Proposed Cyber Security Bill: Experts hail proposals but some concerned about cost

A proposed licensing framework for cyber-security vendors will help its member banks "make informed choices".
A proposed licensing framework for cyber-security vendors will help its member banks "make informed choices". ST PHOTO: KEVIN LIM

Security vendors, lawyers and operators of essential services laud steps taken by the Singapore Government to protect the continuity of essential services such as telecommunications, banking and healthcare with the release of a draft Cyber Security Bill yesterday.

Mr Bryce Boland, security system specialist FireEye's regional chief technology officer, said that the proposed legislation increases an organisation's accountability for protecting critical infrastructure information by making key individuals personally responsible.

Depending on the offences, the maximum penalty is a fine of $100,000 or a jail term of up to 10 years.

Lawyer Rajesh Sreenivasan, a technology and telecoms partner at Rajah & Tann, said the Bill rightfully recognises the responsibility of the asset owner as it might be futile to focus on going after cyber criminals alone.

"Many attackers are state-sponsored, with deep pockets, and many are not going to be caught. The best way to counter them is to take away their tools, which are essentially compromised IT systems," he said.

Welcoming the Bill, Association of Banks director Ong-Ang Ai Boon said the proposed legislation will push for cyber resilience across all critical sectors, which will benefit banks in Singapore.

 
 

A proposed licensing framework for cyber-security vendors, such as those providing white-hat hackers and managed security services, will help its member banks "make informed choices".

But some experts questioned if the cost of operation for businesses across all sectors would go up, and wondered if consumers would ultimately bear the cost. Technology lawyer Bryan Tan of Pinsent Masons MPillay asked: "Would this lead to a similar situation in the banking industry, where suppliers to the banks are invariably subject to the same rules as the banks?"

Lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, asked: "Will the cost be passed back to customers?" For instance, mobile telephony services are essential services under the Bill. This implies that mobile equipment, such as those in public carparks, has to be better protected, said Mr Leong.

The Bill is going through a public consultation that ends on Aug 3.

All three telcos - Singtel, StarHub and M1 - said they will respond to the Cyber Security Agency by the deadline. M1 and Singtel added that they will continue to work with the Government to facilitate investigations in the event of a cyber-security threat or incident.


5 things about the proposed cybersecurity bill 

CYBER SECURITY COMMISSIONER 

The Bill confers power on the Cyber Security Agency's (CSA) chief as Commissioner of Cyber Security to investigate threats and incidents to ensure that essential services in 11 critical sectors here are not disrupted in the event of a cyber attack. These sectors include telecoms, transport, healthcare, banking and energy.

Other officers, such as a Deputy Commissioner as well as Assistant Commissioners of Cyber Security, may also be appointed to carry out the commissioner's duties.

OVERARCHING BILL FOR ALL SECTORS

The Bill aims to harmonise the requirements to protect critical information infrastructure (CII) across the public and private sectors, mandating that organisations share information to facilitate the investigation of cyber-security threats or incidents undertaken by the CSA.

Banking and privacy rules that forbid the sharing of confidential information will be superseded by the Cyber Security Bill.

PROACTIVE MEASURES TO BE UNDERTAKEN BY CII OWNERS

CII owners must notify the commissioner if the CII suffers a cyber-security attack. The CSA's National Cyber Incident Response Framework requires notification "within hours".

They must also comply with directions issued by the commissioner, including providing access to premises, computers or information during investigations.

DESIGNATION OF CII 

The commissioner may identify and designate new systems as CII - an official secret under the Official Secrets Act - during times of national emergency.

LICENSING FRAMEWORK FOR CYBER-SECURITY VENDORS

Cyber-security service practitioners such as white-hat hackers must be licensed, just like how locksmiths are licensed in Singapore.

Managed security service operators must also apply for an operator licence.

A version of this article appeared in the print edition of The Straits Times on July 11, 2017, with the headline 'Experts hail Cyber Security Bill, but some voice cost concerns'. Print Edition | Subscribe