New law will require owners of critical services to report wider range of cybersecurity incidents

LaksaNews

SINGAPORE: A Bill aimed at bolstering Singapore’s cybersecurity defences while accounting for changes in technology was passed by parliament on Tuesday (May 7).

Under amendments to the Cybersecurity Act, owners of critical information infrastructure (CII) must now report more types of incidents including those that happen in their supply chains.

This is to address the “inventiveness” of malicious cyber actors, said Senior Minister of State for Communications and Information Janil Puthucheary.

“As the tactics and techniques of malicious actors evolve to target systems at the periphery or along supply chains, we must also start placing our alarms at those places,” he added.

The new law will allow authorities to regulate a new type of system called Systems of Temporary Cybersecurity Concern (STCC). These are systems that, for a time-limited period, are at high risk of cyberattacks, and if compromised, would damage Singapore’s national interests.

The Cyber Security Agency of Singapore (CSA) will now also be able to manage entities beyond its current regulatory regime. These include Entities of Special Cybersecurity Interest (ESCIs).

Attacks on ESCIs could have a “significant detrimental effect” on Singapore’s defence, foreign relations, economy, public health, public safety, or public order, because of the disruption of the function they perform, or the disclosure of sensitive information their computer systems contain, explained Dr Janil.

The specific list of entities designated as ESCIs should not be disclosed publicly to avoid inadvertently advertising these entities as “worthy targets” to malicious actors, he added.

CSA will now also be able to deal with situations where a CII is supporting an essential service from overseas. With the new changes, CSA can designate and regulate such CIIs so long as its owner is in Singapore and the computer system would have been designated as a CII had it been located in Singapore.

Tabling the Bill for a second reading, Dr Janil said that it aims to tackle “shifts in the operating context” in cybersecurity, and strengthen the administration of the Act to address “operational challenges” CSA has faced.

“The Cybersecurity Act has now been in force for six years. The core objectives continue to be relevant today. We’ve reviewed the Act, learning from our experiences, and taking into account changes in technology,” he explained.

“In order to continue to ensure Singapore’s cybersecurity, a review and an update to the Act is needed as several aspects of our operating context have changed.”

WHY IT MATTERS


While Singapore implemented legislation in the form of the Cybersecurity Act in 2018, technology has evolved and business models have changed.

For one, cloud computing is widely available and used. While it was once the norm for CII to be physical systems on premises and entirely owned or controlled by the CII owner, this is no longer always the case, said Dr Janil.

Now it is also possible to aggregate and share common digital services and functions across borders. This means it is necessary to review how Singapore can safeguard the cybersecurity of its essential services, he added.

All this is happening amid a backdrop of increased use and reliance on digital technology.

In Singapore, over 90 per cent of residents now communicate online and firms’ technology adoption rate has grown from 74 per cent in 2018 to 94 per cent in 2022. More are now online for longer and online for more varied purposes.

This means that there is an increased “attack surface” as people are exposed to more cyber risks, said the Senior Parliamentary Secretary. The cyber threat landscape has also evolved and malicious actors are increasingly finding new ways to reach their targets.

With all this in mind, it is “vital” Singapore updates cybersecurity laws to stay ahead of the curve, said Dr Janil.

Singapore is making a “major update” to its Cybersecurity Act (CSA), given the significant shifts in the digital domain, said Senior Minister of State for Communications and Information Janil Puthucheary. It will have the power to keep pace with developments in technology and business practices and respond to evolving cyber security challenges in the cyber threat landscape, he said in Parliament on Tuesday (May 7). This means extending the regulatory oversight to other important systems and entities, and using a risk-based approach to regulate entities for cyber security and administer the Act more effectively. These will strengthen Singapore’s national cyber security and increase trust in using online services, said Dr Janil.

A key provision involves Critical Information Infrastructure (CII). Dr Janil said regulating CIIs is no longer sufficient and it is vital to update cybersecurity laws to continue to stay ahead of the curve. Dr Janil pointed out that the 2018 Act was developed to regulate CIIs as physical systems, but new technology and business models have emerged. Hence, the need to better regulate CIIs to ensure that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on. Under the Bill, the meaning of computer and computer system in specified portions will include virtual computers and virtual computer systems. The new definition will make clear that the CII owner is responsible for the cyber security of its virtualised CII.

