Cybersecurity Bill - the work starts now

It is important for the public and private sectors to work together, and to get everyone on board - from pre-schoolers to employees to organisations.

Excitement surrounds Singapore's journey to becoming a Smart Nation. Driverless cars, artificial intelligence, fintech and the Internet of Things (IoT) offer great promise for a brighter future.

But recent global incidents such as the WannaCry and Petya cyber attacks are stark reminders that opportunities do not come without risk. That is why nations need to be both smart and secure. It is against this backdrop that the Cyber Security Agency (CSA) and Ministry of Communications and Information launched the draft Cybersecurity Bill on July 10 for public consultation. It follows an announcement last October of a cyber security strategy that includes strengthening global partnerships and directing more funds to plug security gaps in critical information infrastructure (CII), such as those that run essential services like telecommunications, transport, healthcare, banking and energy.

The Bill is an integral and important step for Singapore's cyber defence game plan, and lays the foundation to be cyber secure.

It attempts to strike a balance between allowing the CSA to deal with the cyberthreats swiftly, flexibly and effectively, while not being overly intrusive.

This is a tough balancing act, but necessary to protect CII.

However, if Singapore is to be successful in dealing with the ever evolving and increasing threat landscape, it falls on each person on this island, whether as individuals, employees, business owners or public servants, to implement what the Bill sets out.

It is the next level of detail that will determine if Singapore as a whole is forward-looking or just reacting to threats. It is absolutely important for everyone to be forward-looking as there will be more unknowns and more powerful threats as the world becomes more connected and digitally enabled.


The Cyber Security Agency conducted the second run of Exercise Cyber Star last month to put Singapore's cyber-incident management and emergency response plans to the test. The Government launched the draft Cybersecurity Bill on July 10 for public consultation. ST PHOTO: NG SOR LUAN

Here are some relevant parts of the cyber security strategy launched last year which complements the proposed Bill:

INVOLVING PUBLIC AND PRIVATE SECTORS

The Bill confers power on CSA's chief as Commissioner of Cybersecurity to investigate threats and incidents to ensure that essential services here are not disrupted in the event of a cyber attack. However, while the Bill gives clear authority to the Commissioner, it is important for everyone from organisations down to individuals to do their part in order for Singapore to be successful in dealing with cyberthreats.

The cyber world is interconnected, and while the new Bill is a step in the right direction, it is not a silver bullet.

To use a sports analogy, the commissioner is the "coach" but if the players don't work together, coordinate or don't know the different defence plays, the strategy will never work. For example, information sharing, which is one of the most fundamental cyber defence strategies, is often an area which is very difficult to implement.

The commissioner needs to work with companies on the type of information to be shared, and how and when it is shared so that competitive advantage and confidentiality are not lost. On top of that, often the most difficult and time-consuming part of information sharing is how to build trust.

There are examples of effective public-private partnership models in Singapore and around the world. For example, in the financial services sector, the Monetary Authority of Singapore (MAS) has worked with it successfully in dealing with some of the issues being faced.

The MAS' Technology Risk Management Guidelines and Outsourced Service Providers Guidance are examples of how the public and private sector can come together to solve difficult and systemic issues facing the industry.

This has not only provided clarity to help stakeholders deal with current issues but has also set Singapore as the leader in the globally competitive financial services industry.

Other industries can learn from this successful example in implementing governance and guidance within their own industries.

DEVELOPING THE CYBER SECURITY INDUSTRY

The Government has taken a bold first step to consider licensing the cyber security industry. There is merit to this as it provides some level of assurance and quality on the industry practitioners.

It is important that this is implemented judiciously so that it does not prevent Singapore from getting the best practitioners to work here. To be best in class, cyber security experts must work with the best and see what the best looks like.

Singapore also needs to consider how this part of the regulation supports aspirations to promote cyber security as one of the growth industries as highlighted in the Committee on the Future Economy report.

In addition, the Government needs to consider how to enhance the standing of the cyber security professionals and look at how self-regulation can have a role to play. Other professionals like lawyers and accountants have done that and lessons can be learnt.

The Government should also bear in mind that traditionally the public sector has been slower than the private sector in responding to industry trends, especially in the case of the fast-moving cyber security sector.

It could also consider if and how licensing could apply to the IoT which would both enhance Singapore's cyber security global standing while supporting the Smart Nation agenda. This could potentially give Singapore an edge, given the fact that there is considerable room for improvement in the IoT risk management space globally.

THE HUMAN FACTOR

Even if the best technology, processes and policies are implemented, one important aspect that will determine success or failure is the people aspect. It is often the most vulnerable, but also the most powerful prevention against cyber security incidents.

Singapore will need a sustained and comprehensive cyber awareness strategy covering each segment of society, starting with children at pre-schools, reinforced at work and through to senior citizens. Kindergartens, schools, workplaces, businesses, governments and community centres all have a role to play in fostering cyber security awareness.

In addition, these campaigns would need to be focused, continuous and, most importantly, reinforcing to be effective.

The new Cybersecurity Bill puts Singapore in a good position to deal with threats and shows that Singapore is forward-looking and brave enough to tackle cyber security head on.

Cyber security risks are a clear and present danger. The potential for cyber attacks is the new reality.

A team is only as strong as its weakest player, and the coach and players must perform their role in developing a strong defence strategy. Now the hard work begins.

• The writer is financial crime and cyber leader, Asia-Pacific and Singapore, for PwC Singapore.

A version of this article appeared in the print edition of The Straits Times on August 03, 2017, with the headline 'Cybersecurity Bill - the work starts now'. Print Edition | Subscribe