Proposed Legislation Aimed at Protecting Critical Information Infrastructure
New cybersecurity legislation under consideration in Singapore would make it mandatory for owners of critical information infrastructure to report security breaches within hours and require cybersecurity vendors providing highly sensitive services to be licensed.
The Ministry of Communications and Information and the Cyber Security Agency of Singapore have invited the public to provide feedback on the proposal.
Last year, Singapore Prime Minister Lee Hsien Loong launched a cybersecurity strategic blueprint that was developed after consultation with 50 stakeholders.
Some security experts say the proposed legislation could be a good preliminary step toward improving data security in Singapore.
“Compliance alone won’t create an adequate security posture for the industries involved, but it will make them accountable to achieve and maintain a certain security baseline,” says Tom Wills, director at Ontrack Advisory, a consulting firm.
“But let’s be clear that once compliance is achieved, there’s still a lot more to do. The function of a law like this one is to set things in motion in the right direction, and to put some carrots and sticks in place for industry to start taking security seriously.”
Ingredients of the Bill
While a law now in place, the Computer Misuse and Cybersecurity Act, focuses more on cybercrime, the proposed legislation would apply to the cybersecurity of all essential services.
The new bill would enable a more proactive and holistic approach towards combating cyber threats, the CSA says. The three key differences between the proposed bill and the Computer Misuse and Cybersecurity Act, according to the CSA, are:
- Critical information infrastructure will now have to regularly undertake investigations of cybersecurity threats and incidents;
- CIIs are officially designated and duties of CII owners are clearly spelled out;
- The bill attempts to raise the nation’s cybersecurity posture by licensing certain cybersecurity service providers.
The bill has four objectives:
- To provide a framework for the regulation of critical information infrastructure. This formalizes the duties of CII owners in ensuring cybersecurity.
- To provide CSA with powers to manage and respond to cybersecurity threats and incidents. Section 15A of the current Computer Misuse and Cybersecurity Act provides some existing powers related to cybersecurity. The new bill would enhance these powers.
- To establish a framework for the sharing of cybersecurity information with and by CSA.
- To establish a light-touch licensing framework for cybersecurity service providers.
The bill would create the new position of commissioner of cybersecurity, who would be appointed by the minister in charge of cybersecurity. The commissioner would interact on a regular basis with industry and manage the nation’s day-to-day cybersecurity issues.
Under the bill, the minister may also appoint a deputy commissioner as well as a number of assistant commissioners. The assistant commissioners would oversee and enforce the protection requirements for CIIs.
“The commissioner should definitely be from an information security background. Personally, I would prefer a non-bureaucrat for the role,” says Dharshan Shanthamurthy, CEO at SISA, a payments security specialist.
“He or she should be a seasoned security leader who understands the particular security needs of national critical infrastructure providers, which are more stringent than other industries,” Wills says. “He or she should be able to effectively communicate the cybersecurity law in its context to all key stakeholders – those in the affected industries as well as the government and the general public – and do the heavy lifting that will be needed to overcome the natural resistance that stakeholders will have to taking security seriously.”
The proposed bill defines CII as a computer or computer system that is necessary for the continuous delivery of essential services that the nation relies on. Its loss or compromise would lead to a debilitating impact on national security, defense, foreign relations, economy, public health, public safety or public order.
The proposal states that CIIs may be owned by public or private organizations and may be located wholly or partly in Singapore. CII will fall under 11 critical sectors: aviation; banking and finance; energy; government; healthcare; infocomm; land transport; maritime; media; security and emergency services; and water.
Under the legislation, CII owners would have to provide information to the cybersecurity commissioner on the technical architecture of the CII. They would also have to comply with codes and directions and report relevant cybersecurity incidents. Additionally, they would have to conduct regular compliance audits as well as regular risk assessments.
“This is definitely a step in the right direction,” Shanthamurthy says. “The earlier Acts were all about reprimands when a breach took place. This particular bill proposes what needs to be done on a regular basis to protect CIIs.”
Room for Improvement
Some security experts, however, say the bill could use some improvements.
For instance, the bill requires CII owners to get audit checks from licensed auditors every three years. That’s not frequent enough in today’s rapidly changing cyber threat environment, some observers say.
“Once in three years is absolutely not enough when it comes to effectively responding to today’s threat environment, which evolves in real time,” Wills says. “Again, critical infrastructure providers will have to go further than what is required for compliance if they’re going to achieve an adequate security posture.”
The quality of audit remains a point of concern, some security experts say. “It’s not about just paper compliance, nor about getting certified VAPT [vulnerability assessment and penetration testing] service providers,” says Ken Soh, CIO and director of e-strategies at BH Global. “I personally believe in getting VAPT vendors who have strong world-class credentials like world-class competition winners and real CII hacking experiences.”
The bill also lacks details about required risk assessments. “Risk assessment is a wide term. They haven’t specified the methodologies to do risk assessment,” Shanthamurthy says. “Similarly in the case of audits, they haven’t mentioned any standard against which audits need to be done.”
Some believe cost will be a big hurdle if this bill is enacted. “Where is this extra funding going to come from? It would have national level economic impact if it is to be passed to the community and industry,” Soh says.
Is It Enough?
Some security experts stress that improving Singapore’s cybersecurity will require far more than compliance with the proposed new requirements.
“Critical infrastructure providers will have to adopt the whole spectrum of cybersecurity best practices in order to actually counter the threats that are out there,” Wills says. “That starts with regular, ongoing risk assessments and a rigorous program to respond to identified risks in a timely manner.”
Another key factor, he adds, is the prioritization of security by executive management and a willingness to make the necessary investments.