Home/ Pressroom/ News + Stories

Pressroom

News + Stories

INTRODUCTION

1.     Mr Speaker, the honourable Members have raised valid concerns and good suggestions on the Cybersecurity Bill. Let me address each area in detail.

KEY AREAS

Scope of Bill

2.     Some Members [Mr Zaqy Mohamad, Mr Pritam Singh and Ms Sun Xueling] asked how the Bill will apply to systems that are providing essential services but located overseas.

3.     The Bill allows the Commissioner to designate CII, computers and computer systems necessary for the continuous delivery of essential services in Singapore. Overall, a significant majority of such systems are based wholly or partly in Singapore. Owners of CII that are partly located in Singapore will still have to comply with their obligations under the Bill.

4.     Given Singapore’s interconnectivity, it is inevitable that some computer systems serving important functions in Singapore are connected globally and may also be located wholly outside Singapore. These computer systems could also be operated by international organisations based abroad.

5.     While Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems in question, we cannot control such systems by designating them as CII under the Bill as they are outside our jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes.

6.     To facilitate investigations of cybersecurity threats and incidents that may originate overseas, the Government has made significant efforts to develop strong international partnerships and linkages with overseas Computer Emergency Response Teams (CERTs). CSA will work closely with its foreign counterparts for such investigations.

7.     Ms Joan Peirera and Mr Melvin Yong asked if the cybersecurity of CII would be affected, if their owners choose not to impose requirements on their vendors or if such vendors were not regulated.

8.     CSA will work with the sector regulators and CII owners to define the boundaries of the systems that will be designated as CII, on a case-by-case basis. CII owners are ultimately responsible for the cybersecurity of their respective CII. Many engage third-party vendors to support their CII. In deciding which vendors to engage and what conditions to impose on their vendors, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the Bill are complied with.

9.     CII owners will be required under the Bill to conduct regular cybersecurity audits to ensure that their obligations are met. This provides an added layer of assurance that the CII would be in compliance with cybersecurity codes of practice and standards of performance, as required under the Bill.

10.     Ms Thanaletchimi suggested establishing an accredited framework for a national cybersecurity audit for CII stakeholders. Audit is an important aspect of good corporate governance. There are already multiple layers of IT audit regimes established within the 11 sectors. We are mindful that another layer of national cybersecurity audit could potentially result in CII stakeholders experiencing audit fatigue. For now, CSA plans to tap on existing sector audit regimes to ensure that the security measures are effective in protecting the CII. To ensure an acceptable standard of practice, CSA will provide audit guidance to auditors and track the audit outcomes.

Determination of Essential Services and CII

11.     Mr Darryl David asked how CII and essential services are determined, while Assoc Prof Daniel Goh suggested that higher education and research institutions be considered essential services.

12.     In arriving at the list of essential services in the First Schedule, we took reference from Section 15A of the Computer Misuse and Cybersecurity Act (CMCA). We also studied the definition of “essential services” in other jurisdictions, before identifying a total of 11 sectors in Singapore delivering essential services. These sectors provide services that are essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.

13.     For each sector, CSA worked closely with the relevant sector regulator to identify the essential services within the sector, as well as the computers and computer systems that would be CII. CII are identified as computers and computer systems that are necessary for the continuous delivery of essential services, the loss or compromise of which would have a debilitating effect on the availability of the essential services in Singapore.

14.     Higher education and research institutions are not considered essential services at this point in time. Nonetheless, we do not preclude that new essential services may arise in the future, and the Minister may amend the list of essential services in the First Schedule if necessary.

15.     Mr Patrick Tay asked if there is a mechanism in place whereby organisations can check with the CSA on whether they are CII owners.

16.     There is no need for organisations to make self-assessments as to whether their computer or computer systems fulfil the criteria of a CII. Prior to designating a computer or computer system as a CII, CSA will consult its owner and the relevant sector regulator to identify whether it is responsible for the provision of any of the essential services listed in the First Schedule. Organisations whose computers or computer systems are designated as CII will be notified in writing.

