|
Asst Prof Mahdev Mohan (Nominated Member): Mr Speaker, Sir, I rise in support of this Bill.
In Singapore, there has been a reported increase in the proportion of cybercrimes to overall crimes from 79% in 2014 to 14% in 2016. Cases reported under the Computer Misuse and Cybersecurity Act (CMCA) more than doubled from 280 in 2015 to almost 700 in 2016, with ransomware, hacking and the compromise of online accounts such as Facebook, SingPass and Internet banking accounts figuring most prominently amongst these. In 2016, the National Cyber Security Command (NCSC) saw cyber-attacks of varying impacts across many sectors, including the defence, Government, banking and finance, and healthcare sectors. I, therefore, welcome this Bill, Mr Speaker.
The omnibus Cybersecurity Bill allows the Minister to appoint a Commissioner of Cybersecurity. The Commissioner is, in turn, empowered to designate a Critical Information Infrastructure (CII).
There have been tweaks, Mr Speaker, since an early draft of this Bill was first released in July last year for consultation. Conducted between the10 July 2017 to 24 August 2017, the public consultation exercise garnered close to a hundred submissions from a diverse range of stakeholders. I must disclose at this point that I was together with other scholars and students of Singapore Management University, one of the respondents of this consultation exercise. I am, therefore, pleased, Mr Speaker, with what has followed, with the refinements that have been made to this draft Bill and now the Bill before us. In particular, I think I am pleased in relation to the regime that now governs cybersecurity licensees.
Beyond this, clause 19(6) also suggests and clarifies that a person is no longer obliged to produce to the incident response officer an email infected by a malicious programme or malware if that email contains information that is subject to legal professional privilege. A distinction is made between a non-disclosure agreement which would be a contractual document of privilege; but there is a distinction now being made with legal professional privilege.
Importantly, Mr Speaker, the Bill acknowledges that a compliance driven approach to cybersecurity should not only be focused on a box ticking exercise, of getting all the boxes ticked but one that solves cybersecurity problems creatively and proactively, thereby instilling a risk-management culture. Behind laws, Mr Speaker, it is this creative approach that will be our shield against cybersecurity threats and incidents; it is this this risk-management culture that will see CII owners taking swift and appropriate measures to prevent, manage and respond to cybersecurity threats and incidents.
In this vein, permit me to pose a few further questions to the Minister.
Most importantly or chief amongst, I would say, businesses that are involved in this sector. What perhaps is the Ministry and CSA's plan to minimise additional compliance costs, Mr Speaker. I know that compliance costs for audits, reporting and risk assessments can be exorbitant, and these costs are unfortunately likely to be passed down to the consumers, not to the owners themselves.
Data disclosed during a recent proposal to amend the Homeland Security Acquisition Regulation in the United States had revealed that costs per company associated with implementing its cybersecurity rules went up to US$150,000 for independent assessments, and equipment costs ranging in turn for up to US$350,000 to perform continuous monitoring for this purpose. If these processes are not properly managed in Singapore, considerable sums could be unproductively spent.
In relation to Part IV of the Bill which deals with responses to threats and incidents, can we have some examples of what might variously qualify as a “cybersecurity threat or incident of a severe nature” on one hand, a “serious threat” on the other, and still on the third hand, which we do not have, an emergency level “serious and imminent threat”. They are terms apart which I would say judges and lawyers would be very keenly looking at. Can we have some guidance as to what this would be?
Third, will cloud services be impacted by this new regulatory framework? The Bill’s explanatory statement admits that that the Commissioner’s wide-ranging powers of access to data in clause 20 is “intrusive”. Will this be seen as going against, perhaps, established data privacy and protection principles and potentially expose the data of the cloud service provider’s clients? This is particularly so in a public cloud environment.
Could the Bill have a chilling effect on the adoption of cloud services in Singapore, as cloud customers in both Singapore and elsewhere become increasingly concerned about the level of Government access to private data and, perhaps, may withdraw from such cloud services in time to come – even though these cloud services arguably claim to provide better cybersecurity than what we have beyond the cloud services? This would be a pity as the cloud could enable new innovations such as artificial intelligence, and big data analytics which will likely become the basis of future developments in technology and that, by all accounts, the Smart Nation and Digital Government Office wishes to support.
I understand that codes of practice and standards of performance will provide more guidance to the relevant businesses on the actions that they must take to comply with the Bill. Are there plans, Mr Speaker, to adopt the best practices, specifically from the US and UK in this regard? I note that the US has a Cybersecurity Disclosure Act of 2015, which adopts a "comply or explain" procedure in certain circumstances? Will we be following that route or studying it at least? Or the UK’s Cybersecurity Information Sharing Partnership, a structure for incident disclosure and collection which, among other things, allows business organisations to work in collaboration of the regulators, to collaboratively and voluntarily report incidents to UK national computer emergency response team.
In conclusion, Mr Speaker, the breadth of machines and systems that are or could become potential CIIs is staggering and will only expand in a smart city such as Singapore in time to come. I fear when I read that the Ministry of Defence, quite rightly, is looking at how even fitness trackers could become a portal for CII threat or incident.
Allow me to end by noting that the Economist Intelligence Unit's most recent report notes that cyber criminals are seeking out points of least resistance in the Asia-Pacific region. Jurisdictions without cybercrime legislation – so now we are going to have cybercrime legislation in addition to the CMCA – but jurisdictions, perhaps, as in our neighbouring jurisdictions, without this legislation or with weak enforcement, are attracting cyber criminals as vantage points from which to conduct attacks into the networks of more advanced countries. So, if I can end by just asking, Mr Speaker, if the Minister could share anything that is going to be done regionally and, perhaps, internationally to prevent this. Mr Speaker, I support the Bill.
Mr Melvin Yong Yik Chye (Tanjong Pagar): Mr Speaker, I stand in support of the Bill, which regulates cybersecurity service providers and enhances the online resilience of our country’s critical information infrastructures across all key sectors. With the proliferation of Internet devices and the growing scale of worldwide cyber-attacks, such as the widespread WannaCry ransomware attack in 2017, the proposed provisions in this Bill are a much-needed step towards safeguarding of our cyberspace and everyday security. Considering the multi-faceted cybersecurity threats that we face today, the Bill is encouraging in both breadth and depth.
Let me begin by expressing my support of the Ministry’s intentions behind the licensing of key cybersecurity services. There is no doubt that cybersecurity is important for Singapore. Our highly inter-connected businesses and community depend very much on the integrity and round-the-clock availability of technology to function smoothly.
Just last Friday, thousands of Singaporeans were affected when the e-payment system NETS was down for more than an hour. Our Smart Nation needs to be secured all the time, every time. However, I would like to ask if the proposed licensing framework would impact the development of a vibrant cybersecurity eco-system in Singapore.
Would third-party start-ups and vendors be required to obtain a licence just to offer their services as part of a turnkey solution to organisations?
Mr Speaker, even the best cybersecurity defence systems and the most onerous cybersecurity legislation would be for naught, if the end-users of these systems end up being the weakest link in our cybersecurity chain.
With the proliferation of smart devices, flash drives and devices connected to the Internet, these can all be points of entry for a hacker to cause damage if the user does not have a good basic understanding of digital security. I would like to urge the Ministry to design and roll out awareness programmes to educate our citizens – both young and old – on digital security, to ensure that the weakest link in our cybersecurity chain is secured.
Another possible weak link in the chain is the outsourcing of cybersecurity services to companies that are based overseas. How does the Ministry intend to ensure the compliance of such companies?
A third possible weak link is the use of third-party vendors. As seen from overseas hacking incidents and data breaches, such as the data breach suffered by Netflix in 2017, poor cybersecurity by third-party vendors has been a consistent problem for years. In 2013, hackers gained access to the network of retail giant Target by first stealing passwords from a third-party vendor dealing with their heating and ventilation systems. Often, these vendors, also known as network-connected outsiders, are small-sized companies who do not invest much in proper cybersecurity practices – even less so investing in best practices. This has been a problem plaguing many industries. How does the Ministry plan to ensure that such third-party vendors, beyond the 11 identified critical sectors, are also well regulated?
