The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) invite the public to provide feedback on the proposed Cybersecurity Bill. The public consultation exercise will run from 10 July to 3 August 2017.
Fast-evolving cybersecurity landscape
2 Cyber-attacks are getting increasingly frequent, sophisticated and impactful. Globally, we have also seen a surge in the number of cybersecurity incidents, such as ransomware, cyber theft, banking fraud, cyber espionage and disruptions to Internet services. In Singapore, the recent Advanced Persistent Threat (APT) attacks targeting two of our universities, and the occurrence of the global WannaCry and Petya/Petna ransomware attacks which also reached our shores, serve as stark reminders of Singapore’s vulnerability to cyber threats.
3 Around the world, attacks on systems that run utility plants, transportation networks, hospitals and other essential services are growing. Successful attacks can and have resulted in significant financial losses and disruptions to daily lives. Hence, the protection of our Critical Information Infrastructure1 (CIIs) which are necessary for the continuous delivery of Singapore’s essential services is a cornerstone of the proposed Bill.
The need for a new Cybersecurity Bill
4 As a small nation with one of the highest levels of digital connectivity in the world, a major cyber-attack, especially if our CIIs are affected, will have significant impact on Singapore and our people.
5 Singapore takes cybersecurity threats seriously and has taken steps to address these threats. In April 2015, the Government set up the Cyber Security Agency of Singapore (CSA), as the central agency to oversee and coordinate all aspects of cybersecurity for the nation. In October 2016, Prime Minister Lee Hsien Loong launched Singapore’s Cybersecurity Strategy with the aim to create a resilient and trusted cyber environment for Singapore and our residents.
6 Against the backdrop of proliferating cyber incidents globally and locally, it is imperative that we take a pro-active and holistic approach to strengthen our resilience against cyber-attacks, especially for CIIs. For Singapore to effectively address increasingly sophisticated threats to national cybersecurity, a new cybersecurity legislation is needed.
7 The proposed Cybersecurity Bill will establish a framework for the oversight and maintenance of national cybersecurity in Singapore, and will empower CSA to carry out its functions. The Bill also aims to minimise the risks of cybersecurity threats, and ensure that we can better deal with attacks when they happen. The Bill has four objectives:
a. To provide a framework for the regulation of CII owners (CIIOs). This formalises the duties of CIIOs in ensuring the cybersecurity of CIIs under their responsibility, even before a cybersecurity incident has occurred. The CIIOs’ responsibilities in protecting their respective CIIs will be spelt out, and the Act will empower sector leads to raise the level of cybersecurity within their own sectors.
b. To provide CSA with powers to manage and respond to cybersecurity threats and incidents. The powers in section 15A of the current Computer Misuse and Cybersecurity Act (CMCA), which pertain to cybersecurity, were enacted before the formation of CSA. Specific powers will be vested in CSA officers as sitting powers, instead of the current mode of exercise that requires a Minister to authorise each and every use of such powers. This will allow CSA officers to deal with fast-moving cybersecurity threats and incidents expediently.
c. To establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. Information sharing is key to cybersecurity. Under the Cybersecurity Bill, CSA will be able to receive and share information with relevant parties, for the purpose of preventing, detecting, countering or investigating any cybersecurity threat or incident.
d. To introduce a light-touch licensing framework for the regulation of selected cybersecurity service providers. For a start, the Bill proposes licensing the provision of penetration testing and managed security operations centre (SOC) services. The need for credible cybersecurity services will grow as cybersecurity risks become more mainstream. The proposed licensing framework aims to help provide greater assurance of safety and security to consumers of cybersecurity services, address information asymmetry in the industry and provide for improving the standards of cybersecurity service providers and professionals.
Submission of feedback
8 The public consultation paper and procedures for submission of feedback are available on the REACH public consultation portal at https://www.reach.gov.sg and CSA’s official website at www.csa.gov.sg from 10 July 2017. Public may provide feedback to email@example.com. All submissions should reach MCI/CSA no later than 3 August 2017, 5 pm.
9 Please refer to Annex for the full public consultation document.
1 A critical information infrastructure (“CII”) is a computer or computer systems that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the security, economy, public health, public safety or public order of Singapore. CIIs may be owned by public or private organisations and may be located wholly or partly in Singapore. Today, the CIIs fall under 11 critical sectors: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10), Security and Emergency Services, (11) Water.
MINISTRY OF COMMUNICATIONS AND INFORMATION AND CYBER SECURITY AGENCY OF SINGAPORE
For media clarifications, please contact:
Cyber Security Agency of Singapore
Chen Jingxuan, Senior Manager, Communications and Engagement Office
DID: +65 6323 5112 | Email: CHEN_Jingxuan@csa.gov.sg
Connie Lee, Senior Assistant Director, Communications and Engagement Office
DID: +65 6323 5010 | Email: Connie_lee@csa.gov.sg
28 July 2017
In response to requests to extend the deadline for the submission of responses to the “Public Consultation Paper on the Draft Cybersecurity Bill”, MCI and CSA have decided to extend the deadline for submissions to 12 noon, 24 August 2017. We look forward to receiving feedback on the draft bill.