INTRODUCTION: CYBERSECURITY LANDSCAPE
1. Mr Speaker, Sir, I beg to move, “That the Bill be now read a second time.”
2. Digitalisation has opened up new possibilities to enhance our modern lives, but it has also exposed us to cybersecurity threats. In recent years, we have not only seen an increasing number of cyber-attacks worldwide, but also a wider range of targets, including individuals, large organisations like Equifax, and government agencies.
3. Singapore remains an attractive target to attackers because of our high dependence on internet-based transactions. In 2017 alone, we saw attacks against our government agencies, universities, financial institutions, both large and small enterprises and individuals who had their computers locked by ransomware.
THE NEED FOR CYBERSECURITY LEGISLATION
4. Sir, protection against cyber-attacks needs to start with organisations and individuals taking responsibility for the cybersecurity of their own computer systems. However, it is also important for us to work collectively, especially in protecting our essential services against cyber-attacks. As we have seen in other countries, such cyber-attacks can have a debilitating impact on the economy and society:
a. Last year the UK’s National Health Service (NHS) had to cancel at least 6,900 appointments due to the “WannaCry” ransomware attack.
b. In the Ukrainian capital of Kiev, the power grids were hacked twice by cyber attackers in 2015 and 2016, leading to power disruptions that affected over 200,000 citizens during winter.
c. In 2015, a massive cyber-attack that reportedly intended to destroy important national communication channels took the French TV network, TV5Monde, off the air for several hours.
5. Computer systems directly involved in the provision of essential services are termed Critical Information Infrastructure or CII. There is an urgent need for the Government to be more actively involved with the CII owners in defending against cyber-attacks.
6. We have identified CII in 11 sectors: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, and Security and Emergency Services, and Government.
7. Even with efforts to protect CII, we cannot expect to detect and foil every cyber-attack. This is why it is also necessary to investigate cybersecurity threats and incidents, and to mitigate the consequences of successful attacks.
8. Currently, Section 15A of the Computer Misuse and Cybersecurity Act, or the CMCA in short, empowers the Minister for Home Affairs to issue a certificate to authorise or direct a person or an entity to take measures to comply with requirements necessary to prevent, detect or counter a threat to any class of computers or computer services, if the Minister is satisfied that it is necessary to do so for the purpose of preventing, detecting or countering any threat to the national security, essential services, defence or foreign relations of Singapore. However, the CMCA, which mainly deals with cybercrimes such as the unauthorised access of computer material, does not provide a regulatory framework for the routine and proactive protection of CII.
9. Therefore, the Cybersecurity Bill seeks to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore, with an emphasis on the proactive protection of CII against cyber-attacks. The Bill has three key objectives:
a. First, to strengthen the protection of CII against cyber-attacks.
b. Second, to authorise the Cyber Security Agency of Singapore (CSA) to prevent and respond to cybersecurity threats and incidents.
c. Third, to establish a licensing framework for cybersecurity service providers.
10. Parts 3 and 4 of the Bill set out a framework for CSA to request cybersecurity information on CII and during investigations of cybersecurity threats and incidents. The Bill protects such information by requiring specified persons who obtain it when performing their functions or discharging their duties to keep it confidential, and by specifying the circumstances in which it can be disclosed.
11. The Cybersecurity Bill does not provide powers to prosecute cyber criminals. The CMCA and other relevant legislation will continue to govern the investigation and prosecution of cybercrime perpetrators and the detection and apprehension of such offenders.
12. The Bill is intended to apply concurrently with other laws and regulations enacted in Singapore, including existing sectoral laws.
13. In formulating this Bill, the Ministry of Communications and Information (MCI) and CSA studied cybersecurity legislation which other countries such as Germany, Estonia, the USA, Thailand and Vietnam have implemented or are considering. These laws cover areas such as:
a. Imposing obligations on CII owners to protect their CII;
b. Requiring cybersecurity audits to be conducted;
c. Making the reporting of cybersecurity incidents mandatory;
d. Encouraging companies to share cybersecurity information with the government;
e. Prevention of cybersecurity attacks; and
f. Industry regulations.
Our Bill is in line with these international developments.
14. We also consulted industry associations, cybersecurity professionals, sector regulators, potential key CII stakeholders and the general public. In response to requests for more time to provide feedback, we extended our public consultation to six weeks. Respondents were generally supportive of the Bill. They shared the Government’s concerns on cybersecurity threats and the impact of cyber-attacks on Singapore. Respondents also provided useful feedback that allowed us to identify aspects of the Bill that could be refined when drafting the Bill, including simplifying the licensing framework. I would like to thank all respondents for their feedback and suggestions.
15. Mr Speaker, Sir, allow me to now go through the key proposals of the Bill.
ASSISTANT COMMISSIONERS TO BE APPOINTED FROM SECTOR REGULATORS
16. Clause 4 of the Bill allows the Minister-in-charge of Cybersecurity to appoint a Commissioner of Cybersecurity to administer the Bill. The appointment will be held by the Chief Executive of CSA.
