People who use or trade personal information obtained illegally can now be charged with an offence even if they did not perform the hacking to retrieve the data, after changes to cyber security laws were passed yesterday.

In amending the Computer Misuse and Cybersecurity Act, the Government is moving to keep pace with the evolving nature of cybercrime and criminal acts that target computer systems.

Besides criminalising the use of personal information obtained through illicit means, the changes also make buying or selling hacking tools for illegal activity a crime.

The revisions also extend the Act's reach to offences committed abroad, and toan overseas computer, which lead to "serious harm" in Singapore.

In addition, prosecutors can now combine repeated instances of hacking into one computer for a period of 12 months or less into a single charge, which will allow a higher penalty to be imposed.

The changes "will allow the police to handle the increasing scale and complexity of cybercrime, as well as the evolving tactics of cyber criminals", said Senior Minister of State for Home Affairs Desmond Lee.

They come ahead of a new Cybersecurity Act that should be introduced in the middle of this year, which will require operators of critical information infrastructure to take proactive steps to secure their systems and networks.

Ten MPs spoke in support of the Bill, pointing to recent breaches such as the leak of the personal details of 850 national servicemen and Defence Ministry staff as grounds for tighter cyber security measures. However, several MPs also raised concerns about its implementation.

Mr Murali Pillai (Bukit Batok) and Nominated MP Mahdev Mohan sought to clarify when having access to personal information might be an offence.

For instance, journalists or researchers may obtain such compromised data in their line of work.

There is "nothing wrong" with reporting or researching on hacked data, provided that information is not published or made publicly available, Mr Lee said.

However, he noted that depending on the circumstances, "indiscriminately making available hacked personal information may amount to an offence".

Mr Murali, Mr Melvin Yong (Tanjong Pagar GRC) and Mr Desmond Choo (Tampines GRC) also pointed out that extraterritorial cases are often challenging.

"Investigations for such cases are usually complex as it will involve dealing with the laws of other countries," Mr Choo said. "How would distributed databases and cloud services affect investigation and enforcement?"

Mr Lee replied that data hosted on the cloud may actually be physically located in servers overseas, which makes investigations more challenging. Where necessary, the police will work with their overseas counterparts to investigate such cases, he said.

Ms Joan Pereira (Tanjong Pagar GRC) and nominated MPs K. Thanaletchimi and Thomas Chua asked about raising awareness of cyber security in the private sector, especially among small and medium-sized enterprises (SMEs).

Mr Lee replied that businesses must recognise the importance of guarding against cyber risks.

He added that the Infocomm Media Development Authority will set up a digital tech hub by the third quarter of this year to provide SMEs with technical advice on cyber security.