Budget debate: Widely used services, apps soon to comply with govt cyber-security rules

SINGAPORE - Online services and apps that are widely used by consumers and businesses could soon have to comply with government cyber-security rules similar to those that owners of critical information infrastructure (CII), like systems for water plants and banks, must follow.

These rules, captured under the four-year-old Cybersecurity Act, mandate that critical sector organisations must ensure the security of their information technology systems and report cyber attacks within hours, among other things.

The Cyber Security Agency of Singapore (CSA) is reviewing existing cyber-security regulations for the 11 CII sectors to have them also cover what it calls foundational digital infrastructure and key digital services.

Such infrastructure and services include cloud services and apps that CSA said are important in enabling Singapore's digital economy and in allowing people to go about their way of life digitally.

The review was announced by Minister for Communications and Information Josephine Teo on Friday (March 4) in Parliament during the debate on her ministry's budget.

On securing non-CII digital infrastructure and services, she said that these help form the backbone of the country's connectivity, computing and data storage needs.

"If disrupted or compromised, there could be serious knock-on effects. Imagine the chaos of not having access to e-mails, websites and apps," said Mrs Teo, who is also Minister-in-Charge of Smart Nation and Cybersecurity.

"Given the unfolding situation in Ukraine, we must be alive to the heightened risks," she said.

The Government will consider how to apply a risk-based approach to protect these infrastructures and services, and for them to recover quickly when they are attacked, she added.

The review will also consider expanding what is considered CII beyond physical networks and systems.

With the shift to virtualisation, Mrs Teo said virtual assets, such as systems hosted on the cloud in Singapore or elsewhere, should also be considered as CII to be protected.

CSA said that it was doing the review because reliance on digital infrastructure and services has increased significantly since the Cybersecurity Act came into force in 2018 to help maintain Singapore's national cyber security.

This is also amid growing cyber attacks. "Given the unfolding situation in Ukraine, we must be alive to the heightened risks," said Mrs Teo. "Singapore is gravely concerned over the cyber attacks against Ukraine's government websites and national banks. It illustrates how essential services can be disrupted remotely and easily."

She added that even before the situation in Ukraine, there was a 73 per cent increase in reported data breach and ransomware incidents here between 2020 and 2021. In ransomware attacks, hackers lock up digital files until a ransom is paid.

Said CSA: "As Singapore digitalises, more organisations are now at risk of falling victim to cyber attacks if the necessary cyber-security safeguards are not put in place.

"CSA is therefore reviewing the Cybersecurity Act to ensure that the digital infrastructure and services that we use are secure."

The agency did not specify what non-CII apps and services could come under the Act in future. But it said that it will be looking at digital infrastructure and services that many individuals and businesses have become reliant on.

One factor that CSA will consider is their reach and scale, such as their size.

Another factor is whether there are alternatives that are easily available, and if there are high costs involved for individuals or businesses to switch to these alternatives if the infrastructure or service is hit by a cyber attack.

For example, a digital service with a low switching cost would be an online search engine. This is because if the search engine is brought down by a cyber attack, alternatives can be easily found.

Mrs Teo said that the review of the Cybersecurity Act will also look into raising the Government's situational awareness over the country's cyberspace so that the authorities can act quickly against threats.

CSA will be consulting stakeholders on the proposed changes to the law, as well as seeking public feedback, early next year. The review is expected to be completed next year.

Separately, the agency is also updating a set of cyber-hygiene practices, called the Cybersecurity Code of Practice, that CII sectors have to follow.

This is because current standard practices may no longer be enough for CII owners to defend against increasingly sophisticated cyber threats, as well as deal with the security risks for specific sectors, such as 5G for telcos.

For instance, CSA said that ransomware has evolved to the point that it can pose national security concerns and disrupt critical services.

High-profile ransomware cases last year include the Colonial Pipeline attack in the United States in May that affected the fuel supply for about 50 million customers.

The agency hopes that by updating the Cybersecurity Code of Practice, CII owners will be better able to defend against sophisticated cyber attacks and CII sectors can respond more quickly to new sector-specific risks.

For example, one proposed update to the code aims to allow CSA to identify hackers' common tactics and techniques in cyber attacks, so that new practices or improvements to existing ones can be developed to counter such attacks.

Another proposed change aims to allow CSA or CII regulators to add new requirements for specific sectors, as and when they are required, to tackle emerging risks.

This means that CSA and telecoms regulator Infocomm Media Development Authority can, for instance, add new cyber-security measures for adoption by telcos that provide 5G mobile services.

CSA also hopes that by updating the code, the public and private sectors can coordinate better to deal with cyber threats faster. These can include state-sponsored attacks that require coordination between the two, as CII owners might not have the resources to manage state-sponsored cyber attacks themselves.

With the enhanced code of practice, CII owners must share relevant and updated technical data with CSA. Using the data collated across the CII sectors, CSA can get insights into threats that have a systemic impact.

The information can then be shared with CII owners so that they can improve their cyber defences.

CII sector regulators and owners have been consulted on the updates to the Cybersecurity Code of Practice. Their feedback will be factored in before the enhanced code is issued in the second quarter of this year.