Mr Speaker, the demand for cybersecurity solutions is set to swell as technology advances. There is, therefore, a need for us to ensure that Singapore has a core talent pool of cybersecurity professionals that can be deployed across the various sectors.
Can the Minister provide some insights on the number of cybersecurity professionals needed for the next five to 10 years? How far are we currently from these target numbers? What are the plans to ensure that we have a strong sustained pipeline of local talents to service this growing industry?
Perhaps, a short-term solution in ensuring that our cybersecurity defences are working as intended, while current batches of cybersecurity professionals are still being trained in schools, would be through the use of “white hat” hackers. I have read with interest that MINDEF has recently invited 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems. Harnessing the enthusiasm of the “white hat” hacker community is a step in the right direction and I would like to propose for the Ministry to consider grooming a local community of “white hat” hackers in Singapore. However, clear boundaries and protocols would need to be drawn and the Ministry would need to think about how to best support and manage the group. With that, Mr Speaker, I support the Bill.
Ms Jessica Tan Soon Neo (East Coast): Mr Speaker, thank you for allowing me to speak on this Bill. With the extent, speed, increasing sophistication and trend of high profile cyber-attacks, this Bill is timely. We are seeing an increasing trend of ransomware. Ransomware like Wannacry that everyone has cited, as well as Samsam, have targeted high profiles like MNCs, critical infrastructure providers, even hospitals and education institutions. This shows us the extent of disruption that ransomware can inflict.
Malware affects files, computers and mobile devices by encrypting and locking data, rendering them inaccessible and, in most cases, leading to a loss of data and impacting operations. Once inside the network, it gives control of the management inside the network. As more businesses digitalise and technology progressively influences the way we live, work and play, such attacks will have wide-reaching impact.
In the physical world, customers place their trust in businesses to provide quality services and to handle their information appropriately. The measures outlined in this Bill are no different, requiring owners of critical information infrastructures to proactively put in place the right procedures to protect customer data and ensure quality and continuity of service.
This Bill spells out the code of practice and standards of performance; duty of owners of critical information infrastructures to report cybersecurity incidents; to perform cybersecurity audits and risk assessment of critical information infrastructure; and also to participate in cybersecurity exercises; and put in place measures to prevent, manage and respond to threats and incidents; investigation and prevention of serious cybersecurity incidents. It sounds extremely onerous.
To meet these requirements for cybersecurity, one constraint that we all must recognise is that of the availability of skills and knowledgeable cybersecurity specialists. There has been a lot of discussion on costs. The reason for that high cost that everyone is envisaging is because of this lack of skills or the need to build this base of deep skills. With the growing demand for cybersecurity skills, building this talent base ‒ we all have to recognise ‒ will take time.
Clause 5 (l) of the Bill outlines the duties and functions of the Commissioner to promote, develop, maintain and improve competencies and professional standards of persons working in the field of cybersecurity. Can the Minister share the plans to build this talent base and what is being done to ensure that we have sufficient cybersecurity skills and capabilities in Singapore to meet the current and, more importantly, future demands?
The Bill also recognises that for cybersecurity to be effective, it must start at the top, with owners or leaders of the critical information infrastructures. Building cybersecurity awareness and culture across an organisation requires a strong tone from the top. So, it is interesting to see Part 3 of the Bill clearly outlining the accountability of owners of critical information infrastructures. Failure of owners to comply with the regulations carries with it heavy penalties, including imprisonment for a term not exceeding two years. Clause 7(8) puts the same emphasis on critical information infrastructure owned by the Government, stating that when the critical information infrastructure is owned and operated by the Government, the Permanent Secretary allocated to the Ministry who has the responsibility for the critical information infrastructure is treated as the owner. This sends a strong message that leaders own and are accountable for cybersecurity in the organisation. This will keep cybersecurity top of mind in the organisation.
Compliance is necessary but not sufficient. Building resilience is at the core and spirit of this Bill. To achieve cybersecurity, we must not only ensure compliance but, more importantly, an understanding of a mindset change of all stakeholders of Singapore’s critical information infrastructure. While measures are put in place for compliance, people are one of our weakest links. Employees must understand the impact of their actions on cybersecurity. With the increasing sophistication and social engineering, targeted phishing emails are not as easily detected. It is becoming more difficult to tell a malicious email from a legitimate email. Hence, cybersecurity awareness and keeping cybersecurity top of mind are key. Apart from cybersecurity professionals, training and building resilience of all employees and users of critical information infrastructure is as essential. This is not a trivial task and organisations will need support to achieve this. Can the Minister share what will be done to support organisations in this aspect?
We must also recognise that it is not a matter of “if” but “when” there will be a breach. In fact, statistics and information tell us that many oganisations that have been breached take about 12 months on average to actually discover that they are breached. Organisations must have processes and tools to detect cyber threats or incidences. Most importantly, organisations must have in place processes to take action to recover and minimise the potential impact of the breach.
As Singapore strives to be a Smart Nation, cybersecurity is critical. Ensuring cybersecurity and resilience of our critical information infrastructure will require a strong partnership amongst stakeholders in the eco-system. To effectively fight cyber threats, organisations and the Government must work together as no one has all the knowledge or resources to do it alone.
For a start, there must be a two-way information sharing and feedback. By sharing plans on how data collected or submitted to the Commissioner will be used and how it will be used, will enable owners of critical information infrastructure to better understand how the data they submit are used. This will help build trust amongst stakeholders to share and, more importantly, work together to combat cyber threats. The cybersecurity journey has started and is one that we have to continually work on to protect our essential services. Mr Speaker, Sir, I support the Bill.
Mr Saktiandi Supaat (Bishan-Toa Payoh): Mr Speaker, Sir, in this era of digitalisation and connectedness, cutting back on cyber solutions is not the answer for institutions and companies. With our dependence on the digital world, we can only expect the exposure to cyber threats to increase. It is crucial that our Smart Nation aspirations must go hand in hand with resilient cybersecurity systems. This makes the Cybersecurity Bill an essential move forward.
Certainly, investments in cybersecurity could lead to rising business costs. For SMEs already struggling to stay afloat, this will create additional financial stress. With more cross-company collaboration and outsourcing occurring these days, it is crucial that this becomes a nation-wide effort. It would be just like how suppliers for the banking industry would have to adhere to the Banking Secrecy Act. Data sharing and exchange will be compromised if even just one organisation is careless with their approach on data security. Resultantly, some companies may then pass down the cost of cybersecurity measures to the consumers.
Cybersecurity is often likened to insurance, and similarly scorned for the same reasons. Its necessity is often overlooked until a crisis happens. Yet, according to the Cost of Data Breach Study 2017 by the Ponemon Institute, a US-based organisation that conducts independent research on privacy, data protection and information security policy, the average cost for each lost or stolen record containing sensitive and confidential information for 419 companies which took part in the survey was approximately US$3.62 million. This would be largely attributed to loss of reputation and potential business, remedial measures, as well as lawsuits.
Ultimately, having a sound cybersecurity system in place would be more cost-effective in the long run. But some businesses may not realise this. Moreover, as cybersecurity is still unfamiliar territory, some companies may under-invest or over-invest in the wrong systems. I have heard from business operators who think they are adequately covered with an anti-virus software, for example. I hope the Government can look into the estimated costs that will be incurred in cybersecurity investments, and consider financial incentives to alleviate the financial burden of implementing enhanced cybersecurity measures. Awareness and education would also go a long way in helping organisations make informed decisions.