Another provision deals with essential services from overseas. CIIs that are wholly located outside of Singapore can be designated and regulated so long as the owners are in Singapore and the computer systems would have been designated as CII under the law had they been located wholly or partly in Singapore.

The law will also be updated to address malicious cyber actors who target systems at the periphery or along supply chains. Dr Janil said Singapore must start “placing our alarms” at these places. It will require CII owners to additionally report incidents that affect computers that interconnect or communicate with the CII.

The Government also wants to expand the Act to regulate a new type of system, Systems of Temporary Cybersecurity Concern. It deals with the cybersecurity of ICT systems that for a time-limited period are at high risk of cyberattacks and, if compromised, would have a serious detrimental effect on Singapore's national interests. Provisions will also be introduced to cover new entities that could be attractive targets for malicious threat actors. These are Entities of Special Cybersecurity Interest, such as universities.

Dr Janil told the House that the Bill is calibrated to address the risks to the nation, economy and Singapore’s way of life while balancing the compliance costs. He added that the Government will continue to refine its approach in consultation with stakeholders and consider new international practices as they emerge.

LAWMAKERS’ CONCERNS


Members of Parliament supported the Bill, although they also raised questions on how CSA would cope with more reports of cybersecurity incidents and the compliance costs associated with the new obligations.

Ms Tin Pei Ling (PAP-Macpherson) wanted to know if the government would consider requiring CII owners to monitor and report incidents of those further down the supply chain - beyond their immediate suppliers - in the future.

Given how entities could potentially be designated as STCCs or ESCIs, Nominated Member of Parliament Mark Lee asked how businesses will be informed of or reveal and appeal designations.

Some MPs called for clarity on entities that fall under ESCI, which may hold sensitive information or perform a function of national interest.

Nominated Member of Parliament Razwana Begum also raised concerns about the ambiguity of the terms “sensitive information” and “function of national interest”, pointing out that a lack of clear definition could lead to inconsistencies in regulatory decisions.

GOVERNMENT’S RESPONSE


Addressing concerns on increased compliance costs, Dr Janil said that neither the Cybersecurity Act nor the amendments proposed in the Bill imposes “cybersecurity obligations” on the business community at large.

Instead, what the new law will do is regulate only the cybersecurity of systems infrastructure and services that are important at a national level because their disruption or compromise could affect Singapore’s survival, security, safety or other national interest, he said.

“This is a known and finite set of systems and entities. Our approach is a targeted and calibrated one, precisely because we recognise that regulation will involve compliance costs,” Dr Janil added.

“Some compliance costs cannot be avoided where regulation is concerned. It's something we are mindful of. We do not seek to regulate without good reason.”

In Parliament on Tuesday (May 7), Senior Minister of State for Communications and Information Janil Puthucheary responded to clarifications sought by members of the House on the Cybersecurity (Amendment) Bill. The Bill was then passed.


On designating entities as STCCs or ESCIs, Dr Janil highlighted that CSA’s practice has been and will be to provide “ample support” to regulated entities to guide them towards compliance.

“This begins even before a system or an entity is designated,” he added.

If CSA has reason to believe that a system or entity should be designated, the agency will first engage the owner to better understand the operating context, such as the cybersecurity measures that have already been implemented and the level of their cybersecurity capabilities, to ensure that any designation is appropriate.

CSA will then work with the owner to assess what needs to be done for the entity or system to be in compliance with the Act as well as the support and lead time that the organisation needs, said Dr Janil.

Entities that receive a designation notice can also appeal against it, while a regulated entity may also appeal against CSA’s decisions, orders and directions as well as codes of practice and standards of performance, he added.

Reiterating that he would not disclose any “specific real-life examples” of entities designated as ESCIs, Dr Janil said that publication and disclosure of an ESCI’s identity would be on a “case by case basis”.

“The issue for consideration is not whether a regulated entity is a large company, an MNC (Multinational Corporation) or a SME (small-and-medium-size enterprises), the key consideration is whether a cyberattack on the entity could have serious implications on our national security or other national interests,” he added.

“We do not take these decisions to impose obligations lightly.”
