Concerns about the extent of powers a proposed cyber security Bill would give the Government emerged during a just-concluded public consultation, underscoring the ever-present tension between security and privacy.
The finishing touches are being made to the final Bill, to be tabled for debate in Parliament next year. It will give the Cyber Security Agency (CSA) powers to order an investigation into a suspected cyber attack, while working with sector regulators.
Organisations must then surrender any information requested. Failure to do so can lead to a fine or jail term. The Bill would take precedence over bank and privacy rules that prohibit data sharing, and banks and telcos would have to report the attack "within hours".
Worries about such rules surfaced during a two-month public consultation which ended in August, acknowledged the CSA in a recent press briefing.
But its chief executive David Koh said the perception of sweeping powers among some members of the public was a "misunderstanding".
"The Bill defines the power that CSA has (and limits it) to when there is a cyber security incident. It doesn't give CSA broad powers to oversee every computer in Singapore," he said, adding that the information requested would mostly be technical in nature.
The CSA said the Bill received generally positive comments. Overall, the 92 individuals, industry associations and companies that made submissions welcomed the proposed law, the agency said, adding that they recognised that its job is to ensure that essential services such as for power and telecommunications are kept running even when hackers strike. The positive response was reflected in the relatively minor edits made to the proposed law at the end of the consultation, said the CSA.
The high-level agency in charge of coordinating cyber security efforts nationwide retained most of its proposed rules, making only changes for operational efficiencies after taking in feedback from businesses.
For instance, the designation of a computer as critical information infrastructure will no longer be an official secret under the Official Secrets Act (OSA).
Mr Harish Pillay, 57, who is on non-profit Internet Society's board of trustees, had questioned the invocation of the OSA, noting that it was "draconian".
His submission to the CSA has not been made public, but he told The Straits Times: "Security via obscurity is not the way forward."
Mr Pillay, who works as the chief technologist in a tech firm, was also concerned that the CSA's powers to seize computers and information would be too onerous on firms that must follow strict privacy laws in overseas markets.
On Mr Koh's assurance that the CSA does not have the powers to oversee every computer in Singapore, he responded: "Really? Until I see the updated document, I cannot comment."
Cyber attacks have become a growing threat here and battling them has taken on added urgency amid a push to go digital.
In April, hackers broke into the networks of the National University of Singapore and Nanyang Technological University, presumably to steal government-related data. Both institutions are involved in government-linked projects for the defence, foreign affairs and transport sectors. Just two months earlier, the personal data of 850 national servicemen and Defence Ministry staff was also stolen.
Supporters of the Bill, which was first released in July, had described it as bold and praised the fact that it covers both the public and private sectors - recognising that cyber criminals do not respect any such boundaries.