I wish to also express my concern that the incident reporting and investigation requirements on CII owners under the Bill could be too onerous, especially when they are potential victims of cyber-attacks. This could mean plenty of administrative work back and forth, when the time, effort and other resources may be better spent on constantly shoring up cybersecurity defences instead. Perhaps, for high-risk CIIs, the Commission could work more closely with the owners to improve prevention measures.
I also note that with the decision to simplify the licensing framework, the Bill will do away with the licensing of individual cybersecurity professionals. At this point, only penetration testing and managed security operations centre (SOC) monitoring service providers will require licensing. With the gig economy blooming, there will be no doubt cybersecurity professionals who provide their services as freelancers will increase. Cybersecurity professionals deal with sensitive information in large quantities. So, is there a need for this be better-regulated? Is it not vital to ensure that they are adequately skilled and possess the right disposition to provide services of such delicate nature?
On the topic of handling sensitive information, some hold reservations that the authorities, while conducting their investigations, would intrude on personal privacy. Are there safeguards in place for the broad investigation powers to ensure that there is no misuse of authority, whether unintentional or not? Can the public be assured that their information is in safe hands?
Mr Speaker, this is a comprehensive Bill that adequately covers many areas concerning cybersecurity. Meanwhile, we also have the Computer Misuse Act (CMA), formerly the Computer Misuse and Cybersecurity Act, as well as existing legislations like the Banking Secrecy Act which also address cybersecurity and data protection issues. Are there overlapping policies, and how would the new Bill interact and complement with the existing legislations that we have now? Enhancing our cybersecurity defences is the next logical move in the face of an increasingly digitalised society. I support the Bill.
Mr Desmond Choo (Tampines): Mr. Speaker, cyber-attacks are almost commonplace in recent years. In fact, in May 2017, billionaire businessman Warren Buffet said to his investors that cybersecurity could be the number one problem for mankind.
The numbers confirm this. In the first six months of 2017, globally, there were more than 900 data breaches in the first six months of last year. Analysts say that the damage caused by cybercrimes globally could hit US$6 trillion annually by 2021. No country has been spared. Singapore has been targeted by cybercriminals. We must put in place laws to safeguard our critical cyber systems and infrastructure.
I have three points of concern, namely on costs, processes and manpower needs.
In meeting the requirements, critical information infrastructure (CII) sectors will have to impose more stringent requirements on their systems or require their vendors to do so. This will inevitably lead to higher costs, as pointed out by Members of this House. In the Report on the Consultation Outcome paper released by MCI, it was stated that MCI will not be providing grants to offset the costs of audits and risk assessments because they are regulatory requirements. However, it will work with the sectors to streamline requirements so that they can minimise compliance costs incurred because of the Bill. May I ask, what is the estimated compliance costs involved for the various sectors? For sectors that face greater complications in meeting the requirements, are there existing schemes that they can tap on for this purpose? What is the timeline for the implementation of these compliance measures? Companies might not only need time to ramp up their compliance capabilities but also need technical guidance from MCI.
My next point is on processes. While we must not compromise on security, we must ensure that the reporting processes are not unnecessarily onerous. Companies and their staff already face substantial reporting requirements to other Government bodies. We must seek to rationalise compliance for ease of operations without compromising on security.
While a strong Cyber Security Agency (CSA) is necessary for our cyber security, it must not also intrude upon privacy unnecessarily. The Ministry has assured that there are safeguards in place. And it will adopt a calibrated approach depending on the severity of attacks. Can the Ministry also share more if it will adopt a tiered or classification system that would spell out the scope or limits of investigation depending on the level of severity of the incident or attacks? For example, the security agencies have used threat-level systems to decide on the intensity of preparation and fortification that needs to be done. Could a similar system be put in place so that stakeholders and parties involved will have a clearer picture of what is required of them, should a cyber-attack or breach of systems happen? And more importantly, the requirements needed of them during peace-time as it affects business costs and manpower requirements.
Mr Speaker, Sir, I would also like to know if the cybersecurity manpower is sufficient to achieve the aims of this Bill. While our IHLs have been training more students and MOM has introduced Professional Conversion Programmes (PCP) for the IT sector, and they have been in place for some time now, would the supply be sufficient? How can the Ministry work with MOE, MOM and even NTUC to ensure that there will be sufficient manpower to meet our future needs?
On a separate but related matter, in 2017, data security firm Check Point Software Technologies ranked Singapore as the world's top spot to launch global cyber-attacks from. While the attacks may originate somewhere, being a technology hub in Southeast Asia means that we have a high amount of Internet traffic from other countries going through us. We are a hub with high inter-trade and data connectivity. It is inevitable that some attacks will originate from Singapore and other similar hubs. Yet, it is also our global responsibility to stop attacks where possible. It is also an opportunity to provide a trusted gateway for countries and businesses. It establishes Singapore as a secure business node. We must not stop at exploring and developing ways for us to be used as a gateway for global cybersecurity.
In spite of the concerns, this Bill puts us in the right direction in hardening our systems for both current and future security needs. With this, I support this Bill.
Dr Intan Azura Mokhtar (Ang Mo Kio): Thank you, Mr Speaker, Sir for the opportunity to speak on this Bill. I support the Bill, which is an important one that will eventually help strengthen our laws on cybersecurity and related threats.
With our Smart Nation initiative and Government-wide move towards digital transformation of our processes, procedures and data management approaches, cybersecurity inadvertently becomes a concern that needs immediate address. While a lot are in this Cybersecurity Bill, there are, however, several concerns that I have in the implementation of this Bill that is to be enacted.
First, the cybersecurity services providers and licensees. How does the Government plan to ensure the integrity and reliability of these companies? Are their track records studied, and are the employees all screened? How sure can the Government be in ensuring security and privacy of matters, pertaining to the Government, with these third party cybersecurity services providers and licensees having access to such privileged and information?
Second, we know that cyber hackers and attackers are always, at least, two steps ahead. While I appreciate the focus of the Bill to put in place, a penetration testing service to search for vulnerabilities and compromises in the computing system of our public sector and civil service outfits, how do we stay ahead of the curve and stay relevant and secure? How do cybersecurity services providers and licensees ensure that the personnel who are helping them to search for this vulnerabilities and compromises, are up to speed with what potential cyber hackers or attackers are or will be doing?
Third, while this Bill aims to address the various measures and counter-measures to prevent, manage and respond to cybersecurity threats and incidents that may afflict our public sector and civil service, it must be accompanied by non-legislative approaches as well. Sustained efforts to ensure awareness in cybersecurity training of a public and civil service officers, so that they are able to recognise potential and actual cybersecurity threats, need to be carried out as well. In fact, this approach has to be nationwide, even to users of public services such as students and the general public.
Public education to increase awareness and identification of potential and actual cybersecurity threats must also be done to support the provisions of this Bill. Public and civil service officers as well as students in our public education institutions, need to understand and recognise when certain emails, hyperlinks or even mobile applications could risk the integrity and compromises the safety of connected computing systems in our various public offices, institutions or schools. Our cybersecurity public awareness programmes, must continue and be further enhanced. In addition, to what extent is data shared among our public sector officers, currently, in designing and implementing better policies or programmes for the public? And with this new cybersecurity legislation, how will that sharing of data and information be impacted? Notwithstanding my concerns above, I support this Bill, Mr Speaker.
Mr Louis Ng Kok Kwang (Nee Soon): Sir, I rise in support of this Bill. Singapore runs on computers. Everything from our transport system and fire departments, to our hospitals and military, relies on the availability of sustained access to computer systems and networks.
This also means that a successful cyber-attack on our Critical Information Infrastructure (CII) would not simply pose a threat to our way of life but could seriously endanger our national security. Therefore, I applaud MCI and CSA's efforts to develop the resilience needed to ensure that when we are attacked, we will stay strong.
I have seen how technology, used in the right way, has uplifted people. Ride-sharing and food delivery applications have given many people a new outlet for income, and entrepreneurs have embraced e-commerce to expand their market. Technology has helped many to climb the socio-economic ladder.
