Aerial view of Singapore’s Civic District including the Singapore Parliament.
Singapore is to have a new cybersecurity tsar with wide-ranging powers to seize confidential information and impose penalties under legislation passed by its parliament on Monday last week.
The Cybersecurity Bill requires owners of computer systems involved in the provision of essential public services in 11 designated areas to meet a set of statutory obligations overseen by a commissioner of cybersecurity.
The new post will be filled by David Koh, who is chief executive of the Cyber Security Agency of Singapore (CSA) and also serves as deputy secretary (special projects) and cyber chief in the Ministry of Defence.
Companies and organisations that own such “critical information infrastructure” (CII) will have to report cybersecurity incidents, conduct audits and risk assessments, participate in cybersecurity exercises and comply with performance standards and codes of conduct.
Failing to share the required information or comply with orders from the commissioner is an offence under the new law that will carry a maximum penalty of a S$100,000 fine, two years in jail or both.
The 11 essential services include national security, public order, the economy, public health, public safety, defence and foreign relations.
The law allows the commissioner to demand data or seize computers not only from CII owners but also from non-CII systems that are deemed to be essential for investigations, according to the Straits Times.
During a three-hour debate on the bill in Singapore’s parliament, 19 MPs spoke in favour of the government’s bill but many of them expressed concerns about the wide powers granted to the new commissioner.
Saktiandi Supaat, People’s Action Party MP for Bishan-Toa Payoh Group Representation Constituency (GRC), said some people were worried that the authorities would intrude on personal privacy during investigations. He asked if there were any safeguards in place against misuse of their broad investigative powers, whether intentional or not.
Pritam Singh, Workers’ Party MP for Aljunied GRC, said the bill gave the commissioner and any authorized officer the power to take or copy a hard disk, even if it was only to assess the impact or potential impact of a cybersecurity threat.
He asked what qualified as an incident major enough for such powers to be exercised, “so that the House is assured the commissioner’s powers will be used very judiciously and not against government critics and individuals”.
Yaacob Ibrahim, minister for communications and information, who oversees the CSA, said that the powers granted under the legislation “are not intended to intrude into privacy” and are mainly technical, operational or procedural in nature.
“Such powers are necessary given the potential impact from serious cyber-security threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm and affect our economy and way of life,” he said.
Owners of critical infrastructure systems will be notified of any intrusive scanning of networks or seizure of computers, which will only be done when the benefits of such measures outweigh the sacrifices, Yaacob said.
The bill also lays out a licensing framework that will apply to providers of two types of cybersecurity service – penetration testing and managed security operations centre monitoring, according to Channel News Asia.
“These providers have access to sensitive information from their clients, and the services are also relatively mainstream in our market, and hence have a significant impact on the overall cybersecurity landscape,” said Yaacob.
Failure to get a licence for a licensable service will mean a maximum penalty of a S$50,000 fine, two years in jail, or both, he said, adding that the requirement will not apply to in-house work or providing licensable services to related companies.
Patrick Tay, MP for West Coast GRC, asked if there were any measures in place to ensure that the cost of complying with the new cybersecurity requirements does not trickle down extensively to the consumer.
Yaacob said there will be cost implications for CII owners who need to strengthen the cybersecurity of their computer systems to meet the requirements of the bill. However, many owners already have cybersecurity measures in place to meet regulations within their sectors.
And while no funding will be provided to cover such costs, the government will work with regulators to streamline sectoral cybersecurity audit and incident reporting processes so that they harmonise with the requirements of the bill, he added.