17. Today, CSA works with sector regulators to coordinate cybersecurity efforts to protect CII within their respective sectors. The sectors have varying levels of cybersecurity readiness, and sector regulators have varying legislative powers to regulate CII within their sectors on cybersecurity matters. The Cybersecurity Bill will provide CSA with the necessary powers to proactively protect our CII and respond to cybersecurity threats and incidents.
18. Clause 4 allows the Minister to appoint Assistant Commissioners, or ACs, to assist the Commissioner to oversee and enforce cybersecurity requirements on the CII owners. The intention is to appoint senior officers from sector regulators as ACs to perform this role in respect of CII in their respective sectors. This is because such officers understand the unique contexts and complexities in their sectors, and will be best-placed to advise the Commissioner on the necessary requirements so as to strike a balance between their sectors’ operational needs and national cybersecurity considerations.
STRENGTHENING PROTECTION OF CII AGAINST CYBERSECURITY THREATS AND INCIDENTS (PART 3)
19. Clause 7 allows the Commissioner to designate as a CII any computer or computer system that is necessary for the continuous delivery of an essential service set out in the First Schedule, and whose loss or compromise will have a debilitating effect on the availability of the essential service. This clause also requires the Commissioner to inform the CII owner how he can submit representations against the designation.
20. CSA has worked closely with sector regulators to identify the list of essential services as set out in the First Schedule. An essential service is defined in Clause 2 as any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. New essential services may be added from time to time to the First Schedule by the Minister exercising powers under the Bill if necessary.
21. The Bill will require CII owners to comply with statutory obligations to ensure the cybersecurity of their CII. All owners of CII, whether from the public or private sector, will be subject to the same statutory obligations under the Bill. These obligations include:
a. Furnishing primarily technical information relating to CII (Clause 10);
b. Complying with codes of practice and standards of performance (Clause 11);
c. Complying with written directions (Clause 12);
d. Informing the Commissioner of the change in ownership of CII (Clause 13);
e. Reporting cybersecurity incidents in respect of CII (Clause 14);
f. Conducting cybersecurity audits and risk assessments of CII (Clause 15); and
g. Participating in cybersecurity exercises (Clause 16).
22. No action under the Bill will be taken against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder. Non-compliance with CII-related obligations under Part 3 of the Bill will be an offence. The maximum penalty is $100,000 or 2 years’ imprisonment or both.
23. CII owners who disagree with particular decisions of the Commissioner, such as the CII designation, may appeal to the Minister. This is provided for in Clause 17.
ENHANCING CSA’S ABILITY TO PREVENT AND RESPOND TO CYBERSECURITY THREATS AND INCIDENTS (PART 4)
24. To strengthen CSA’s ability to prevent and respond effectively to cybersecurity threats and incidents, Part 4 of the Bill empowers the Commissioner to investigate cybersecurity threats and incidents. These powers in Clauses 19 and 20 are calibrated according to the severity of the cybersecurity threat or incident and measures required for response. The Commissioner may authorise incident response officers to exercise these investigation powers. In addition, the Minister has powers to require cybersecurity measures under Clause 23 for the purpose of countering serious and imminent threats.
25. The key intent is to provide for powers to respond to cybersecurity threats or incidents affecting CII. But because of the interconnected nature of computer systems, the powers will also be used for investigating major cybersecurity threats and incidents on computer systems that are not CII, for example, large-scale cyber-attacks affecting multiple sectors. It is not our intent to use these powers to respond to each and every cybersecurity threat or incident in Singapore, as computer owners are ultimately responsible for the cybersecurity of their own computers.
26. Clause 19 allows the Commissioner to request persons to furnish specified information that is necessary for the investigation of cybersecurity threats or incidents, for the purpose of:
a. Assessing their impact or potential impact;
b. Preventing any or further harm arising from the same cybersecurity incident; and
c. Preventing a further cybersecurity incident.
27. The maximum penalty under Clause 19 is $5,000 or 6 months’ imprisonment or both, for offences such as wilfully misstating information or refusing to provide required information without reasonable excuse.
28. Clause 20 allows the Commissioner to authorise incident response officers to exercise more intrusive investigative powers as are necessary to investigate and prevent serious cybersecurity threats or incidents. For example, the Commissioner may require the owner of a computer to scan the computer for cybersecurity vulnerabilities. Clause 20(3) prescribes a set of criteria for determining what constitutes a “serious” cybersecurity threat or incident, such as when it creates a risk of significant harm being caused to a CII.
29. The Commissioner may under Clause 20(5) take possession of any computer or equipment without the owner’s consent for the purpose of further examination and analysis, if the Commissioner is satisfied that –
a. this is necessary for the purpose of the investigation;
b. there is no less disruptive method of achieving the purpose of the investigation; and
c. after consultation with the owner, and after considering his business and operational needs, the benefit from doing so outweighs the detriment caused to him.
30. Such powers are necessary given the potential impact from serious cybersecurity threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and way of life. The Bill clearly spells out how these powers may be exercised. These powers are calibrated, and there are safeguards built into the Bill such as what I have just described.