Ensuring our CII's are resilient to a large-scale cyber-attack is important. But there is more to who we are as a country than just 11 critical sectors. Small businesses must be resilient to hacks and learn how to maintain business operations, but regular Singaporeans should also be armed with tools to stay safe online.
A 2015 survey published by IT Security firm ESET notes that although 76% of Singaporeans know of some precautions to take when going online, only 44% actually do anything about it.
So, how can we help our SMEs, our Instagram influencers and first-time e-retailers stay safe and be able to continue their business operations when they are hacked? How can we help the older generation, the aunties and uncles, to learn the best practices of using the Internet, so they can avoid becoming victims of cybercrimes?
The risks that regular people face online are increasing. As many have mentioned, last year thousands were affected when WannaCry ransomware hit our shores. But the threat can come from within Singapore too. Singapore hosts 1.6% of all the malware in the world, which is an astronomical amount considering that our island holds only a very small fraction of the world's population. The very fact that we are a connected and smart country means that we are more at-risk to cyber-attacks.
An idea to start with is with our young ones. The UK, for example, has set aside 20 million pounds to fund CCA clubs in schools that focus on cybersecurity training. This not only teaches children how to be good online citizens, but it also creates a pipeline of future cybersecurity specialists. Would MCI and CSA consider working with MOE on this?
Another possibility would be to provide grants to SMEs to beef up their cybersecurity awareness. Many businessmen may be unaware that being hacked could ruin their company. A recent survey conducted by QBE insurance found that only 23% of all surveyed SMEs are concerned about security of sensitive data while 35% of smaller SMEs have no cyber protection at all.
Smaller companies do not have large IT footprints but will face serious operational risks if their systems were down. Precision engineering firms would not be able to continue to manufacture if they were attacked by ransomware. Others would lose customers if customer data was to be hacked. Would MCI and CSA work with SPRING or NTUC to help SMEs and start-ups pay for anti-virus software or hire consultants for cybersecurity reviews?
Next, we can explore ways to do more for our most vulnerable residents – the older generation. I have residents that are 90-year-old grandparents who check their email and WhatsApp constantly. To them, technology is no longer just a novelty, but an integral part of daily life. Unfortunately, these residents are the most vulnerable to hacking. Would CSA work with People's Association (PA) to develop programmes to teach the fundamentals of cybersecurity?
Finally, I would like to ask MCI whether there are plans to amend the Bill to require all hacked companies to report breaches. This would give CSA greater visibility on the types of hacks that are happening in Singapore. Rather than waiting for a CII to be attacked, CSA might be able to identify trends and take preventative measures.
This will also prevent incidents from going unreported. For example, like the Equifax breach in the US, which resulted in the sensitive data of 145 million citizens being stolen, or Uber paying off hackers who had stolen customer information. After all, every day that a breach goes unreported is another day that people are at risk of identity theft, or credit theft.
Sir, in conclusion, I stand in support of the Bill. Anything we can do to improve our national's resilience to outside threats is a positive step. But let us not forget that thousands of SMEs and millions of Singaporeans still do not know how to stay safe in cyberspace. We will never be truly resilient, unless all of us, collectively as Singaporeans, can effectively mitigate the risks of being online.
Mr Patrick Tay Teck Guan (West Coast): Mr Speaker, in 2017, Singapore came in as the top launchpad for global cyber-attacks in cyber security firm Check Point's Threat Map, ahead of China, Russia and the United States. According to the Check Point report, Singapore was likely used as a gateway for attacks based elsewhere.
In another study by CyberInt, a cybersecurity threat monitor, Singapore ranked as the fifth-biggest global target for phishing attacks, after the United States, Britain, the Philippines and Russia. In recent years, we have also witnessed a surge in spates of cyber incidents on a global scale, some of which have hit home.
As Singapore develops into a highly-interconnected Smart Nation, we will become an increasingly attractive target for cyber criminals. As more aspects of our lives go digital, fallout from such attacks will become even more extensive; breakdowns in provision of essential services could result in loss of property, sensitive data and even lives, not only on a national scale but on a global scale.
It is therefore timely that we put in place robust regulatory infrastructure to govern cybersecurity matters in Singapore and maintain high cybersecurity standards to protect critical systems and data.
While I am supportive of the Bill, I do have some questions and suggestions which I would like to raise. I classify them into what I call the 5Cs: (1) Classification, (2) Compliance Costs, (3) Compromises and Concerns, (4) Continuing Education and (5) Contingency Planning.
First, is there a mechanism in place to allow organisations to check with the Cyber Security Agency of Singapore (CSA) if they are classified to be an owner of a critical information infrastructure (CII)? Having such a mechanism would allow organisations to definitively determine if they are a CII so that they can better plan for their operational costs and resource requirements in order to comply with the requirements of CIIs under the Bill.
Second, for organisations which have been notified that they are a CII, are there any support programmes in place which they can tap on to tide them through the implementation of processes and infrastructure to enable compliance with the requirements of CIIs under the Bill.
By the same token, are there any measures in place to ensure that the cost of compliance as CIIs do not trickle down extensively to the consumer?
Third, the CSA is given broad investigative powers under the Bill. These powers should be exercised with care to ensure that innovation is not curtailed. As part of its educational outreach in the National Trades Union Congress’ U Associate’s network, ISOC.SG (The Internet Society, Singapore Chapter) collected feedback from stakeholders on this Bill. ISOC.SG found that the general thrust of the Bill was widely accepted although there was concern that overly broad investigative powers would curtail innovation and the technology industry. A balance, without compromising cybersecurity must be found.
An example is allowing investigation and removal of anything, servers and data included, at any time. Although powers are used to combat security threats, too much data could be taken or disruptive actions could result if powers are poorly exercised. With possible implications on our status/efforts to become a data hub, the reasonable use of powers, perhaps with a chance to challenge a decision, makes sense. As a general point, overly broad powers usually affect innovation because of fear and less risk-taking.
Fourth, with this Bill and our Industry Transformation efforts across several sectors, I look forward to more job opportunities for those with cybersecurity skills. This will avail new entrants as well as those already within the profession to upgrade and keep abreast with the latest developments. Although there were reservations by practitioners during the public consultation to license practitioners in this field, I submit that it is still good to align and benchmark the skills and competencies of cybersecurity professionals locally and with global accreditations and provide more platforms for continuing education and professional development to ensure they stay relevant and current within the practice of cybersecurity. To this end, the Labour Movement hopes to partner with the various associations in this sector and the cybersecurity professionals in this journey to provide continuous learning, growth and career progression opportunities.
Fifth, recognising that cybersecurity is everyone’s responsibility, are there plans to ensure that the wider community, our enterprises and individuals, are prepared for cyber contingencies and know what to do to prevent one, or, when faced with one, what to do to mitigate its impact?
NTUC and ISOC.SG are supportive of continuing efforts (as every Singaporean is online to some degree and a stakeholder in the security of the Internet) to avail users to tools and resources and building cybersecurity awareness to help enhance cybersecurity and build trust online. By inculcating that cybersecurity DNA into all Singaporeans, we will also create a world-class future-ready workforce that can differentiate itself to employers.
For example, enterprises. In the recent Petya ransomware attack in mid-2017, a number of companies under the global marketing services group WPP were affected by Petya. Singapore employees of a company under WPP were reported to be scrambling to follow instructions on how to deal with Petya after the attack. They were told to log off from the office wifi network or servers, and made arrangements to work remotely. Some worked from home using their personal computers, while other teams met in public spaces such as cafes. Are our enterprises equipped to take steps to prevent cyber incidents from occurring? Are there response and business continuity plans in place which they can implement if they are subject to a cyber-attack?
