The newly ratified Singapore Cybersecurity Bill is Singapore’s answer to securing critical information infrastructure (CII) providers, minimizing threats from malicious actors. But now that the bill has been signed into law, analysts and practitioners alike are raising concerns about the high costs and logistic challenges of enforcing it.
CII providers are defined as the owners of computer systems directly involved in providing essential services relating to national security, defense, foreign relations, the economy, public health, public safety, and public order. The Singapore Cybersecurity Bill requires them to do the following:
- Report cyber security incidents related to these critical infrastructure systems
- Adhere to best practices and exercises at the government’s request
- Conduct risk assessments and audits
What are the penalties for noncompliance?
Penalties for failing to comply with the Singapore Cybersecurity Bill can range from S$100,000 to 2 years served in prison. The newly appointed commissioner of cybersecurity has the authority to commandeer computer systems and CIIs to ensure the continuous delivery of essential services during a cyber security incident.
The commissioner’s office has the power to take, remove, or duplicate the contents of disk storage to assess the impact of a cyberthreat. This statute also has privacy implications—especially for CIIs operating on a global level. After all, global CII providers must also adhere to privacy regulations such as the General Data Protection Regulation (GDPR), which will take effect on May 25, 2018.
How can your firm work toward compliance?
The foundation of the Cybersecurity Bill involves software. So there are four recommended steps to handling security incidents as efficiently and effectively as possible:
- Shut down as many devices as possible. Meanwhile, assess the damage in coordination with the essential members of the computer security incident response team (CSIRT).
- Disclose the breach to users. CII owners must also disclose the situation to the authorities per the Cybersecurity Bill.
- Identify and resolve the security vulnerabilities that led to the breach.
- Prepare for future incidents by establishing an incident response strategy.
The bill also lays out a licensing framework to standardize operations such as penetration testing and managed security monitoring. Such security activities offer access to sensitive business and personally identifiable information (PII), which can lead to a great deal of damage if obtained by a malicious actor.
What are the implications for open source software?
As of 2015, 78% of companies were running at least in part on open source software (OSS). While OSS can make performing certain tasks easier and speed the development cycle, open source doesn’t necessarily equal secure software. Let’s take the Apache Struts vulnerability as an example. In this case, adoption of vulnerable components jeopardized commercial software in a number of cases.
If you’re implementing open source components into your firm’s software, ensure you’re adopting public domain–licensed code so that you retain the right to modify and use the software components without restriction. Permissive licenses, including BDS, Apache, and MIT, are also widely preferred for the same reason. However, GNU Lesser General Public Licenses (LGPLs) and proprietary licenses aren’t advisable for commercial development.
Build security in from the start
While the Singapore Cybersecurity Bill is mandatory for CII providers, it also offers valuable lessons for other organizations who are looking to improve operations in this connected, digital ecosystem. Great software goes beyond great features—it’s secure software by design. While there is a continued need to test software to ensure functionalities and security measures are optimal, developer enablement is also a critical piece of the puzzle.
Be responsive, design security into your software, and take advantage of the resources at your disposal as you scale and continue to produce highly valuable software.
Olli Jarva is Managing Consultant – Application Security at Synopsys Singapore