Industry leaders respond to Singapore’s new cybersecurity bill

Singapore’s Ministry of Communications and Information (MCI) and the Cyber Security Agency (CSA) recently proposed a Cybersecurity Bill, which is open for public feedback from 10 July to 3 August 2017.

The Bill has four objectives:

  1. To provide a framework for the regulation of critical information infrastructure (CII). This formalizes the duties of CII owners in ensuring the cybersecurity of their respective CIIs.
  2. To provide CSA with powers to manage and respond to cybersecurity threats and incidents. Section 15A of the current Computer Misuse and Cybersecurity Act (CMCA) provides some existing powers related to cybersecurity. These will be enhanced within the Cybersecurity Bill, and specific powers will be vested in CSA officers as sitting powers.
  3. To establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information.
  4. To establish a light-touch licensing framework for cybersecurity service providers.

The scope of the bill is extended to 11 key service sectors, both public and private, in Singapore: aviation, banking and finance, energy, government, healthcare, infocomm, land transport, maritime, media, security and emergency services, and water. It also supersedes any sector-specific regulation for information confidentiality.

Singapore’s response to today’s threat landscape

Industry experts believe that the proposed bill is a culmination of frustration stemming from the recent WannaCry and Petya ransomware attacks. According to A10 Networks, multi-vector distributed denial-of-service (DDoS) attacks today are a mounting threat to enterprise businesses, costing up to $1 million per day. If such an attack hits a country’s essential services, it has the potential to cripple basic infrastructure.

This is especially so for Singapore, given that it is a small city-state with a Smart Nation ideology. With businesses setting up their IT infrastructure in Singapore as their APAC hub, a major cyberattack in this highly connected landscape will significantly impact the nation’s economy.

“With recent cyberattacks on both MNCs and government websites, the need for a Cybersecurity Bill has never been more important. The cyberthreat landscape is evolving and…cybercrime laws must also keep up,” said Matthias Yeo, CTO for Asia at Symantec. “The proposed regulations will help the nation to prevent and mitigate cyber-incidents on critical infrastructure.”

Bill echoes regional sentiments on cybersecurity

Initiatives addressing cybersecurity concerns have been implemented, or are being implemented, in other regions as well.

“We have observed that many developed countries have also already implemented a similar framework for the regulation of CII owners and we believe that this is in line with international standards, and is the right direction for Singapore,” said Yeo.

According to Orange Business Services, European countries like France recently put into play similar legislation as part of the Loi de Programmation Militaire (LPM), a legal framework articulating long-term military programs and strategies. Singapore’s CSA has also signed a Memorandum of Understanding (MOU) with its French counterpart, the Agence nationale de la sécurité des systèmes d’information (ANSSI), and both agencies are collaborating in the battle against cyberattacks and cybercrime.

Good first step

Industry experts also agree that the Bill is an important first step in the right direction, signifying a shift in the emphasis that governments and enterprises are placing on digital threats. Nicolas Drogou, APAC security practice head at Orange Business Services, said: “The Bill acknowledges the fact that it is no longer a question of ‘if’, but ‘when’.”

As Singapore leverages technology on its journey to become a ‘Smart Nation’, it is increasingly vital to have a higher level of protection for CII. The bill helps regulate Singapore’s cybersecurity industry better in a top-down manner, explicitly spelling out how things should be done for both the Government and private companies.

One of the main challenges that the Bill can address once implemented is the lack of data and analysis in the event of cyberthreats and attacks. The sharing of information from affected individuals and enterprises will form an initial foundation for the CSA to build a more robust defense and future-proof the country’s security. It will also help empower organizations to ensure that security remains a top-of-mind concern and is ingrained into core business processes.

The reference framework proposed in the Bill will also help organizations in implementing security controls that can suitably handle current and future attack trends.

Room for improvement

Despite spanning 11 essential sectors in Singapore and reinforcing legal requirements across the public and private sector, the Bill does not cover a slew of smaller and non-critical industries such as retail and manufacturing, which may leave them with a misconception about the issues and challenges that they face.

“It is a great starting point,” said Simon Piff, vice president of security practice for APAC at IDC. “But it could go farther and make such reporting mandatory across all industries. It could encompass more than just those industries the Singapore government deems critical and could levy greater potential fines for non-compliance.”

Furthermore, there is consensus that, while the Bill is comprehensive in terms of putting in place the right structures to strengthen Singapore’s security posture, it needs to remain a dynamic process and evolve to reflect the changing nature of threats faced.