Next, individuals. To raise our people’s awareness of cybersecurity, will there be a pervasive rollout of cybersecurity messaging and e-learning to individuals so that they are equipped with the requisite knowledge and skills to prevent cyber incidents and know what to do when faced with one, as has been done for SG Secure? Are there plans to develop cybersecurity tools that all individuals can use to safeguard their devices against cyber-attacks? There could be publicly available online quizzes to understand cybersecurity and prevention tips.
These tools could perhaps be developed by trainees undergoing training to be cybersecurity professionals who are placed with cybersecurity enterprises or start-ups in the business of developing these tools. We can even provide free-to-use anti-virus software available for all households to utilise especially since we are moving towards a Smart Nation and we are all so virtually connected.
Mr Speaker, just a short one in Chinese:
(In Mandarin): [Please refer to Vernacular Speeches.] I support this Bill but I would like to raise three points here.
First, I am worried about the additional compliance cost. Are there any grants to help SMEs cope with this extra cost? I am also concerned that the cost will be passed on to the consumers.
Second, will the new Act curtail innovation from the companies?
Third, as the cybersecurity scene changes every day, individuals and companies must upgrade and keep abreast with the latest developments. Hence, I hope that the industry can develop a continuing education framework.
Cybersecurity is the responsibility of every individual. Therefore, I urge the Government, companies and the citizens to stay alert and be prepared.
Ms Sun Xueling (Pasir Ris-Punggol): Mr Speaker, the Cybersecurity Bill sets out a comprehensive framework to protect our Critical Information Infrastructures (CIIs) and points out the areas where Government agencies can work with CII owners to fortify our systems.
Given the pivotal role that CII owners play, I would like to understand how the essential services and CIIs are identified, together with their owners. In instances where business operations are international and computer systems are housed outside Singapore, how would CII owners be identified and held accountable for their cybersecurity responsibilities?
The Bill sets out requirements for CII owners to establish mechanisms and processes to detect any cybersecurity threats. It is heartening to note that MCI and CSA have been forthcoming and open to suggestions.
I would like to enquire, given the range of cyber threats, to what extent would it be possible to expect CII owners to guard against every imaginable threat?
The Bill would likely bring about increased compliance costs, as well as organisational change to businesses. Has there been an assessment on the costs businesses would incur from the implementation of the Cybersecurity Bill? Would there be adequate time given to them for them to comply? And when there are cyber-attacks, how do we balance the need for incident reporting and investigation requirements when CIIs may be putting efforts simultaneously to restore services targeted by cyber-attacks?
I think standards or codes of practice issued or approved under the Bill should be aligned with globally compatible policies and benchmarks to help CII owners as much as possible. Given rapid developments globally to tackle cyber threats, how would the Bill take into account global developments and evolving standards?
The Bill is bold as it covers both the public and private sectors, recognising that cyber criminals do not distinguish between such boundaries.
However, concerns about the extent of powers a proposed Cybersecurity Bill would give the Government has emerged underscoring the ever-present tension between security and protection of privacy.
For example, the Bill empowers the Commissioner of Cybersecurity to require any person to surrender pertinent information regarding a suspected cyber-attack. At the same time, various laws prevent the disclosure of personal information. Banks, for example, owe their customers a duty of confidentiality under the Banking Act. Similarly, organisations cannot use or disclose personal data without individuals’ consent under the Personal Data Protection Act (PDPA). Is there scope then for the Bill to better address the intent of the Bill with existing prohibitions on disclosure? Lastly, how would the Cybersecurity Bill interact with existing legislation that may already cover cybersecurity requirements?
Digital technologies are transforming our daily lives. They offer many new and exciting opportunities but, at the same time, present several challenges, including increasing our vulnerability to cyber-attacks. The Cybersecurity Bill would help fortify our systems against cyber-attacks and, notwithstanding my clarifications, is definitely a step in the right direction.
Mr Speaker, in Chinese, please.
(In Mandarin): [Please refer to Vernacular Speeches.] Cyber security cannot be taken for granted. Cyber-attacks are becoming more sophisticated and can cripple our critical information infrastructures (CII). This can have serious repercussions for our nation’s ability to function and deliver essential services to our citizens.
The Bill sets out the responsibilities of critical information infrastructure owners. CII owners have to be identified correctly and their responsibilities accordingly scoped so that they face the right impetus to invest in cybersecurity for the sake of the nation.
There will be conflict between the need to uphold cybersecurity and the need to protect the privacy of information, but we should not shy away from exploring where the boundaries are and find the right balance.
Assoc Prof Dr Yaacob Ibrahim: Mr Speaker, the hon Members have raised valid concerns and good suggestions on the Cybersecurity Bill. Let me address each area in detail.
Some Members, Mr Zaqy Mohamad, Mr Pritam Singh and Ms Sun Xueling, asked how the Bill will apply to systems that are providing essential services but located overseas. The Bill allows the Commissioner to designate as CII, computers and computer systems necessary for the continuous delivery of essential services in Singapore. Overall, a significant majority of such systems are based wholly or partly in Singapore. Owners of CII that are partly located in Singapore will still have to comply with their obligations under the Bill.
Given Singapore’s interconnectivity, it is inevitable that some computer systems serving important functions in Singapore are connected globally and may also be located wholly outside Singapore. These computer systems could also be operated by international organisations based abroad.
While Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems in question, we cannot control such systems by designating them as CII under the Bill as they are outside our jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes.
To facilitate investigations of cybersecurity threats and incidents that may originate overseas, the Government has made significant efforts to develop strong international partnerships and linkages with overseas Computer Emergency Response Teams (CERTs). CSA will work closely with its foreign counterparts for such investigations.
Ms Joan Peirera and Mr Melvin Yong asked if the cybersecurity of CII would be affected, if their owners choose not to impose requirements on their vendors or if such vendors were not regulated.
CSA will work with the sector regulators and CII owners to define the boundaries of the systems that will be designated as CII, on a case-by-case basis. CII owners are ultimately responsible for the cybersecurity of their respective CII. Many engage third-party vendors to support their CII. In deciding which vendors to engage and what conditions to impose on their vendors, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the Bill are complied with.
CII owners will be required under the Bill to conduct regular cybersecurity audits to ensure that their obligations are met. This provides an added layer of assurance that the CII would be in compliance with cybersecurity codes of practice and standards of performance, as required under the Bill.
Ms Thanaletchimi suggested establishing an accredited framework for a national cybersecurity audit for CII stakeholders. Sir, audit is an important aspect of good corporate governance. There are already multiple layers of IT audit regimes established within the 11 sectors. We are mindful that another layer of national cybersecurity audit could potentially result in CII stakeholders experiencing audit fatigue. For now, CSA plans to tap on existing sector audit regimes to ensure that the security measures are effective in protecting the CII. To ensure an acceptable standard of practice, CSA will provide audit guidance to auditors and track the audit outcomes.
Mr Darryl David asked how CII and essential services are determined, while Assoc Prof Daniel Goh suggested that higher education and research institutions be considered essential services.
In arriving at the list of essential services in the First Schedule, we took reference from section 15A of the Computer Misuse and Cybersecurity Act (CMCA). We also studied the definition of "essential services" in other jurisdictions, before identifying a total of 11 sectors in Singapore delivering essential services. These sectors provide services that are essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
For each sector, CSA worked closely with the relevant sector regulator to identify the essential services within the sector, as well as the computers and computer systems that would be CII. CII are identified as computers and computer systems that are necessary for the continuous delivery of essential services, the loss or compromise of which would have a debilitating effect on the availability of the essential services in Singapore.
Higher education and research institutions are not considered essential services at this point in time. Nonetheless, we do not preclude that new essential services may arise in the future, and the Minister may amend the list of essential services in the First Schedule if necessary.
Mr Patrick Tay asked if there is a mechanism in place whereby organisations can check with CSA on whether they are CII owners.
