.

Singapore’s overall cybersecurity strategy puts data protection, critical information infrastructure, threat intelligence and international partnerships at the forefront of its agenda, and the Cybersecurity Bill is now one part of that strategy.

The Cybersecurity Bill is mainly concerned with strengthening resilience and cybersecurity in Singapore’s 11 critical infrastructure sectors.

These sectors are:

  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

The Bill aims to appoint a Commissioner and make critical information infrastructure (CII) providers more responsible for Singapore’s CII security.

At a parliamentary sitting this week, Minister for Communication and Information Dr Yaacob Ibrahim explained the bill in detail – and some of the concerns it may bring to the table.

Its first aim is to appoint a Commissioner of Cybersecurity and Assistant Commissioners of Cybersecurity.

These Commissioners will oversee and maintain Singapore’s security and work across 13 areas of responsibility including threat monitoring, threat awareness and working to identify and develop codes of practice for critical information infrastructures (CIIs).

Ibrahim says that the chief executive of the Cyber Security Agency of Singapore (CSA) will be appointed Commissioner. The Assistant Commissioners will represent their sectors and most CIIs will interact with the Assistant Commissioner within their sector.

Some MPs questioned the Commissioner’s powers and whether they would be a concern for privacy; however, Ibrahim says the investigation powers are calibrated and limited depending on the threat.

Another aim is to identify CIIs and their owners, and to form strict security protocols for CII operations.

This applies to the Singapore Government’s existing engagement with CII stakeholders. It has already consulted regulators and potential CII owners and will contact any new owners before they are designated. Those potential owners are free to appeal to the Minister against the decision.

CIIs will have increased responsibilities for operation, maintenance, incident reporting, audits and participation in national cybersecurity exercises, and they must comply with written direction from the Commissioner.

One MP pointed out that CII owners could feel burdened by reporting responsibilities. All CII owners will need to report incidents that occur on or affect their CIIs. Non-compliance could result in fines of up to $100,000 or two years in prison. In some cases, both may be handed down as sentences.

“As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder,” Ibrahim responds.

Third-party supply chain organisations that supply services to those designated as CIIs are not considered owners of those CIIs and do not have any extra responsibilities.

“Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government,” Ibrahim says.

Read Ibrahim’s entire closing speech on MCI’s website here.