17.     CII owners will be given an opportunity to submit representations to the Commissioner if they disagree with the Commissioner’s decision. They may also appeal to the Minister against the designation. The Minister’s decision on an appeal will be final.

18.     I would like to assure Members that the identification of CII is a considered and consultative process. MCI and CSA have already consulted with the sector regulators in identifying potential CII, and engaged potential CII owners twice since July 2016. Hence, potential CII owners would already know who they are.

19.     The process for identifying and designating new CII in the future will be similarly considered and consultative.

Obligations of CII Owners

20.     Some Members [Mr Zaqy Mohamad, Assoc Prof Daniel Goh, Mr Saktiandi Supaat and Ms Sun Xueling] asked whether the incident reporting and investigation requirements under the Bill could be too onerous for CII owners, especially when they are potential victims of cyber-attacks.

21.     As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder.

22.     Given the importance of CII to Singapore, it is necessary to provide for their proactive protection. For example, Clause 14 requires CII owners to establish mechanisms and processes to detect cybersecurity threats and incidents in respect of the CII. CII owners are also required to promptly report to CSA, cybersecurity incidents in relation to their CII and any computer or computer system connected with the CII that are under their control. This will enable CSA to have better oversight of incidents happening across sectors, and to take the necessary actions.

23.     There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII.

24.     Under Clauses 19 and 20, CII owners are required to cooperate with CSA during the investigation of cybersecurity threats and incidents. I will elaborate on CSA’s exercise of investigation powers later in my speech.

25.     Mr Pritam Singh asked about the incident reporting threshold for CII owners.

26.     All CII owners, regardless of whether they are local or foreign companies, will need to report to CSA cybersecurity incidents that occur on or that affect their CII. As mentioned earlier, reporting cybersecurity incidents in respect of CII is a requirement under Clause 14, and any non-compliance without reasonable excuse will be an offence. The maximum penalty is $100,000 or 2 years’ imprisonment or both.

27.     A cybersecurity incident on a CII is defined as an act or activity carried out without lawful authority on or through the CII, that jeopardises or adversely affects its cybersecurity. As Mr Pritam Singh pointed out, details of what constitutes a prescribed incident and the form and manner of reporting will be set out in subsidiary legislation.

28.     When exercising these powers, the Commissioner will be mindful that the owners of the computer systems in question are typically also victims. CSA will be providing further details to guide CII owners in incident reporting, such as relevant forms and guidelines.

29.     On the other hand, Assoc Prof Daniel Goh and Mr Louis Ng called for mandatory reporting of all cybersecurity incidents to the CSA for more holistic protection of Singapore’s cyberspace.

30.     Making the reporting of cybersecurity incidents a requirement under the Bill will be both resource intensive for CSA as well as companies in Singapore especially our SMEs. Today, all companies, including owners of computer systems that are not CII, can already voluntarily report cybersecurity incidents to CSA through SingCERT. On top of this, the Bill will provide CSA with powers to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore, including computer systems that are not CII.

31.     Ms Jessica Tan and Mr Patrick Tay asked whether there are programmes to help CII owners comply with their obligations under the Bill, while Ms Thanaletchimi suggested that staff of organisations that own CII attend cybersecurity awareness programmes. On the other hand, Ms Sun Xueling and Mr Desmond Choo asked about the time that CII owners will be given to implement cybersecurity measures.

32.     To assist CII owners and their staff in getting ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialisation Programme for Sector Leads, also termed as CLIPS, to work with the CII sector regulators to prepare CII owners for their obligations under the Bill.

33.     CLIPS will focus on establishing clarity on the roles and responsibilities between the sector regulators and the CII owners, and identifying and resolving any operational issue pertaining to the respective sectors. For example, these include harmonising policies, and streamlining audits and incident reporting processes.

34.     The need to step up protection of CII is urgent, but where necessary, CSA will also give CII owners sufficient time to undertake preparations and planning, prior to issuing the cybersecurity codes of practice or standards of performance for each sector. Assistant Commissioners, also known as ACs, are senior officers appointed from the 11 CII sectors and will be able to advise the Commissioner on the necessary requirements, taking into consideration the unique contexts and complexities of their respective sectors.