There is no need for organisations to make self-assessments as to whether their computer or computer systems fulfil the criteria of a CII. Prior to designating a computer or computer system as a CII, CSA will consult its owner and the relevant sector regulator to identify whether it is responsible for the provision of any of the essential services listed in the First Schedule. Organisations whose computers or computer systems are designated as CII will be notified in writing.
CII owners will be given an opportunity to submit representations to the Commissioner if they disagree with the Commissioner's decision. They may also appeal to the Minister against the designation. However, the Minister's decision on an appeal will be final.
Sir, I would like to assure Members that the identification of CII is a considered and consultative process. MCI and CSA have already consulted with the sector regulators in identifying potential CII, and engaged the potential CII owners twice since July 2016. Hence, potential CII owners would already know who they are.
The process for identifying and designating new CII in the future will be similarly considered and consultative.
Some Members – Mr Zaqy Mohamad, Assoc Prof Daniel Goh, Mr Saktiandi Supaat and Ms Sun Xueling – asked whether the incident reporting and investigation requirements under the Bill could be too onerous for CII owners, especially when they are potential victims of cyber-attacks.
As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder.
Given the importance of CII to Singapore, it is necessary to provide for their proactive protection. For example, clause 14 requires CII owners to establish mechanisms and processes to detect cybersecurity threats and incidents in respect of the CII. CII owners are also required to promptly report to CSA, cybersecurity incidents in relation to their CII and any computer or computer system connected with the CII that are under their control. This will enable CSA to have better oversight of incidents happening across sectors, and to take the necessary actions.
There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII.
Under clauses 19 and 20, CII owners are required to cooperate with CSA during the investigation of cybersecurity threats and incidents. I will elaborate on CSA's exercise of investigation powers later in my speech.
Mr Pritam Singh asked about the incident reporting threshold for CII owners. All CII owners, regardless of whether they are local or foreign companies, will need to report to CSA cybersecurity incidents that occur on or that affect their CII. As mentioned earlier, reporting cybersecurity incidents in respect of CII is a requirement under clause 14, and any non-compliance without reasonable excuse will be an offence. The maximum penalty is $100,000 or two years' imprisonment or both.
A cybersecurity incident on a CII is defined as an act or activity carried out without lawful authority on or through the CII, that jeopardises or adversely affects its cybersecurity. As Mr Pritam Singh pointed out, details of what constitutes a prescribed incident and the form and manner of reporting will be set out in subsidiary legislation.
When exercising these powers, the Commissioner will be mindful that the owners of the computer systems in question are typically also victims. CSA will be providing further details to guide CII owners in incident reporting, such as relevant forms and guidelines.
On the other hand, Assoc Prof Daniel Goh and Mr Louis Ng called for mandatory reporting of all cybersecurity incidents to the CSA for more holistic protection of Singapore's cyberspace.
Making the reporting of cybersecurity incidents a requirement under the Bill will be both resource intensive for CSA as well as companies in Singapore especially our SMEs. Today, all companies, including owners of computer systems that are not CII, can already voluntarily report cybersecurity incidents to CSA through SingCERT. On top of this, the Bill will provide CSA with powers to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore, including computer systems that are not CII.
Ms Jessica Tan and Mr Patrick Tay asked whether there are programmes to help CII owners comply with their obligations under the Bill, while Ms Thanaletchimi suggested that staff of organisations that own CII attend cybersecurity awareness programmes. On the other hand, Ms Sun Xueling and Mr Desmond Choo asked about the time that CII owners will be given to implement cybersecurity measures.
To assist CII owners and their staff in getting ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialisation Programme for Sector Leads, also termed as CLIPS, to work with the CII sector regulators to prepare CII owners for their obligations under the Bill.
CLIPS will focus on establishing clarity on the roles and responsibilities between the sector regulators and the CII owners, and identifying and resolving any operational issue pertaining to the respective sectors. For example, these include harmonising policies, and streamlining audits and incident reporting processes.
The need to step up protection of CII is urgent, but where necessary, CSA will also give CII owners sufficient time to undertake preparations and planning, prior to issuing the cybersecurity codes of practice or standards of performance for each sector. Assistant Commissioners, also known as ACs, are senior officers appointed from the 11 CII sectors and will be able to advise the Commissioner on the necessary requirements, taking into consideration the unique contexts and complexities of their respective sectors.
Mr Zaqy Mohamad provided many useful suggestions to help CII owners meet their obligations under the Bill, including sharing best practices and benchmarks, and providing support for their R&D efforts. He also asked if the cybersecurity readiness of the CII owners will be benchmarked.
Today, CSA assesses the cybersecurity readiness of the CII sectors and shares this information with CII owners to help them improve the cybersecurity of their CII. We will consider Mr Zaqy Mohamad's other suggestions.
And I agree with Ms Thanaletchimi that we need to establish mechanisms to inform organisations if they are potential targets, and advise them on precautionary measures that they could take. CSA currently shares information on cybersecurity threats and vulnerabilities with the CII sectors so that appropriate actions can be taken promptly. The CERTs overseeing specific sectors also issue advisories to the operators in their respective sectors.
Several Members – Mr Pritam Singh, Mr Zaqy Mohamad, Mr Saktiandi Supaat, Ms Sun Xueling and Mr Desmond Choo – asked about the costs that CII owners and other businesses may have to incur in implementing cybersecurity measures, while Mr Patrick Tay asked whether there are any measures to ensure that compliance costs do not trickle down to consumers.
Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government. This includes resourcing national-level cybersecurity infrastructure and manpower, conducting regular cybersecurity exercises to validate cybersecurity incident management processes, and deploying National Cyber Incident Response Teams (NCIRT) to respond to cybersecurity incidents.
Today, many CII owners have already put in place cybersecurity measures arising from regulations in sectors such as banking and finance and infocomm. The Bill aims to strengthen the cybersecurity of CII in all sectors, including those that currently do not have any cybersecurity requirements. The requirements under the Bill have been carefully scoped and are considered not too onerous.
There will be cost implications for some CII owners who will have to strengthen the cybersecurity posture of their computer systems to meet the requirements of the Bill. To minimise regulatory costs, we will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Bill and in their respective sectors, wherever possible.
It is also in the interest of CII owners and their vendors to spend adequately on cybersecurity measures. They should consider not only the upfront cost of such measures, but also the cost of potential breaches, including the intangible costs arising from any damage to their reputation. If organisations follow security-by-design practices, they will spend less overall in the long-run to fix cybersecurity issues. As Mr Ganesh Rajaram mentioned, cybersecurity will actually help companies protect their bottom line.
Therefore, on balance, MCI and CSA will not provide funding to offset the costs of CII obligations which are regulatory requirements.
Ms Sun Xueling and Mr Saktiandi Supaat asked how the Cybersecurity Bill is intended to interact with existing legislation that have cybersecurity or data protection requirements. Mr Darryl David asked how the Bill will be administered in view of existing agencies with cybersecurity roles.
The Bill will apply concurrently with other laws and regulations enacted in Singapore, including existing sectoral laws. For example, in the event of a cybersecurity incident, the Telecommunications Act will continue to govern licensees under that Act for resulting telecommunications service disruptions, while the Personal Data Protection Act will continue to govern companies and individuals in the area of personal data breaches.
As mentioned earlier, there are already some laws and regulations in Singapore that deal with various aspects of cybersecurity such as in the banking and finance, and infocomm sectors. In certain cases, such sectoral requirements may be more stringent or wider in scope than those in the Cybersecurity Bill. The Assistant Commissioner from the sector will play a key role in ensuring that CII owners do not face conflicting requirements under the Cybersecurity Bill and in sectoral regulations. This will help minimise the regulatory burden on CII owners.
