Questions remain over the kinds of services that will require a license and government officials' liability, but the proposed legislation is clear in one thing: that cybersecurity must now be a top priority for any business operating critical infrastructures in Singapore.
Singapore’s proposed cybersecurity bill has prompted the need for clarification around the licensing of service providers, government liability, and customer confidentiality, but its aim to push cybersecurity as a top priority for all businesses is certainly now accomplished.
The Singapore government on Monday unveiled details of the draft bill, outlining new legislation that would require operators of local critical information infrastructures (CIIs) to take steps to safeguard their systems and swiftly report threats and incidents. Released by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), the proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.
The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.
So what would organisations need to take note of to ensure compliance?
For a start, businesses in CII sectors would need to appoint a "CII owner", whom the bill identified as responsible for the protection of CIIs in their organisation, said Daryl Pereira, cybersecurity head at KPMG in Singapore.
The bill defined CII owners as those who had control over the operations of CII infrastructures and the ability to carry out changes to such infrastructures, and who were responsible for ensuring "the continuous functioning" of CII infrastructures.
In the government sector, CII owners would refer to the ministry’s permanent secretary, who was responsible for budget approvals related to CII, or the chief executive or equivalent of a statutory body.
Pereira said CII owners would need to ensure their organisation fulfilled its statutory duties, which included reporting cybersecurity incidents to CSA, participating in national cybersecurity exercises, and conducting regular audits on CIIs.
In particular, he noted, they should be mindful of the mandate to swiftly report cybersecurity threats and incidents as well as take appropriate actions to reduce further harm to the organisation and wider industry, should the threat have widespread impact.
"The proposed bill provides an impetus for the industry to take ownership of protecting their CII by placing emphasis on the appointment of CII owners at the individual level, rather than at the company level," he explained. "In many cases, the highest ranking person in the organisation may likely be the appointed CII owner."
This would have "far reaching effects" on how roles and responsibilities within such organisations were designed, he said. "It will drive more visibility of cybersecurity matters at the board and C-suite levels and, ultimately, will increase the investment on cybersecurity readiness across all sectors in Singapore," Pereira said.
Citing KPMG's surveys, he said countries in Europe and the US achieved higher cybersecurity readiness when there was appreciation that cyber risk was a business issue and when both business and IT heads assumed joint ownership of such initiatives.
Asked about his thoughts on the proposed bill, Quann’s managing director Foo Siang-tse said establishing a national regulatory and licensing regime was a right step forward, particularly in a threat landscape that was increasingly complex.
The local security vendor was unable to reveal the number of CII owners it supported, but confirmed it offered services to various businesses including regulators and owners in the CII sectors.
Foo said the bill "rightfully" placed the responsibility on CII owners to safeguard their cybersecurity, charging them with the duty to conduct key initiatives such as audits and risk assessments.
These would ensure the companies had robust cybersecurity policies, infrastructures, and capabilities, he added, noting that it also scrutinised those that had "skewed market preference" for security devices while neglecting audits and processes.
He noted that professional standards of cybersecurity service providers and personnel would be tightened through certification and code of ethics, background screening, and skills certification. These would further ensure enterprises were well informed and properly protected, he said.
Foo said: "To address the information asymmetry in the market, especially for buyers, cybersecurity service providers should be subject to regulation over misconduct, such as provision of false representations and recommendations made without basis."
CenturyLink's Asia-Pacific vice president of IT services and managed hosting, Francis Thangasamy, concurred: "This bill seems to be with the intent of driving clearer accountability across the industry, consistency across the public and private sectors, and proactive cybersecurity measures."
Asked how many CII operators it supported here, Thangasamy also declined to reveal details. He said the US vendor was still evaluating the bill to determine if it needed to acquire a license, and would do so if required.
Foo, too, called for more details to be provided about the kinds of services that would be considered under the bill. Noting that Singapore was one of the first few countries in the world to regulate cybersecurity service providers, he said: "Given the wide spectrum of cybersecurity services available in the market, from penetration testing, security monitoring, incident response, to forensics investigation, clarity is needed on what constitutes the two kinds of services, especially non-investigative cybersecurity services."
Under the proposed bill, vendors providing both investigative and non-investigative cybersecurity work would require a license. These included organisations as well as employees that provided penetration testing services and managed security operations centres (SOCs).
The bill outlined investigative services as those that involved "circumventing the controls implemented in another person's computer or computer system" or where people performing the service had "a deep level of access to the computer or computer system, in respect of which the service is being performed, or to test the cybersecurity defences of the computer or computer system".
Investigative services included conducting forensic examination of systems, assessing, testing or evaluating the cybersecurity of systems, and searching for vulnerabilities in systems.
Individuals offering investigative services also would need a license. Failure to obtain one could result in a fine of up to S$50,000 or jail time of up to two years or both. In addition, licensees that failed to comply with any terms and conditions stipulated could face a fine of up to S$10,000 or jail term of up to one year, or both.
Pereira said the move to license these selected vendors and individuals seemed to indicate a desire to improve buyers' assurance on their service providers' capabilities and suitability to offer what could sometimes be deemed intrusive cybersecurity services. The licensing approach also would raise the quality bar for all cybersecurity service providers, he added.
When contacted, Fortinet also was unable to reveal how many CII customers it had in Singapore. Its country manager Thiantara Kruathorn, though, confirmed the vendor’s clientele here included government agencies, telcos, financial services institutions, healthcare providers, media companies, and utility services providers.
While it would need more time to go through the draft bill, Fortinet believed the new laws, if passed, would significantly improve Singapore's cyber defences. Kruathorn noted, however, that the bill would be just the first step forward and enforcement would be critical.
CSA would have to put in place the right mechanisms to ensure all parties involved adhered to the rules, he said. "As the bill is confined to the jurisdiction of Singapore, the government needs to continue to collaborate with authorities beyond our borders to deal with cybercriminals residing overseas," he noted. "These would include agencies like Interpol and computer emergency response teams (CERTs) in countries around the world."