35.     Mr Zaqy Mohamad provided many useful suggestions to help CII owners meet their obligations under the Bill, including sharing best practices and benchmarks, and providing support for their R&D efforts. He also asked if the cybersecurity readiness of the CII owners will be benchmarked. Today, CSA assesses the cybersecurity readiness of the CII sectors and shares this information with CII owners to help them improve the cybersecurity of their CII. We will consider Mr Zaqy Mohamad’s other suggestions.

36.     I agree with Ms Thanaletchimi that we need to establish mechanisms to inform organisations if they are potential targets, and advise them on precautionary measures that they could take. CSA currently shares information on cybersecurity threats and vulnerabilities with the CII sectors so that appropriate actions can be taken promptly. The CERTs overseeing specific sectors also issue advisories to the operators in their respective sectors.

Cost Implications for CII Owners

37.     Several Members [Mr Pritam Singh, Mr Zaqy Mohamad, Mr Saktiandi Supaat, Ms Sun Xueling and Mr Desmond Choo] asked about the costs that CII owners and other businesses may have to incur in implementing cybersecurity measures, while Mr Patrick Tay asked whether there are any measures to ensure that compliance costs do not trickle down to consumers.

38.     Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government. This includes resourcing national-level cybersecurity infrastructure and manpower, conducting regular cybersecurity exercises to validate cybersecurity incident management processes, and deploying National Cyber Incident Response Teams (NCIRT) to respond to cybersecurity incidents.

39.     Today, many CII owners have already put in place cybersecurity measures arising from regulations in sectors such as banking and finance and infocomm. The Bill aims to strengthen the cybersecurity of CII in all sectors, including those that currently do not have any cybersecurity requirements. The requirements under the Bill have been carefully scoped and are considered not too onerous.

40.     There will be cost implications for some CII owners who will have to strengthen the cybersecurity posture of their computer systems to meet the requirements of the Bill. To minimise regulatory costs, we will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Bill and in their respective sectors, wherever possible.

41.     It is also in the interest of CII owners and their vendors to spend adequately on cybersecurity measures. They should consider not only the upfront cost of such measures, but also the cost of potential breaches, including the intangible costs arising from any damage to their reputation. If organisations follow good security-by-design practices, they will spend less overall in the long-run to fix cybersecurity issues. As Mr Ganesh Rajaram mentioned, cybersecurity will actually help companies protect their bottom line.

42. Therefore, on balance, MCI and CSA will not provide funding to offset the costs of CII obligations which are regulatory requirements.

Cybersecurity Bill Vis-à-Vis Existing Regulations

43.     Ms Sun Xueling and Mr Saktiandi Supaat asked how the Cybersecurity Bill is intended to interact with existing legislation that have cybersecurity or data protection requirements. Mr Darryl David asked how the Bill will be administered in view of existing agencies with cybersecurity roles.

44.     The Bill will apply concurrently with other laws and regulations enacted in Singapore, including existing sectoral laws. For example, in the event of a cybersecurity incident, the Telecommunications Act will continue to govern licensees under that Act for resulting telecommunications service disruptions, while the Personal Data Protection Act will continue to govern companies and individuals in the area of personal data breaches.

45.     As mentioned earlier, there are already some laws and regulations in Singapore that deal with various aspects of cybersecurity such as in the banking and finance, and infocomm sectors. In certain cases, such sectoral requirements may be more stringent or wider in scope than those in the Cybersecurity Bill. The Assistant Commissioner from the sector will play a key role in ensuring that CII owners do not face conflicting requirements under the Cybersecurity Bill and in sectoral regulations. This will help minimise the regulatory burden on CII owners.

46.     I wish to clarify that we are not establishing a new agency under the Bill – the Chief Executive of CSA will be appointed as the Commissioner, and he will be supported by CSA staff and the Assistant Commissioners who are intended to be senior officers from the sector regulators. In many instances, the CII owners will interact with the Assistant Commissioners appointed from their sectors. For example, CII owners in the banking and finance sector will interact with an Assistant Commissioner, who will be a senior officer appointed from MAS, for requirements under the Bill.

