Story image

Singapore passes Cybersecurity Bill for nation's critical infrastructure providers

07 Feb 18

Singapore’s parliament has successfully passed the country’s Cybersecurity Bill into law this week after months of drafting and feedback from the public.

Singapore’s overall cybersecurity strategy puts data protection, critical information infrastructure, threat intelligence and international partnerships at the forefront of its agenda and the Cybersecurity Bill is now one part of that strategy.

The Cybersecurity Bill is mainly concerned with strengthening the resilience and cybersecurity in Singapore’s 11 critical infrastructure sectors.

These sectors are:

  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

The Bill aims to appoint a Commissioner and make critical infrastructure (CII) providers more responsible for Singapore’s CII security.

At a parliamentary sitting this week, Minister for Communication and Information Dr Yaacob Ibrahim explained the bill in detail – and some of the concerns it may bring to the table.

Its first aim is to appoint a Commissioner of Cybersecurity and Assistant Commissioners of Cybersecurity

These Commissioners will oversee and maintain Singapore’s security and work across 13 areas of responsibility including threat monitoring, threat awareness and working to identify and develop codes of practice for critical information infrastructures (CIIs).

Ibrahim says that the chief executive of the Cyber Security Agency of Singapore (CSA) will be appointed Commissioner. The Assistant Commissioners will represent their sectors and most CIIs will interact with the Assistant Commissioner within their sector.

Some MPs questioned the Commissioner’s powers and whether they would be a concern for privacy, however Ibrahim says the investigation powers are calibrated and limited depending on the threat.

Another aim is to identify CIIs, their owners and form strict security protocols for CII operations

This applies to the Singapore Government’s existing engagement with CII stakeholders. It has already consulted regulators and potential CII owners and will contact any new owners before they are designated. Those potential owners are free to appeal to the Minister against the decision.

CIIs will have increased responsibilities for operation; maintenance; incident reporting; audits; participation in national cybersecurity exercises; and they must comply with written direction from the Commissioner.

One MP pointed out that CII owners could feel burdened by reporting responsibilities. All CII owners will need to report incidents that occur on or affect their CIIs. Non-compliance could result in fines of up to $100,000 or two years in prison. In some cases, both may be handed down as sentences.

“As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder,” Ibrahim responds.

Third party supply chain organisations that supply services to those designated as CIIs are not considered an owner of that CII and do not have any extra responsibilities.

“Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government,” Ibrahim says.

Read Ibrahim’s entire closing speech on MCI’s website here.

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.