“The pace of technology enhancements added to the huge potential of combining big data analytics, machine learning and artificial intelligence all point towards a future where tomorrow’s concerns will be different from today’s,” said Drogou. “However, there are constant elements that will need consistent attention: data integrity, identity integrity, securing transactions whether they are financial or not, protecting key assets ranging from anything to medical or personal records to the electrical grid.”

Allan Leinwand, CTO of ServiceNow, suggests that private sector innovation from individual companies will likely outpace the common standards and raise the bar, which benefits both customers and the private sector.

“For this current Bill, we believe it is well thought through and it has considered the needs of various stakeholders,” said Lim Teng Sherng, vice president for security in Asia Pacific and Japan at CA Technologies. “The next steps will be for this Bill to be constantly evaluated, and continuously improved in order to be effective and relevant.”

Rights versus information disclosure

There will always be a delicate balance between data protection and the need for security; it’s a matter of rights versus information disclosure.

Individuals and enterprises that accept the use of digital resources available on public networks should equally be aware that fully embracing digital technology comes with risk, and that they are handing over pieces of their privacy and, consequently, the right to decide how their personal and corporate data is made accessible.

However, these risks can be mitigated. Education and awareness are essential in this space to ensure the reasonable use of information that could be tapped for multiple purposes (commercial, intelligence gathering and so on). It is also important to understand that such information disclosure is necessary in order to investigate criminal activities.

So long as CSA is receptive to feedback, it is expected that the larger interests of individuals and enterprises will remain protected.

Aside from technology and policies, the solution for cyberthreats has to include human behaviors and attitudes toward security. The recent spate of ransomware attacks exploited user apathy and ignorance about cybersecurity. “Perhaps it is also time to look at initiatives to increase our collective awareness about cyberthreats through social campaigns,” said Jonathan Tan, regional vice president for ASEAN and Pakistan at A10 Networks.

Concerns arising from the Cybersecurity Bill

Industry experts believe that the Cybersecurity Bill is just the tip of the iceberg. As we embark on the next Industrial Revolution powered by the digital wave, it seems reasonable to foresee that we are probably just at the beginning of what will be much larger security concerns.

Upcoming concerns include the Internet of Things (IoT), where more and more household appliances will be connected to the internet, raising security issues regarding these devices. Growing automation of industrial environments, for example, triggers significant challenges in securing production lines, while driverless cars and pilotless planes open a whole new scope in terms of the potential for hacking to overrun automated systems.

Data confidentiality will continue to remain at the forefront of discussion, especially in sectors that hold the personal information of citizens. There could also be compliance cost implications for organizations and individuals, as well as the time needed for vendors to get licensed. These need to be taken into consideration and proper resolutions must be in place so that there are sound benefits for all stakeholders.

“The ‘light-touch licensing regime’ for cybersecurity service providers including local and overseas players in the Singapore market will likely shake up the market dynamics,” said Cathy Huang, senior research manager for IDC’s APAC cloud and services research group. “It may cause a heated competition for cybersecurity talents, particularly around those investigative roles.”

Furthermore, depending on the particular CII set-up (e.g. layers of control), a potential issue for debate is whether there could be more than one “owner” of the CII.

“It can be a challenging task to regulate technology, and getting the definitions clear and CII requirements workable will be key. It will be important to see how the consultation process tests and clarifies the boundaries of the regulated IT systems as well as shapes the development of the regulations,” said Anne Petterd, Principal at Baker McKenzie Wong & Leow.

“Many of these details are to be set out in regulations, including how a CII is designated and specifics on the duties and responsibilities for CII owners. Other important matters to be addressed in the regulations include the criteria for notifiable significant cybersecurity incidents.”

A shared responsibility

Overall, experts concur that while the Cybersecurity Bill represents progress in strengthening Singapore’s cybersecurity posture, the challenge is that cybersecurity is not a level playing field and attackers behind the scenes will continue to identify gaps and loopholes to create more threats. The Bill is a solid first step, but it needs to be constantly improved in order to remain effective and relevant.

“The solutions organizations are using may not be enough, and currently the attackers truly have the upper hand. Government legislation, such as the new Cybersecurity Bill, will hopefully encourage businesses to re-examine their cybersecurity defenses, which in the end will benefit consumers and make the Internet a safer place,” said Brendon Mitchell, director at Neustar APAC.

Individuals and enterprises cannot expect to take on the threat landscape on their own. Both the government and industries need to work hand-in-hand to address the evolving threat landscape. To do this, there must be a concerted outreach to the community.

Said Stanimira Koleva, group vice president for APJ at Citrix: “Both the MCI and CSA have looked at today’s threat landscape with an eye on the future and chosen a unified approach, which is appropriate given that cybersecurity really is a shared responsibility and that everyone is on the frontline.”