47.     I want to highlight that information shared with CSA under the Cybersecurity Bill cannot be used for enforcement action against the CII owners under sectoral regulations.

48.     Mr Zaqy Mohamad and Mr Saktiandi Supaat asked about the relationship between the Cybersecurity Bill and the Computer Misuse Act (CMA). Mr Darryl David asked how the Government would deal with individuals who hack into a website to spread falsehoods, while Mr Henry Kwek asked for a re-examination of the penalties for misuse of access to data especially if the perpetrators are cybersecurity professionals.

49.     The Cybersecurity Bill and CMA are complementary, given that cybersecurity and cybercrime are closely related. The Cybersecurity Bill provides for investigation powers in Clauses 19 and 20. These investigation powers apply only to the assessment of the impact of cybersecurity threats and incidents, and to the prevention of further harm and further incidents from arising. The investigation of cybercrimes and prosecution of their perpetrators are different issues covered by the CMA. Hence, it is important that the Cybersecurity Bill and the CMA are kept separate.

50.     The Bill provides for the protection of CII in Singapore and ensures that CII owners maintain a necessary level of cybersecurity awareness, protection and vigilance against cybersecurity threats and incidents. This would also make them less vulnerable to cybercrime.

51.     The unauthorised access to or modification of computer material and the unauthorised use of computer service are cybercrimes which are offences under the CMA. The CMA is under the purview of the Ministry of Home Affairs (MHA) and the Police. Depending on the facts of the case, cybersecurity professionals who misuse their access to data may be prosecuted under the CMA. CSA, with the investigation powers under the Cybersecurity Bill, will work with MHA and the Police to better protect computer systems in Singapore, especially CII, against cybersecurity incidents.

52.     However, neither the CMA nor this Bill is intended to address the threat of fake news.

Safeguards on Commissioner’s Powers

53.     Several MPs [Mr Zaqy Mohamad, Mr Patrick Tay, Mr Desmond Choo, Ms Sun Xueling, Mr Darryl David, Mr Pritam Singh and Mr Saktiandi Supaat] asked about the broad investigation powers provided to the Commissioner by the Bill, including whether such powers would curtail innovation or intrude into personal privacy and how such powers would be used judiciously.

54.     As mentioned in my opening speech, the investigation powers under Part 4 of the Bill are calibrated and there are limits to the investigation powers that can be exercised depending on the severity of the threat or incident. How an incident will be classified depends on the facts of the case at hand. To be clear, all organisations, regardless of whether they are local or foreign, are required to cooperate with CSA during the investigation of cybersecurity threats and incidents pertaining to computers or computer systems in Singapore.

55.     We recognise the need to balance operational expediency with the proportionate and judicious exercise of power. Investigation officers cannot investigate and remove equipment “at any time”.

56.     For example, the Commissioner’s authorisation is required before cybersecurity officers and authorised officers can exercise more intrusive investigation powers under Clause 20. There will be a governance process within CSA to ensure that the investigation powers are exercised responsibly and in accordance with the Bill. CSA will also consider providing guidelines to the public, to advise owners of computer systems on what they should do during such investigations of cybersecurity threats or incidents.

57.     Also, the Commissioner will determine the appropriate measures to take during investigations of cybersecurity threats and incidents, in consultation with the owner of the computer or computer system wherever possible. To address Asst Prof Mahdev Mohan’s point, this will be the case regardless of the type of computer system or technology involved including cloud services.

58.     For example, the Commissioner may take possession of any computer or equipment to carry out further examination or analysis with the consent from the owner. However, if there is no consent from the owner, Clause 20(5) clearly sets out the conditions that must be met before the Commissioner can authorise the exercise of this power. The conditions are as follows:

a.     First, this is necessary for the purposes of the investigation;
b.     Second, there is no less disruptive method of achieving the purpose of the investigation; and
c.     Third, this can only be done after consultation with the owner, and having considered the importance of the computer to the business and operational needs of the owner, that the benefit of the action outweighs the detriment caused to the owner.


