Recognizing the fast-evolving cybersecurity landscape and the cyber threats that loom over Singapore's cyberspace, the Singapore Parliament has passed the Cybersecurity Bill. Under the bill, the owners of key bodies in areas such as national security, defence, foreign relations, the economy, public health, public safety or public order, which the bill calls critical information infrastructure (CII), will have to comply with the standards and regulations mandated by the bill. The bill also requires CIIs to conduct cybersecurity audits and risk assessments, and to participate routinely in cybersecurity exercises.
Minister for Communications and Information Yaacob Ibrahim said, “No action will be taken against CII owners for cybersecurity breaches if they comply with their obligations. However, non-compliance will be an offence that will entail a maximum penalty of S$100,000, two years in jail, or both.”
According to the bill, the chief executive of the Cyber Security Agency of Singapore (CSA) will be appointed as the Commissioner of Cybersecurity. He will be entrusted with administering the bill and designating any computer or computer system as CII, in accordance with the earlier issued draft bill.
Earlier in 2017, the Ministry of Communications and Information (MCI) and the CSA issued a public consultation as part of the Draft Cybersecurity Bill. Heavy feedback led the agencies to extend the consultation period. With most feedback in, the agencies released a ‘Report on Public Consultation on the Draft Cybersecurity Bill.’
The draft bill garnered responses from industry experts, cybersecurity professionals, and academics, who called for a more comprehensive and broader approach and requested elaboration on the powers given to the CSA and, most importantly, on the state of licensing for cybersecurity professionals. According to the report, “The earlier proposed licensing framework for cybersecurity service providers involved licensing penetration testing service providers and individuals under an investigative cybersecurity service license and managed security operations centre (SOC) monitoring services providers under a non-investigative cybersecurity service license. The framework would apply to these providers and individuals serving the Singapore market. In-house provision of cybersecurity services is exempted.”
Currently, the agencies intend only to “license penetration testing and managed SOC monitoring service providers, including resellers of such services.” The agencies chose this scope because, according to them, penetration testing and managed SOCs are highly prevalent in the region.
The draft bill also considered exempting in-house penetration testing and managed SOC monitoring services, stating that “we do not intend to require organisations to be licensed for providing these services to their affiliated organisations.”
According to Dr Yaacob, penetration testing and managed security operations centre monitoring “have access to sensitive information from their clients, and the services are also relatively mainstream in our market, and hence have a significant impact on the overall cybersecurity landscape.” Channel News Asia reported on his introduction of the bill in Parliament: “The requirement will not apply to in-house work, and providing licensable services to related companies, he said. Failure to get a license for a licensable service will mean a maximum penalty of S$50,000 fine, two years in jail, or both.”
Several MPs also raised questions on privacy and the cost of compliance, to which Dr Yaacob responded only by saying, “Let me assure the House that the powers under the Bill are not intended to intrude into privacy.”