Date: 2024-04-03

SINGAPORE - Amendments to the Cybersecurity Act were tabled in Parliament on April 3 to take into account risks introduced by suppliers, outsourcing and offshoring.

Critical information infrastructure (CII) operators in the 11 essential services sectors remain answerable to the Cyber Security Agency of Singapore (CSA) for any lapses. The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime, and aviation), infocomm, media, security and emergency services, and the Government.

Here’s a quick look at the key changes in the Cybersecurity (Amendment) Bill.

1. Securing supply chains

Critical information infrastructure (CII) operators must report all incidents aimed at their systems, including those managed by or linked to their suppliers.

The proposal comes after major cyber attacks around the world that have targeted peripheral systems to sabotage critical services. In 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds that serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the US. In 2021, the US’ largest fuel pipeline, Colonial Pipeline, was forced to shut down after attackers took control of its corporate payment services, which lie outside of its critical functions.



2. Holding cloud services providers accountable

The definition of “computers” will include virtual systems and cloud infrastructure - servers hosted on the Internet that store and process data - which are rising in usage.

CII owners have the option of moving to commercial cloud solutions, such as those offered by Amazon Web Services or Microsoft, while still bearing responsibility for any cybersecurity lapses. The CII operator must make clear to third-party vendors, as part of written contracts, that they are to comply with Singapore’s rules.

At least one of the physical computing resources of the cloud services provider that support the virtual system has to be deployed locally.

Data centres, cloud services and other foundational digital infrastructure that provide services to or out of Singapore will be regulated. They will have to provide cybersecurity-related details upon request, report any incidents and comply with standards of performance set by CSA.

In 2021, critical vulnerabilities were found in cloud computing platform Microsoft Azure’s database, which could permit hackers to access sensitive databases. The changes to the Cybersecurity Act will make it mandatory for service providers to share details of such attacks, so that lessons can be shared with the wider industry and necessary action taken.



3. Regulation over high-key international events

CSA can designate systems that are critical to Singapore for a limited period as “systems of temporary cybersecurity concern” and require their owners to comply with heightened cybersecurity standards.

Operators of designated systems will have to provide cybersecurity-related information upon request, comply with CSA’s standards and report cybersecurity incidents.

These can be systems used for high-key events such as major vaccine distributions, forums or international events, akin to the 2018 North Korea–United States Singapore Summit. In 2020, organisations around the world that were distributing Covid-19 vaccines were targeted by cyberattackers, who attempted to steal network log-in credentials to disrupt the distribution of doses, IBM reported.



4. Entities of special cybersecurity interest