10 Jul 2017
The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) invite the public to provide feedback on the proposed Cybersecurity Bill. The public consultation exercise will run from 10 July to 3 August 2017.
Fast-evolving cybersecurity landscape
Cyber-attacks are getting increasingly frequent, sophisticated and impactful. Globally, we have also seen a surge in the number of cybersecurity incidents, such as ransomware, cyber theft, banking fraud, cyber espionage and disruptions to Internet services. In Singapore, the recent Advanced Persistent Threat (APT) attacks targeting two of our universities, and the occurrence of the global WannaCry and Petya/Petna malware attacks which also reached our shores, serve as stark reminders of Singapore’s vulnerability to cyber threats.
Around the world, attacks on systems that run utility plants, transportation networks, hospitals and other essential services are growing. Successful attacks can and have resulted in significant financial losses and disruptions to daily lives. Hence, the protection of our Critical Information Infrastructures (CIIs), which are necessary for the continuous delivery of Singapore’s essential services, is a cornerstone of the proposed Bill.
The need for new cybersecurity legislation
As a small nation with one of the highest levels of digital connectivity in the world, a major cyber-attack, especially if our CIIs are affected, will have significant impact on Singapore and our people.
Singapore takes cybersecurity threats seriously and has taken steps to address these threats. In April 2015, the Government set up the Cyber Security Agency of Singapore (CSA), as the central agency to oversee and coordinate all aspects of cybersecurity for the nation. In October 2016, Prime Minister Lee Hsien Loong launched Singapore’s Cybersecurity Strategy with the aim to create a resilient and trusted cyber environment for Singapore and our residents.
Against the backdrop of proliferating cyber incidents globally and locally, it is imperative that we take a more pro-active and holistic approach to strengthen our resilience against cyber-attacks, especially for CIIs. New cybersecurity legislation is needed so that we can take pro-active measures to protect our CIIs, respond expediently to cyber threats and incidents and facilitate sharing of cybersecurity information across critical sectors.
Proposed framework to enable expedient response to cyber threats and incidents
The proposed Cybersecurity Bill will establish a framework for the oversight and maintenance of national cybersecurity in Singapore, and will empower CSA to carry out its functions. The Bill also aims to minimise the risks of cyber threats, and ensure that we can better deal with cyber-attacks. The Bill has four objectives:
a. To provide a framework for the regulation of CII owners (CIIOs). This formalises the duties of CIIOs in ensuring the cybersecurity of CIIs under their responsibility, even before a cybersecurity incident has occurred. The CIIOs’ responsibilities in protecting their respective CIIs will be spelt out, and the Act will also empower sector leads to raise the level of cybersecurity within their own sectors.
b. To provide CSA with powers to manage and respond to cybersecurity threats and incidents. The powers in section 15A of the Computer Misuse and Cybersecurity Act (CMCA), which pertain to cybersecurity, were enacted before the formation of CSA. Specific powers will be vested in CSA officers as sitting powers, to allow CSA officers to deal with fast-moving cybersecurity threats and incidents expediently.
c. To establish a framework for the sharing of cybersecurity information with and by CSA officers, and the protection of such information. Information sharing is key to cybersecurity. Under the Cybersecurity Bill, CSA officers will be able to receive and share information with relevant parties, for the purpose of preventing, detecting, countering or investigating any cybersecurity threat or incident.
d. To introduce a lighter-touch licensing framework for the regulation of selected cybersecurity service providers. For a start, the Bill proposes licensing the provision of penetration testing and managed security operations centre (SOC) services. The need for credible cybersecurity services will grow as cybersecurity risks become more mainstream. The proposed licensing framework aims to help provide greater assurance of safety and security to consumers of cybersecurity services, address information asymmetry in the industry and provide for improving the standards of cybersecurity service providers and professionals.
Submission of feedback
The public consultation paper and procedures for submission of feedback are available on the REACH public consultation portal at https://www.reach.gov.sg and CSA’s website at www.csa.gov.sg from 10 July 2017. Members of the public may provide feedback to email@example.com. All submissions should reach MCI/CSA no later than 3 August 2017, 5 pm.
Please refer to the Annex for the full public consultation document and the draft Bill.
A critical information infrastructure (“CII”) is a computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the security, economy, public health, public safety or public order of Singapore. CIIs may be owned by public or private organisations and may be located wholly or partly in Singapore. Today, the CIIs fall under 11 critical sectors: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10) Security and Emergency Services, (11) Water.