Proposed law has implications for all businesses, not just those in 11 critical sectors, as computers have many links to one another.
A draft cyber-security Bill was released on Monday for public consultation.
The draft Bill requires owners of critical information infrastructure to report security breaches, and cyber-security vendors providing highly sensitive services to be licensed.
While owners of businesses in 11 named critical sectors are busy reviewing the proposed Bill, a careful reading of it shows that other organisations, in other sectors, should be getting involved too.
There is no doubt that cyber security is important for Singapore. Our modern, highly connected businesses and society depend on the integrity and availability of technology to function smoothly. Our smart nation needs to be secured against cyber attacks, especially smart devices that manage energy, healthcare, transport and waste, and gather data to aid government planning.
Although Singapore appears to have dodged the bullet so far, such as during the recent global ransomware epidemic, we remain a prime target and vulnerable to online threats. The recent reports of cyber attacks targeting two major universities are only the tip of the iceberg. Since technology already pervades every part of our lives, we risk economic harm and even physical harm unless we all make cyber security a priority.
Thanks to the proposed Bill, a total of 11 sectors will need to prioritise cyber security. These sectors are government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime. Critical information infrastructure (CII) owners will be required to report cyber attacks, carry out audits and risk assessments, and take part in cyber-security exercises. Potential CII owners must prepare for additional responsibilities and liability, and spend the time and resources required to meet these obligations.
AS FOR THE REST?
However, if organisations which are not in these 11 named sectors think that they are off the hook, then they would be mistaken.
First, CII is defined in Section 2 of the Bill as "a computer or a computer system that is necessary for the continuous delivery of essential services which Singapore relies on". While the essential services are listed in the First Schedule, the organisations that serve the essential services can come from any other sector.
For example, if a company provides printing services for healthcare institutions, then its computers or computer systems could be "necessary for the continuous delivery of essential services". Likewise, many of the significant organisations in the 11 sectors rely on a wide range of suppliers and service providers for their daily operations. The computers of some of those suppliers and service providers could in turn fall within this definition.
Even where suppliers and service providers are not designated as CII, their CII customers may impose contractual requirements on them, to support their CII obligations. For example, if the CII owner needs to report attacks, carry out audits and risk assessments, then the CII owner will also want its suppliers to do the same.
This is understandable because computer systems are interconnected and hackers often attack the weakest link. Hackers gained access to the network of US retail giant Target by first stealing passwords from a third-party heating and ventilation company. In Singapore, bank statements belonging to a bank's private banking customers were stolen from a server at the bank's printing vendor.
Most recently, hackers broke into the computer systems of the National University of Singapore and Nanyang Technological University, in a bid to steal data related to government-linked projects for the defence, foreign affairs and transport sectors. Could the universities' computers be designated as CII as well?
Second, Part 4 of the Bill describes scenarios where any relevant organisations that are outside the 11 key sectors may be compelled to assist and share information with the Cyber Security Agency of Singapore (CSA), in the event of cyber-security threats or incidents. This assistance can range from giving statements and providing technical logs, in less serious cases, to allowing CSA to enter premises to access, scan, or seize computers for examination and analysis, in more serious cases.
While these powers can help the authorities to identify and resolve cyber-security threats and incidents, the impact on any business that is involved should not be underestimated.
The scope of this is huge in our smart nation, where any organisation might find its computers inadvertently involved in a cyber-security incident. The largest cyber attacks of 2016 - multiple distributed denial-of-service attacks which caused major Internet platforms and services to be unavailable in Europe and North America - are believed to have been executed by taking over thousands of Internet of Things devices such as printers, IP cameras, residential gateways and baby monitors.
Third, the list of 11 sectors in the Bill can be amended by order of the minister at any time, pursuant to Section 52. By now it should be clear that any organisation, not just those in the 11 named sectors, should be paying attention to the Bill and getting involved in the public consultation.
The current public consultation continues several rounds of consultations that the Ministry of Communications and Information (MCI) and CSA have already had with key stakeholders, including regulators, potential CII owners, industry associations and cyber-security professionals.
Throughout the earlier rounds, it has been heartening to note that MCI and CSA have been forthcoming and cooperative, open to suggestions, and have taken on board many of the ideas that were raised.
Now that the draft Bill is available, all stakeholders can give formal feedback, and members of the public can highlight their concerns. This is a golden opportunity because the Bill has not even been placed before Parliament for the First Reading. Public consultation ends on Aug 3 and the Bill could be tabled in Parliament later this year. Any organisation that might potentially be affected - and there are many - should seize the opportunity to give feedback and influence the policy process.
Considering the multifaceted cyber-security threats facing Singapore, the cyber-security Bill is encouraging in its breadth and depth.
The ball is in our court, to contribute to the discussion and its further development, because cyber security affects all of us.
The writer is Senior Fellow/Coordinator, Cyber Programme Centre of Excellence for National Security, S. Rajaratnam School of International Studies, Nanyang Technological University.
A version of this article appeared in the print edition of The Straits Times on July 15, 2017, with the headline 'Why all must get involved in draft cyber-security Bill'.