I wish to clarify that we are not establishing a new agency under the Bill – the Chief Executive of CSA will be appointed as the Commissioner, and he will be supported by CSA staff and the Assistant Commissioners (ACs) who are intended to be senior officers from the sector regulators. So, there will be no new agency. In many instances, the CII owners will interact with the ACs appointed from their sectors. For example, CII owners in the banking and finance sector will interact with an AC, who will be a senior officer appointed from MAS, for requirements under the Bill.
I want to highlight that information shared with CSA under the Cybersecurity Bill cannot be used for enforcement action against the CII owners under sectoral regulations.
Mr Zaqy Mohamad and Mr Saktiandi Supaat asked about the relationship between the Cybersecurity Bill and the Computer Misuse Act (CMA). Mr Darryl David asked how the Government would deal with individuals who hack into a website to spread falsehoods, while Mr Henry Kwek asked for a re-examination of the penalties for misuse of access to data especially if the perpetrators are cybersecurity professionals.
The Cybersecurity Bill and CMA are complementary, given that cybersecurity and cybercrime are closely related. The Cybersecurity Bill provides for investigation powers in clauses 19 and 20. These investigation powers apply only to the assessment of the impact of cybersecurity threats and incidents, and to the prevention of further harm and further incidents from arising. The investigation of cybercrimes and the prosecution of their perpetrators are different issues covered by the CMA. Hence, it is important that the Cybersecurity Bill and the CMA are kept separate.
The Bill provides for the protection of the CII in Singapore and ensures that CII owners maintain a necessary level of cyber safety awareness, protection and vigilance against cybersecurity threats and incidents. This will also make them less vulnerable to cybercrime.
The unauthorised use to or modification of computer material and the unauthorised use of computer service are cybercrimes which are offences under the CMA. The CMA is under the purview of MHA and the Police. Depending on the facts of the case, cybersecurity professionals who misuse their access to data may be prosecuted under the CMA. CSA, with the investigation powers under the Cybersecurity Bill, will work with MHA and the Police to better protect computer systems in Singapore, especially CII, against cybersecurity incidents.
However, neither the CMA nor this Bill is intended to address the threat of fake news.
Several Members − Mr Zaqy Mohamad, Mr Patrick Tay, Mr Desmond Choo, Ms Sun Xueling, Mr Darryl David, Mr Pritam Singh and Mr Saktiandi Supaat − asked about the broad investigation powers provided to the Commissioner by the Bill, including whether such powers would curtail innovation or intrude into personal privacy and how such powers would be used judiciously.
Sir, as mentioned in my opening speech, the investigation powers under Part 4 of the Bill are calibrated and there are limits to the investigation powers that can be exercised depending on the severity of the threat or incident. How an incident will be classified depends on the facts of the case at hand. To be clear, all organisations, regardless of whether they are local or foreign, are required to cooperate with CSA during the investigation of cybersecurity threats and incidents pertaining to computers or computer systems in Singapore.
We recognise the need to balance operational expediency with the proportionate and judicious exercise of power. Investigation officers cannot investigate and remove equipment "at any time".
For example, the Commissioner’s authorisation is required before cybersecurity officers and authorised officers can exercise more intrusive investigation powers under clause 20. There will be a governance process within CSA to ensure that the investigation powers are exercised responsibly and in accordance with the Bill. CSA will also consider providing guidelines to the public, to advise the owners of computer systems on what they should do during investigations of cybersecurity threats or incidents.
The Commissioner will determine the appropriate measures to take during investigations of cybersecurity threats and incidents, in consultation with the owner of the computer or computer system whenever possible. To address Asst Prof Mahdev Mohan's point, this will be the case regardless of the type of computer system or technology involved, including cloud services.
For example, the Commissioner may take possession of any computer or equipment to carry out further examination or analysis with the consent of the owner. However, if there is no consent from the owner, Clause 20(5) clearly sets out the conditions that must be met before the Commissioner can authorise the exercise of this power. The conditions are as follows: first, this is necessary for the purposes of the investigation; second, there is no less disruptive method of achieving the purpose of the investigation; and third, this can only be done after consultation with the owner, and having considered the importance of the computer to the business and operational needs of the owner, that the benefit of the action outweighs the detriment caused to the owner.
Prior to deploying more intrusive investigation tools such as network-scanning software which are necessary when responding to cybersecurity incidents, CSA will wherever possible notify the computer system owners and follow appropriate protocols.
Let me assure the House that the powers under the Bill are not intended to intrude into privacy. The measures and requirements are mainly technical, operational and procedural in nature. For example, CII owners may be required to implement network perimeter defence devices such as firewalls, or to perform regular vulnerability scanning of their systems to identify potential loopholes. These measures are non-intrusive with respect to personal privacy.
Sir, I would like to assure Members that any information required under the Bill to deal with cybersecurity threats or incidents will be primarily technical and not personal in nature. For example, to aid in the detection of cybersecurity threats, information such as network logs, indicators of compromise as well as system event and audit logs may be requested.
Furthermore, the Commissioner’s requests for information from CII owners are carefully scoped for specific purposes, such as information pertaining to the technical design and configuration of a CII. The Commissioner does not have direct or continuous access to the data of any CII owner.
As mentioned in my opening speech, the Bill protects information disclosed to CSA under the Bill by requiring persons who obtain it in the course of performing their functions or discharging their duties under the Bill to keep it confidential, and by specifying the circumstances under which it can be disclosed. Misuse of the information by the Commissioner or other specified officers will be a criminal offence.
With the exception of clause 23, the Bill does not require persons to disclose any information that is prohibited by any other law. The powers under clause 23, which are for emergency cybersecurity measures, are not new and were taken from section 15A of the CMCA.
We have also further scoped clause 23 to be tighter than the existing section 15A of the CMCA, to make clear that action can only be taken against serious and imminent threats and not just any cyber threat to the national security, essential services, defence or the foreign relations of Singapore. The Minister is constrained by the language of clause 23 when exercising his powers. His discretion is not unfettered.
Mr Christopher de Souza asked whether the Bill would cover less mainstream cybersecurity services such as white hat or ethical hackers, while Mr Melvin Yong asked if the Ministry could consider encouraging a local community of white hats.
On the other hand, Mr Saktiandi Supaat asked whether cybersecurity freelancers need to be regulated, while some Members − Mr Zaqy Mohamad and Ms Joan Peirera − spoke about the missed opportunity and risks of not regulating individual cybersecurity professionals.
Sir, it is clear from the debate that there are diverse views on the issue of licensing cybersecurity service providers and growing the cybersecurity ecosystem. On the one hand, there is a call for even individual professionals to be regulated, while on the other hand, some expressed concerns over potential cost implications for businesses.
As I had mentioned in my opening speech, for a start, the licensing framework is deliberately light-touch in view of the need to strike a good balance between industry development and cybersecurity needs.
Furthermore, given the global nature of the cybersecurity industry, we recognise there are currently practical challenges to require individual cybersecurity professionals to be licensed, especially for service providers who deploy employees from overseas to serve clients in Singapore.
Our focus is on more mainstream or mature cybersecurity services with the potential to cause significant impact on the overall cybersecurity landscape. We have identified two categories of services, penetration testing and managed security operations centre (SOC) monitoring, as licensable cybersecurity services, which are set out in the Second Schedule. Nonetheless, other cybersecurity services will still need to comply with other laws in Singapore, such as the CMA.
All providers of licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. However, we do not intend to require companies to be licensed for providing such services to their related companies.
Under the Bill, no person may engage in the business of providing any licensable cybersecurity service to other persons, except under and in accordance with a licence granted or renewed under clause 26. CSA will encourage consumers of such cybersecurity services to only procure services from licensed cybersecurity service providers by publishing a list of licensees online. Companies can also inform CSA of any unlicensed service providers.
The proposed licensing framework is intended to reduce the safety and security risks that cybersecurity service providers can pose. The service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Any applicant who is not fit and proper may be refused a licence under clause 26.
