Singapore passes Cybersecurity Bill for nation's critical infrastructure providers
Singapore’s parliament has successfully passed the country’s Cybersecurity Bill into law this week after months of drafting and feedback from the public.
Singapore’s overall cybersecurity strategy puts data protection, critical information infrastructure, threat intelligence and international partnerships at the forefront of its agenda, and the Cybersecurity Bill is now one part of that strategy.
The Cybersecurity Bill is mainly concerned with strengthening resilience and cybersecurity in Singapore’s 11 critical infrastructure sectors.
These sectors are:
- Banking and finance
- Security and emergency services
- Land transport
The Bill aims to appoint a Commissioner and make critical information infrastructure (CII) providers more responsible for Singapore’s CII security.
At a parliamentary sitting this week, Minister for Communication and Information Dr Yaacob Ibrahim explained the bill in detail – and some of the concerns it may bring to the table.
Its first aim is to appoint a Commissioner of Cybersecurity and Assistant Commissioners of Cybersecurity.
These Commissioners will oversee and maintain Singapore’s security and work across 13 areas of responsibility including threat monitoring, threat awareness and working to identify and develop codes of practice for critical information infrastructures (CIIs).
Ibrahim says that the chief executive of the Cyber Security Agency of Singapore (CSA) will be appointed Commissioner. The Assistant Commissioners will represent their sectors and most CIIs will interact with the Assistant Commissioner within their sector.
Some MPs questioned the Commissioner’s powers and whether they would be a concern for privacy; however, Ibrahim says the investigation powers are calibrated and limited depending on the threat.
Another aim is to identify CIIs and their owners, and to form strict security protocols for CII operations.
This applies to the Singapore Government’s existing engagement with CII stakeholders. It has already consulted regulators and potential CII owners and will contact any new owners before they are designated. Those potential owners are free to appeal to the Minister against the decision.
CIIs will have increased responsibilities for operation, maintenance, incident reporting, audits and participation in national cybersecurity exercises, and they must comply with written direction from the Commissioner.
One MP pointed out that CII owners could feel burdened by reporting responsibilities. All CII owners will need to report incidents that occur on or affect their CIIs. Non-compliance could result in fines of up to $100,000 or two years in prison. In some cases, both may be handed down as sentences.
“As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder,” Ibrahim responds.
Third-party supply chain organisations that supply services to those designated as CIIs are not considered owners of that CII and do not have any extra responsibilities.
“Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government,” Ibrahim says.
Ibrahim’s entire closing speech is available on MCI’s website.