5 key proposals from Singapore's new Cyber Security Bill

Proactive measures, spelt out for the first time, seek to minimise disruption to essential service when such attacks happen.
Proactive measures, spelt out for the first time, seek to minimise disruption to essential service when such attacks happen. PHOTO: REUTERS

SINGAPORE - The Cyber Security Agency (CSA) released a Cybersecurity Bill on Monday (July 10) for a public consultation that ends on Aug 3.

Proactive measures, spelt out for the first time, seek to minimise disruption to essential service when such attacks happen. Depending on the offences, the maximum penalty is a fine of $100,000 or jail term of up to 10 years.

Here are five key proposals:

1. Commissioner of Cybersecurity

The Bill confers power on CSA's chief as Commissioner of Cybersecurity to investigate threats and incidents to ensure that essential services in 11 critical sectors here - including telecommunications, transport, healthcare, banking and energy - are not disrupted in the event of a cyber attack. Other officers such as a Deputy Commissioner and Assistant Commissioners of Cybersecurity may also be appointed to carry out the Commissioner's duties.

2. Overarching Bill for all sectors

The Bill aims to harmonise the requirements to protect critical information infrastructure (CII) across the public and private sectors, mandating that organisations share information to facilitate in the investigations of cyber-security threats or incidents undertaken by CSA. Banking and privacy rules that forbid the sharing of confidential information will be superseded by the Cybersecurity Bill.

3. Proactive measures to be undertaken by CII owners

Owners of CII such as that run essential services in must:

- Notify the Commissioner of the CII suffering a cyber-security attack;

 

- Conduct regular system audits by a Commissioner-approved third-party;

- Conduct regular risk assessments of the CII;

 

- Comply with directions issued by the Commissioner, including providing access to premises, computers or information during investigations.

4. Designation of CII

The Commissioner may identify and designate new systems as CII during times of national emergency. The designation of a computer as a CII is an official secret under the Official Secrets Act.

5. Licensing framework for cyber-security vendors

Vendors providing services in two areas - investigative work that involves hacking and forensic examination, and non-investigative work such as managed security operations - must be licensed, just like how locksmiths are licensed in Singapore. Investigative cyber-security service practitioners such as hackers must also apply for an individual licence. Those found guilty of not having the required licences face a maximum fine of $50,000, jail of up to two years, or both.