Date: 2024-05-07

SINGAPORE - Lawmakers on May 7 passed a Bill that seeks to expand the oversight of Singapore’s cyber-security watchdog over any computer system that is critical to the nation and at high risk of cyber attacks.

This includes temporary systems set up to support the distribution of vaccines or to host key international summits.

For instance, during the Covid-19 pandemic, many governments worldwide developed temporary systems to support the distribution of vaccines and many of these systems were targeted by bad actors, said Senior Minister of State for Communications and Information Janil Puthucheary in Parliament on May 7.

The expanded oversight of the Cyber Security Agency of Singapore (CSA) comes as threats can often be obscured with increased digitalisation.

Tabling the Cybersecurity (Amendment) Bill, the first changes to the Cybersecurity Act since it came into force in 2018, Dr Janil said that the Act had to be updated to keep up with evolving tech and business models, which often rely on outsourced digital services that can also span across borders.

“When the Act was first written, it was the norm for CII (critical information infrastructure) to be physical systems held on premises and entirely owned or controlled by the CII owner. But the advent of cloud services has challenged this model,” he said.

Under the amended Cybersecurity Act, CII operators in Singapore will need to declare any cyber-security outage and attack faced on their premises or along their supply chain, as long as it affects their services. The proposed law will also add new categories for entities whose digital defences will be audited by the authorities, including autonomous universities, which may hold sensitive data or perform significant functions.

The Bill was passed in Parliament with unanimous support from the House even though many questions on how CSA will designate entities of cyber-security interest, what information is deemed sensitive, and its bandwidth to manage the increased scope of reports surfaced during the three-hour debate.

Bad actors are increasingly finding ways to target supply chains or adjacent systems. This is seen overseas, said Dr Janil, citing how in 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds that serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the United States.

Greater oversight over cyber incidents is also needed as digital services take root in everyday life, with more than nine in 10 residents communicating online, and the technology adoption rate among firms here growing to 94 per cent in 2022, up from three quarters in 2018.

“More of us are now online for longer and online for more varied purposes,” said Dr Janil. “This means that we are exposed to more cyber risks, as every digital technology we use, every transaction we make, every connection made between computers, is a possible route for attack.”

Other nations are adopting a similar approach, he said, referring to the European Union, Malaysia, the United Kingdom and the US, which have introduced cybersecurity laws to address these concerns.

The definition of “computers” will include virtual systems and cloud infrastructure – servers hosted on the internet that store and process data – that are rising in usage.

Dr Janil said: “Our interest is in the computer or computer system that is necessary for the continuous delivery of the essential service, whether it is physical or virtual.”