Far-reaching Bill for cyber security 'not uncommon'

US, Europe, Japan, Australia, S. Korea have stringent reporting requirements: Experts

Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.

Concerns over the Cyber Security Agency (CSA) of Singapore's proposed far-reaching powers had surfaced during the consultation.

Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.

Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: "The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage."

The CSA's powers, like those of the police, are calibrated and strictly meant to keep the lights on for essential services, Mr Leong said.

In announcing on Monday its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure (CII) would no longer fall under the Official Secrets Act.

The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of CII, such as those in the banking, telecoms and energy sectors, report security breaches and attacks "within hours".

Similar mandatory data breach reporting requirements have been in place in the United States, Europe, Japan, Australia and South Korea for years.

Mr Shlomo Kramer, founder and chief executive of Israeli cyber-security start-up Cato Networks, said Singapore is playing "catch-up" with these nations in this respect.

"Such regulation will move the needle in a positive way and make organisations feel accountable," said Mr Kramer.

He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.

Checks and balances - which are included in the proposed Bill - prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.

Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore's cyber-security Bill could be compared to similar laws in the US and Britain, he added.

Said lawyer Koh Chia Ling from law firm OC Queen Street: "The general global trend is that countries are enacting such laws and Singapore is essentially doing the same."

Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said debates are ongoing in the US, just like they have taken place in Singapore, arising from an ever-growing tension between security and privacy.

Referring to preserving privacy in the US, he added: "All bets are off when it comes to fighting terror or a national security issue - no one will compromise."

Owners of CII said the Bill is necessary. A spokesman for telco Singtel said: "The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation."

An M1 spokesman said: "It is important that the powers under the Bill are exercised reasonably."

Such reporting requirements are not new to the banking sector.

Mr Patrick Chew, OCBC Bank's head of operational risk management, said: "Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber-security incidents."

A version of this article appeared in the print edition of The Straits Times on November 17, 2017, with the headline 'Far-reaching Bill for cyber security 'not uncommon''. Print Edition | Subscribe