
Singapore updates cybersecurity law to expand regulatory oversight


Amendments to the country’s cybersecurity bill aim to bolster its administration amid changes in the threat landscape.
With widening attack surfaces and technology infrastructures that are no longer necessarily physical, Singapore says its cybersecurity legislation must keep up with the changing threat landscape and be adequately administered to keep its critical infrastructures resilient.
The Cybersecurity (Amendment) Bill was passed on Tuesday following two readings in parliament to address “shifts in the operating context in cybersecurity” and operational challenges its administrator, the Cyber Security Agency (CSA), faced amid such changes, Janil Puthucheary, Singapore’s senior minister of state for the Ministry of Communications and Information (MCI), said in parliament.
The updates will keep pace with developments in technology and business practices and extend CSA’s regulatory oversight to other entities and systems beyond physical assets. The amendments will enable the regulator to better respond to evolving cybersecurity challenges and operate on a risk-based approach in regulating entities, said Puthucheary. 
For instance, when the Cybersecurity Act was first established in 2018, it sought to regulate CIIs (critical information infrastructures) that were physical systems. However, the minister noted that new technology and business models have since emerged, in particular, with the advent of cloud computing. 
He noted that an estimated 60% of local enterprises use some form of cloud technology in their operations and, as a result, business models have changed. This change led to challenges in applying the Act, which was written when physical on-premise IT systems were still commonplace and controlled or owned by the CII owner, he said.
With the latest updates, CSA can better regulate CIIs and ensure these infrastructures can withstand online threats, regardless of the technology or framework on which they sit, he added. 
In particular, the definition of “computer” and “computer system” in some portions of the Bill now includes “virtual computers” and “virtual computer systems”. Provisions have also been included to establish what ownership of such systems entails, as this can include both physical and virtual systems to deliver essential services, Puthucheary said.
In a virtual CII, such as in a cloud environment where underlying physical infrastructure might be shared or easily replaced, it would not be meaningful to regulate the underlying hardware, he noted.
The updated legislation allows the government to make it clear the CII owner is responsible for the cybersecurity of its virtualized infrastructure, not third parties involved in the supply of the underlying physical infrastructure, he said. 
The Cybersecurity Act lists 11 CII sectors, which include water, healthcare, maritime, infocommunications, banking and finance, and aviation.