31. The maximum penalty under Clause 20(7) is a $25,000 fine or 2 years’ imprisonment or both, for offences such as failure without reasonable excuse to comply with a direction or requirement of an incident response officer under Clause 20(2)(b) or (c).
32. Clause 23 allows the Minister to authorise or direct any person or organisation to take measures for the purpose of countering serious and imminent threats. Clause 23 is a re-enactment with slight modifications of section 15A of the CMCA. This section will be repealed. The CMCA will correspondingly be renamed as the Computer Misuse Act, or the CMA in short, at the same time that the Cybersecurity Bill is passed.
33. The offences and penalties under Clause 23 are the same as those under Section 15A of the CMCA.
PROTECTION OF INFORMATION SHARED
34. The Bill recognises that information disclosed to CSA under the Bill is often confidential. Information disclosed to CSA may be used to determine if a computer system is a CII (Clause 8), technical information relating to a CII (Clause 10), or information given pursuant to an investigation into a cybersecurity threat or incident (Clause 19 or 20).
35. Therefore, under Clause 43, the Commissioner and other specified persons must preserve the secrecy of information that may come to their knowledge as a result of performing their functions or discharging their duties under the Bill. Such information includes matters relating to a computer system, as well as the identity of persons who furnished the information. It will be a criminal offence under Clause 43(4) if specified persons fail to preserve the secrecy of such information or unlawfully disclose such information. The maximum penalty is $10,000 or 1 year’s imprisonment or both.
36. However, Clause 43 provides for the sharing of information in certain circumstances, such as for the purposes of prosecution under the Bill, or to disclose to the police any information which discloses the commission of an offence under the CMA.
37. We recognise other persons may have information on whether CII owners are complying with their obligations specified in Part 3 of the Bill, and we want to encourage the disclosure of such information to the Commissioner. Clause 45 provides for the protection of these informers in relation to proceedings for an offence under Part 3 of the Bill.
LICENSING FRAMEWORK FOR CYBERSECURITY SERVICE PROVIDERS (PART 5)
38. As cybersecurity risks become more widespread, the demand for credible cybersecurity services will grow. Some cybersecurity services can be sensitive because the service providers performing them can have significant access into their clients’ computer systems and networks and gain a deep understanding of the cybersecurity vulnerabilities. Such services, if abused, can compromise and disrupt the clients’ operations even after the service provider’s job has been completed. Furthermore, there is asymmetry of information; many organisations, especially smaller ones, may not know which cybersecurity service providers are ethical or offer reliable services.
39. Part 5 of the Bill provides for a licensing framework for cybersecurity service providers that service the Singapore market. For a start, the licensing framework will be light-touch, given that this is a new initiative and that there is a need to strike a good balance between industry development and cybersecurity needs. Only providers of two types of cybersecurity services will be licensed, namely penetration testing and managed security operations centre (SOC) monitoring. These providers have access to sensitive information from their clients, and the services are also relatively mainstream in our market, and hence have a significant impact on the overall cybersecurity landscape.
40. Clause 24 requires providers of licensable cybersecurity services that are specified in the Second Schedule to apply for a licence. It will be an offence to provide such services without a licence. The maximum penalty is a $50,000 fine or 2 years’ imprisonment or both.
41. We do not intend to require companies to be licensed for providing licensable cybersecurity services to their related companies. In addition, the term “cybersecurity service” as defined in Clause 2 only covers a service provided by a person for reward to another person, and excludes a service provided in-house to an employer.
42. Financial penalties may be imposed under Clause 32 for non-compliance with licensing conditions or for other regulatory breaches that are not an offence, such as the failure to keep and retain proper records. The maximum financial penalty is $10,000 for each non-compliance, but not exceeding in the aggregate $50,000.
43. The licensing officer is required under Clause 33 to give licensees an opportunity to submit representations before the imposition of financial penalties. Under Clause 35, cybersecurity service providers may appeal to the Minister against specific decisions of the licensing officer such as the refusal to grant a licence and licensing conditions.
PARTNERSHIP WITH STAKEHOLDERS
44. Sir, the Government cannot achieve a more secure cyberspace alone. We will partner public and private-sector stakeholders in the journey to strengthen the protection of CII.
45. CSA will adopt a deliberate process for the designation of CII across the different sectors, in consultation with their owners and the relevant sector regulators where possible. CSA will also implement programmes to help the sector regulators assist CII owners in getting ready to fulfil their obligations under the Bill.
46. We will also engage the industry further on the licensing conditions for licensed cybersecurity service providers under Clause 27 of the Bill. The licensing framework will be operationalised at a later stage, after the rest of the Bill.
47. The Cybersecurity Bill is one part of Singapore’s Cybersecurity Strategy to strengthen the nation’s cybersecurity posture. With cyber threats growing globally, the Bill is timely to empower CSA to safeguard essential services from disruptions by cyber-attacks, prevent and respond to cybersecurity threats and incidents, and to establish a licensing framework to improve the credibility of cybersecurity services in Singapore.
48. Sir, I beg to move.