59.     Prior to deploying more intrusive investigation tools such as network-scanning software which are necessary when responding to cybersecurity incidents, CSA will wherever possible notify the computer system owners and follow appropriate protocols.

60.     Let me assure the House that the powers under the Bill are not intended to intrude into privacy. The measures and requirements are mainly technical, operational or procedural in nature. For example, CII owners may be required to implement network perimeter defence devices such as firewalls, or to perform regular vulnerability scanning of their systems to identify potential loopholes. These measures are non-intrusive with respect to personal privacy.

61.     I would also like to assure Members that any information required under the Bill to deal with cybersecurity threats or incidents will be primarily technical and not personal in nature. For example, to aid in the detection of cybersecurity threats, information such as network logs, indicators of compromise as well as system event and audit logs may be requested.

62.     Furthermore, the Commissioner’s requests for information from CII owners are carefully scoped for specific purposes, such as information pertaining to the technical design and configuration of a CII. The Commissioner does not have direct or continuous access to the data of any CII owner.

63.     As mentioned in my opening speech, the Bill protects information disclosed to CSA under the Bill by requiring persons who obtain it in the course of performing their functions or discharging their duties under the Bill to keep it confidential, and by specifying the circumstances under which it can be disclosed. Misuse of the information by the Commissioner or other specified officers will be a criminal offence.

64.     With the exception of Clause 23, the Bill does not require persons to disclose any information that is prohibited by any other law. The powers under Clause 23, which are for emergency cybersecurity measures, are not new and were taken from S15A of the CMCA.

65.     We have also further scoped Clause 23 to be tighter than the existing S15A of the CMCA, to make clear that action can only be taken against serious and imminent threats, and not just any cyber threat to the national security, essential services, defence or the foreign relations of Singapore. The Minister is constrained by the language of Clause 23 when exercising his powers. His discretion is not unfettered.

Scope of Licensing Framework and Cybersecurity Ecosystem Development

66.     Mr Christopher de Souza asked whether the Bill would cover less mainstream cybersecurity services such as white-hat or ethical hackers, while Mr Melvin Yong asked if the Ministry could consider encouraging a local community of white-hats.

67.     On the other hand, Mr Saktiandi Supaat asked whether cybersecurity freelancers need to be regulated, while some Members [Mr Zaqy Mohamad and Ms Joan Peirera] spoke about the missed opportunity and risks of not regulating individual cybersecurity professionals.

68.     It is clear from the debate that there are diverse views on the issue of licensing cybersecurity service providers and growing the cybersecurity ecosystem. On the one hand, there is a call for even individual professionals to be regulated, while on the other hand, some expressed concerns over potential cost implications for businesses.

69.     As I have mentioned in my opening speech, for a start, the licensing framework is deliberately light-touch in view of the need to strike a good balance between industry development and cybersecurity needs.

70.     Furthermore, given the global nature of the cybersecurity industry, we recognise that there are currently practical challenges to requiring individual cybersecurity professionals to be licensed, especially for service providers who deploy employees from overseas to serve clients in Singapore.

71.     Our focus is on more mainstream or mature cybersecurity services with the potential to cause significant impact on the overall cybersecurity landscape. We have identified two categories of services, penetration testing and managed security operations centre (SOC) monitoring, as licensable cybersecurity services, which are set out in the Second Schedule. Nonetheless, other cybersecurity services will still need to comply with other laws in Singapore, such as the CMA.

72.     All providers of licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. However, we do not intend to require companies to be licensed for providing such services to their related companies.

73.     Under the Bill, no person may engage in the business of providing any licensable cybersecurity services to other persons, except under and in accordance with a licence granted or renewed under Clause 26. CSA will encourage consumers of such cybersecurity services to only procure services from licensed cybersecurity service providers by publishing a list of licensees online. Companies can also inform CSA of any unlicensed service providers.

74.     The proposed licensing framework is intended to reduce the safety and security risks that cybersecurity service providers can pose. The service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Any applicant who is not fit and proper may be refused a licence under Clause 26.

