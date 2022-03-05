Online services and apps that are widely used by consumers and businesses may soon have to comply with government cyber-security rules similar to those that owners of critical information infrastructure (CII), such as systems for water plants and banks, must follow.

These rules, captured under the four-year-old Cybersecurity Act, mandate that critical sector organisations must ensure the security of their information technology systems and report cyber attacks within hours, among other things.

The Cyber Security Agency of Singapore (CSA) is reviewing existing cyber-security regulations for the 11 CII sectors to have them also cover foundational digital infrastructure and key digital services.

Such infrastructure and services include cloud services and apps that CSA said are important in enabling Singapore's digital economy and to allow people to go about their way of life digitally.

The review was announced by Minister for Communications and Information Josephine Teo yesterday in Parliament during the debate on her ministry's budget.

On securing non-CII digital infrastructure and services, she said that these help form the backbone of the country's connectivity, computing and data storage needs.

"If disrupted or compromised, there could be serious knock-on effects. Imagine the chaos of not having access to e-mails, websites and apps," said Mrs Teo, who is also Minister-in-Charge of Smart Nation and Cybersecurity.

The Government will consider how to apply a risk-based approach to protect these infrastructure and services, and for them to recover quickly when they are attacked, she added.

CSA said that it was doing the review because after the Cybersecurity Act came into force in 2018 to help maintain Singapore's national cyber security, the reliance on digital infrastructure and services has increased significantly.

This is also amid growing cyber attacks. "Given the unfolding situation in Ukraine, we must be alive to the heightened risks," said Mrs Teo. "Singapore is gravely concerned over the cyber attacks against Ukraine's government websites and national banks. It illustrates how essential services can be disrupted remotely and easily."

She added that even before the situation in Ukraine, there was a 73 per cent increase in reported data breach and ransomware cases here between 2020 and last year. In ransomware attacks, hackers lock up digital files until a ransom is paid.

CSA said: "As Singapore digitalises, more organisations are now at risk of falling victim to cyber attacks if the necessary cyber-security safeguards are not put in place.

"CSA is therefore reviewing the Cybersecurity Act to ensure that the digital infrastructure and services that we use are secure."

The agency did not specify what non-CII apps and services could come under the Act in future. But it said that it will be looking at digital infrastructure and services that many individuals and businesses have become reliant on.

One factor that CSA will consider is their reach and scale, such as their size. Another factor is whether there are alternatives that are easily available, and if there are high costs involved for individuals or businesses to switch to these alternatives if the infrastructure or service is hit by a cyber attack.

CSA will be consulting stakeholders on the proposed changes to the law, and will seek public feedback early next year. The review is expected to be completed next year.

Separately, the agency is updating cyber-hygiene practices, called the Cybersecurity Code of Practice, that CII sectors have to follow.

This is because current standard practices may no longer be enough for CII owners to defend against increasingly sophisticated cyber threats, as well as deal with the security risks for specific sectors, such as 5G for telcos.

CII sector regulators and owners have been consulted, and their feedback will be factored in before the enhanced code is issued in the second quarter of this year.