Similarly, a cybersecurity service provider’s licence may be revoked or suspended, if the service provider is no longer fit and proper, among other factors under clause 30. In addition, the service provider will be required to keep records on the cybersecurity services it has provided to its clients, including details of the employee providing the service, for not less than three years for accountability and traceability in the event of foul play.
Mr Henry Kwek also asked whether the Government could create a certification system that favours cybersecurity professionals who have a vested interest in Singapore.
CSA intends to work with the industry and professional association partners to establish voluntary accreditation and certification regimes for cybersecurity service providers and professionals, to raise the quality of cybersecurity services and further improve their standing. For example, in partnership with CSA and the Association of Information Security Professionals (AISP), CREST, a non-profit international organisation, established a Singapore chapter to introduce penetration testing certifications and accreditation in Singapore.
Given the nascent nature of our industry, we should remain open, and take reference from internationally recognised standards where possible. It would not be in our interest to favour only those professionals who have a vested interest in Singapore. Likewise, we would want our local cybersecurity professionals to be recognised in other markets, based on their professional expertise and experience.
The regulatory regime needs to strike a balance between security needs and the development of a vibrant cybersecurity ecosystem. This is the best balance that we can find at this point in time.
MCI and CSA will be engaging the industry in working out the implementation details for licensing, including licensing conditions for licensable cybersecurity service providers. We will also continue to take in feedback from the industry on the licensing regime as the cybersecurity ecosystem evolves.
Several Members − Mr Zaqy Mohamad, Ms Jessica Tan, Mr Henry Kwek, Mr Melvin Yong and Mr Desmond Choo − asked about the Government’s plans to grow and develop the pool of cybersecurity professionals.
I would like to assure Members that Singaporeans will continue to be an important part of our cybersecurity workforce. The Government is collaborating with the industry to grow the cybersecurity workforce in Singapore. For example, under the Cyber Security Associates and Technologists (CSAT) programme, CSA and IMDA partner the industry and Institutes of Higher Learning (IHLs) to attract new graduates and convert existing professionals from related fields to a career in cybersecurity.
Under CSA’s Cybersecurity Professional Scheme (CSPS), officers will be recruited and trained in areas such as cyber forensics and vulnerability assessment, before being deployed to public agencies overseeing CII sectors to assist companies in these sectors with their cybersecurity capabilities.
Assoc Prof Daniel Goh asked about the potential to build greater synergy in civilian and military cybersecurity capabilities.
Today, CSA already works closely with MINDEF on cybersecurity matters. For example, CSA can call on MINDEF for support when responding to cybersecurity incidents, as MINDEF is part of NCIRT. CSA and MINDEF also collaborate in areas such as the sharing of operational lessons and threat information, technology cooperation and participation in joint exercises such as Exercise CYBER KNIGHTS 2017.
Last year, MINDEF announced the establishment of a new Cyber Defence vocation. I understand that they are looking into better harnessing the cybersecurity skills of National Servicemen to defend our military networks and contribute to the national cybersecurity effort. CSA and MINDEF will continue to find more ways to cooperate in these areas.
I also agree with Mr Patrick Tay that we need to bring together various partners to assist cybersecurity professionals in areas such as continual learning and career development. We need to continually upgrade our cybersecurity defences and training as cyber-attacks are getting more sophisticated. CSA, through its Academy, is leading efforts to boost the skills of cybersecurity professionals working in the Government and CII sectors such as energy and healthcare. On this, Sir, I look forward to the labour movement’s support.
Ms Sun Xueling asked how the Bill would take into account global developments and evolving standards to tackle cybersecurity threats, while Mr Azmoon Ahmad spoke about the need to regularly review the regulatory framework given the fast changing internet landscape.
In formulating this Bill, we studied cybersecurity legislation which other countries have implemented or are considering. Our Bill has taken into consideration these international developments.
During the implementation of the Bill, we will take reference from internationally recognised standards when developing codes of practice and standards of performance for the different sectors.
We also recognise that the environment that we operate in may change with changes in the industry and technological trends. Therefore, we will need to keep abreast of international developments, and review and adjust our laws to address new and emerging issues moving forward.
Asst Prof Mahdev Mohan asked what MCI and CSA have done with respect to cybersecurity internationally and regionally.
CSA has been an active participant at international forums and discussions to develop international cyber norms, including at the United Nations. Bilaterally, we have signed MOUs with countries such as the US, the UK, France and Australia on cybersecurity cooperation and capability development. Regionally, we have launched the ASEAN Cyber Capacity Building Programme with ASEAN member states and Dialogue Partners to build cybersecurity capacity in the region. We will continue to pursue efforts on this front.
Several Members, Mr Patrick Tay, Mr Saktiandi Supaat, Mr Louis Ng, Ms Joan Peirera, Mr Melvin Yong and Mr Darryl David, asked whether there are plans to assist businesses including our SMEs and to educate the public on how to prevent and respond to cybersecurity threats and incidents.
Through the Cyber Security Awareness Alliance, CSA works closely with representatives from public and private sector organisations, and industry associations, to reach out to businesses including SMEs, and to promote awareness and adoption of cybersecurity practices. This is done through organising cybersecurity talks and conferences, and developing online cybersecurity resources, which are available on CSA’s GoSafeOnline website. CSA also publishes an annual Singapore Cyber Landscape report for public awareness.
In addition, SMEs can also tap on IMDA’s SMEs Go Digital programme to adopt cybersecurity solutions and seek technical advice on cybersecurity and other digital concerns from IMDA’s SME Digital Tech Hub.
Besides these initiatives, businesses and members of the public can also sign up for SingCERT’s advisories and alerts on cybersecurity threats and incidents. For example, when D-Link routers were found to have security vulnerabilities in September last year, SingCERT and the Info-communications Singapore Computer Emergency Response Team (ISG-CERT) under IMDA issued a joint advisory which contained information on the affected products and the steps that affected consumers should take.
CSA also collaborated with PDPC to develop a series of Student Activity Books to raise awareness of the importance of Cybersecurity and Personal Data Protection among our students. The Silver Infocomm Junctions, an initiative by IMDA, provides seniors with infocomm training, which includes cybersecurity. We will continue to work with partners in our efforts to raise cybersecurity awareness among the public.
Mr Zaqy Mohamad asked whether the Government could consider cybersecurity as another pillar of Total Defence.
CSA has been working with MINDEF to incorporate cybersecurity messages in each of the existing five pillars of Total Defence.
On this, I agree with Ms Jessica Tan that people are the weakest link, but also our strongest asset. If we each do our part to use our computer systems and devices responsibly, collectively we can help to protect Singapore’s cyberspace.
Sir, many of the issues raised by the Members are among those that we have considered, in developing a Cybersecurity Bill that takes into account the interests of the different stakeholders and Singapore’s needs. The Members of Parliament also raised questions that do not relate directly to the Bill, but rather to the larger cybersecurity ecosystem that we are developing. I understand their concerns and agree that these are important issues to address.
My Ministry will continue to work with stakeholders from the public and private sectors to ensure that our laws remain robust and relevant, and beyond this Bill, to raise the level of cybersecurity awareness and develop the cybersecurity ecosystem in Singapore. As Mr Ganesh Rajaram mentioned, cybersecurity is not just the Government’s responsibility. Everyone needs to play a role, including Members in this Chamber.
Members of the House will agree that it is an important legislation to protect our critical information infrastructure and safeguard our essential services from disruption by cyber-attacks. I hope that we can support the Bill.
Sir, lastly, I would like to take this opportunity to thank my colleagues from MCI and CSA for working on this landmark Bill. In particular, I would like to make special mention of Mr Chng Ho Kiat, Director of the Cybersecurity and Resilience Division in MCI, who passed away less than two weeks ago. In his time at MCI, Ho Kiat made significant contributions towards the strengthening of cybersecurity in Singapore – he played a pivotal role in developing the national cybersecurity strategy and this Bill. Thank you.