75.     Similarly, a cybersecurity service provider’s licence may be revoked or suspended, if the service provider is no longer fit and proper, among other factors under Clause 30. In addition, the service provider will be required to keep records on the cybersecurity services it has provided to its clients, including details of the employee providing the service, for not less than 3 years for accountability and traceability in the event of foul play.

76.     Mr Henry Kwek also asked whether the Government could create a certification system that favours cybersecurity professionals who have a vested interest in Singapore.

77.     CSA intends to work with the industry and professional association partners to establish voluntary accreditation and certification regimes for cybersecurity service providers and professionals, to raise the quality of cybersecurity services and further improve their standing. For example, in partnership with CSA and the Association of Information Security Professionals (AISP), CREST, a non-profit international organisation, established a Singapore chapter to introduce penetration testing certifications and accreditation in Singapore.

78.     Given the nascent nature of our industry, we should remain open, and take reference from internationally recognised standards where possible. It would not be in our interest to favour only those professionals who have a vested interest in Singapore. Likewise, we would want our local cybersecurity professionals to be recognised in other markets, based on their professional expertise and experience.

79.     The regulatory regime needs to strike a balance between security needs and the development of a vibrant cybersecurity ecosystem. This is the best balance that we can find at this point in time.

80.     MCI and CSA will be engaging the industry in working out the implementation details for licensing, including licensing conditions for licensable cybersecurity service providers. We will also continue to take in feedback from the industry on the licensing regime as the cybersecurity ecosystem evolves.

Cybersecurity Manpower Development

81.     Several MPs [Mr Zaqy Mohamad, Ms Jessica Tan, Mr Henry Kwek, Mr Melvin Yong and Mr Desmond Choo] asked about the Government’s plans to grow and develop the pool of cybersecurity professionals.

82.     I would like to assure Members that Singaporeans will continue to be an important part of our cybersecurity workforce. The Government is collaborating with the industry to grow the cybersecurity workforce in Singapore. For example, under the Cyber Security Associates and Technologists (CSAT) programme, CSA and IMDA partner the industry and Institutes of Higher Learning (IHLs) to attract new graduates and convert existing professionals from related fields to a career in cybersecurity.

83.     Under CSA’s Cybersecurity Professional Scheme (CSPS), officers will be recruited and trained in areas such as cyber forensics and vulnerability assessment, before being deployed to public agencies overseeing CII sectors to assist companies in these sectors with their cybersecurity capabilities.

84.     Assoc Prof Daniel Goh asked about the potential to build greater synergy in civilian and military cybersecurity capabilities.

85.     Today, CSA already works closely with MINDEF on cybersecurity matters. For example, CSA can call on MINDEF for support when responding to cybersecurity incidents, as MINDEF is part of NCIRT. CSA and MINDEF also collaborate in areas such as the sharing of operational lessons and threat information, technology cooperation and participation in joint exercises such as Exercise CYBER KNIGHTS 2017.

86.     Last year, MINDEF announced the establishment of a new Cyber Defence vocation. I understand that they are looking into better harnessing the cybersecurity skills of National Servicemen to defend our military networks and contribute to the national cybersecurity effort. CSA and MINDEF will continue to find more ways to cooperate in this area.

87.     I also agree with Mr Patrick Tay that we need to bring together various partners to assist cybersecurity professionals in areas such as continual learning and career development. We need to continually upgrade our cybersecurity defences and training as cyber-attacks are getting more sophisticated. CSA, through its Academy, is leading efforts to boost the skills of cybersecurity professionals working in the Government and CII sectors such as energy and healthcare. On this, I look forward to the labour movement’s support.

Global Development and Standards

88.     Ms Sun Xueling asked how the Bill would take into account global developments and evolving standards to tackle cybersecurity threats, while Mr Azmoon Ahmad spoke about the need to regularly review the regulatory framework given the fast changing internet landscape.

89.     In formulating this Bill, we studied cybersecurity legislation which other countries have implemented or are considering. Our Bill has taken into consideration these international developments.

90.     During the implementation of the Bill, we will take reference from internationally recognised standards when developing codes of practice and standards of performance for the different sectors.

91.     We also recognise that the environment that we operate in may change with changes in industry and technological trends. Therefore, we will need to keep abreast of international developments, and review and adjust our laws to address new and emerging issues moving forward.

