Singapore will have a cyber-security czar who is empowered to obtain confidential information from local organisations to investigate suspected cyber attacks, under a Bill passed in Parliament yesterday.
The new law will allow the Commissioner of Cybersecurity to demand data or seize computers not only from owners of critical information infrastructure (CII), but also non-CII systems deemed to be essential for investigations.
CII refers to any system that relates to 11 essential services, including banking, telecommunications, transport, healthcare and energy.
Nineteen MPs spoke in support of the Cyber Security Bill, during a three-hour debate.
Many of them expressed concern, however, about the broad powers that the new commissioner - Mr David Koh, chief executive of the Cyber Security Agency of Singapore - will wield.
Workers' Party MP Pritam Singh (Aljunied GRC) asked what threshold will be set to investigate incidents and if the broad powers would be used on dissenters.
Mr Zaqy Mohamad (Chua Chu Kang GRC), Mr Darryl David (Ang Mo Kio GRC) and Ms Sun Xueling (Pasir Ris-Punggol GRC) asked about safeguards to protect consumers' privacy, especially for sensitive information such as health records and investment portfolios.
Said Mr David: "Potential ethical dilemmas could arise when cyber-security officers, in the course of their work, gain access to personal data that contains identifiers, when the providers of that information did not give explicit consent for the information to be used or accessed."
Minister for Communications and Information Yaacob Ibrahim told MPs that the powers under the Bill "are not meant to intrude into privacy".
He also said the commissioner's powers are calibrated and strictly meant to keep the lights on for essential services, noting that any information required will primarily be technical in nature. This includes network and system audit logs and network configuration.
"Such powers are necessary given the potential impact from serious cyber-security threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and way of life," said Dr Yaacob.
CII owners will be notified of any intrusive network scanning or any seizure of computers, which Dr Yaacob said will be done only when the benefits of these measures outweigh the sacrifices.
Failure to share the required information or comply with any orders from the commissioner can lead to a fine of up to $100,000 or two years' jail, or both.
Mr Henry Kwek (Nee Soon GRC) suggested stiffer penalties for those who misuse data, particularly for perpetrators from the cyber-security industry.
"How do we keep watch on the guards?" he asked, calling for more due diligence to be conducted on cyber-security professionals.
Dr Yaacob said any cyber-security professional who misuses data will be prosecuted under the existing Computer Misuse and Cybersecurity Act, which was renamed the Computer Misuse Act yesterday.
Workers' Party Non-Constituency MP Daniel Goh asked why institutions of higher learning that have links to government projects were not designated as CII.
In April last year, hackers broke into the networks of the National University of Singapore and Nanyang Technological University, presumably to steal government-related data. Both institutions are involved in government-linked projects for the defence, foreign affairs and transport sectors.
Replying, Dr Yaacob said the definition of CII is consistent with other legislation in Singapore and those in other countries.
"Nonetheless, we do not preclude that new essential services may arise in the future, and the minister may amend the list of essential services... if necessary."