92.     Asst Prof Madev Mohan asked what MCI and CSA had done with respect to cybersecurity internationally and regionally. CSA has been an active participant at international fora and discussions to develop international cyber norms including at the UN. Bilaterally, we had signed MOUs with countries such as the US, UK, France and Australia on cybersecurity cooperation and capability development. Regionally, we have launched the ASEAN Cyber Capacity Building Programme with ASEAN member states and Dialogue Partners to build cybersecurity capacity in the region. We will continue to pursue efforts on this front.

Public Education and Assistance for SMEs

93.     Several Members [Mr Patrick Tay, Mr Saktiandi Supaat, Mr Louis Ng, Ms Joan Peirera, Mr Melvin Yong and Mr Darryl David] asked whether there are plans to assist businesses including our SMEs and to educate the public on how to prevent and respond to cybersecurity threats and incidents.

94.     Through the Cyber Security Awareness Alliance, CSA works closely with representatives from public- and private-sector organisations, and industry associations, to reach out to businesses including SMEs, and to promote awareness and adoption of cybersecurity practices. This is done through organising cybersecurity talks and conferences, and developing online cybersecurity resources, which are available on CSA’s GoSafeOnline website. CSA also publishes an annual Singapore Cyber Landscape report for public awareness.

95.     In addition, SMEs can also tap on IMDA’s SMEs Go Digital programme to adopt cybersecurity solutions and seek technical advice on cybersecurity and other digital concerns from IMDA’s SME Digital Tech Hub.

96.     Besides these initiatives, businesses and members of the public can also sign up for SingCERT’s advisories and alerts on cybersecurity threats and incidents. For example, when D-Link routers were found to have security vulnerabilities in September last year, SingCERT and the Info-communications Singapore Computer Emergency Response Team (ISG-CERT) under IMDA issued a joint advisory which contained information on the affected products and the steps that affected consumers should take.

97.     CSA also collaborated with the PDPC to develop a series of Student Activity Books to raise awareness of the importance of Cybersecurity and Personal Data Protection among our students. The Silver Infocomm Junctions, an initiative by IMDA, provides seniors with infocomm training, which includes cybersecurity. We will continue to work with our partners in our efforts to raise cybersecurity awareness among the public.

98.     Mr Zaqy Mohamad asked whether the Government could consider cybersecurity as another pillar of Total Defence.

99.     CSA has been working with MINDEF to incorporate cybersecurity messages in each of the existing five pillars of Total Defence.

100.     On this, I agree with Ms Jessica Tan that people are the weakest link, but also our strongest asset. If we each do our part to use our computer systems and devices responsibly, collectively we can help to protect Singapore’s cyberspace.

CONCLUSION

101.     Sir, many of the issues raised by Members are among those that we have considered, in developing a Cybersecurity Bill that takes into account the interests of the different stakeholders and Singapore’s needs. The MPs also raised questions that do not relate directly to the Bill, but rather to the larger cybersecurity ecosystem that we are developing. I understand their concerns and agree that these are important issues to address.

102.     My Ministry will continue to work with stakeholders from the public and private sectors to ensure that our laws remain robust and relevant, and beyond this Bill, to raise the level of cybersecurity awareness and develop the cybersecurity ecosystem in Singapore. As Mr Ganesh Rajaram mentioned, cybersecurity is not just the Government’s responsibility. Everyone needs to play a role, including Members in this Chamber.

103.     Members of the House will agree that this is an important legislation to protect our critical information infrastructure and safeguard our essential services from disruption by cyber-attacks. I hope that we can support the Bill.

104.     Lastly, I would like to take this opportunity to thank my colleagues from MCI and CSA for working on this landmark Bill. In particular, I would like to make special mention of Mr Chng Ho Kiat, Director of the Cybersecurity and Resilience Division in MCI, who passed away less than two weeks ago. In his time at MCI, Ho Kiat made significant contributions towards the strengthening of cybersecurity in Singapore – he played a pivotal role in developing the national cybersecurity strategy and this Bill.

105.     Thank you.