Cybersecurity (Amendment) Bill
Debated in Parliament on 7 May 2024.
Summary
- The Cybersecurity (Amendment) Bill seeks to update the Cybersecurity Act of 2018 to address changes in technology and cybersecurity challenges, expanding the regulatory framework to include new categories such as Systems of Temporary Cybersecurity Concern (STCC) and Entities of Special Cybersecurity Interest (ESCI).
- The Bill requires Critical Information Infrastructure (CII) owners to report not only incidents directly related to their systems but also incidents affecting peripheral systems and third-party suppliers, enhancing oversight and accountability in the cybersecurity landscape.
- Many members expressed concerns regarding the potential compliance costs and operational impacts on businesses, particularly small and medium-sized enterprises (SMEs), urging the government to provide sufficient support and clear guidelines to facilitate adherence to the new regulations.
- There is a strong emphasis on the need for collaboration between the government, cybersecurity agency, and private sector to bolster national cybersecurity, with calls for transparent processes and considerations to avoid burdensome regulations that stifle innovation.
- The government reassured members about the necessity of these amendments to manage escalating cyber threats effectively, emphasizing the targeted nature of the provisions while seeking to enhance Singapore's cybersecurity posture overall.
Summary written by AI
Full Transcript
Order for Second Reading read.
The Senior Minister of State for Communications and Information (Dr Janil Puthucheary) (for the Minister for Communications and Information)
Mr Speaker, on behalf of the Minister for Communications and Information, I beg to move, "That the Bill be now read a Second time".
Sir, the Cybersecurity Act was enacted in 2018. At that time, we explained that the Act had three key objectives.
First, to strengthen the protection of Singapore's Critical Information Infrastructure, or CIIs, against cyber-attacks. Our CIIs are core computer systems that, if disrupted, could affect our national security and survival and were thus important to secure first. Second, to authorise the Cyber Security Agency of Singapore, or CSA, to lead in the prevention and response to cybersecurity threats and incidents. And third, to establish a licensing framework to regulate cybersecurity service providers.
In 2018, we saw that there was a need for stronger regulatory levers to safeguard our national cybersecurity. At that time, we were one of the first jurisdictions in the world to introduce cybersecurity legislation. The Cybersecurity Act has now been in force for six years. The core objectives continue to be relevant today. We have reviewed the Act, learning from our experiences and taking into account changes in technology.
We have made progress and, in certain areas, we lead in cybersecurity. This has allowed us to play a useful role in international efforts to address cybersecurity challenges. For example, Singapore has been chairing the United Nations Open-Ended Working Group (OEWG) on Security of and in the Use of Information and Communications Technologies since 2021. The five-year OEWG is the only UN forum for discussions on cybersecurity and norms for responsible state behaviour in cyberspace. OEWG is also part of the reason why Minister Josephine Teo cannot be here today. She is currently in the US to participate in and lend her support to OEWG-related discussions, amongst other engagements.
In order to continue to ensure Singapore's cybersecurity, a review and an update to the Act is needed as several aspects of our operating context have changed.
Technology has evolved and, as a result, business models have changed.
Cloud computing, as a service, has become widely available and widely used. Approximately 60% of all businesses in Singapore now use some form of cloud computing technology in their operations. When the Act was first written, it was the norm for CII to be physical systems held on premises and entirely owned or controlled by the CII owner. But the advent of cloud services has challenged this model.
Key benefits of digitalisation are scale and aggregation. Today, it is possible to aggregate and share common digital services and functions across borders to deliver essential services in different countries. This has likewise challenged us to review how we can safeguard the cybersecurity of our essential services.
The cyber threat landscape has also evolved. Malicious actors are increasingly finding new ways to reach their target, such as through supply chain attacks or starting with adjacent systems. One example Members may be familiar with is the SolarWinds cybersecurity breach in 2020, where a network management software that was widely used by major companies worldwide was compromised. The attacker used the software's regular updates to implant a backdoor and gain a foothold in the networks of organisations that downloaded and installed the malicious update, and this then provided the attacker with privileged access to internal networks.
Our relationship with technology has also evolved. Digital technology is now an integral part of our lives. In Singapore, over 90% of residents now communicate online. Firms use digital technologies intensively. Their technology adoption rate has grown from 74% in 2018 to 94% in 2022. More of us are now online for longer and online for more varied purposes. This means that we are exposed to more cyber risks, as every digital technology we use, every transaction we make and every connection made between computers, is a possible route for attack. Cybersecurity professionals refer to this as an increased "attack surface". To cause significant disruption to the way we work and live, those who mean us harm can take down the digital infrastructure we depend on, or the institutions and entities that hold our sensitive information or perform functions of national interest. Hence, when it comes to securing Singapore in cyberspace, regulating the cybersecurity of CIIs is no longer sufficient.
It is vital that we update our cybersecurity laws to continue to stay ahead of the curve.
We are not alone in doing so. Other jurisdictions like Australia, the European Union (EU), Malaysia, the United Kingdom (UK) and the United States (US) have also been grappling with these developments and the ensuing implications on how to do cybersecurity. These jurisdictions have also recently introduced or announced plans to have new cybersecurity legislation to address these same concerns.
Additionally, having had the experience of operationalising the Act and engaging with multiple stakeholders over the last six years, we have received feedback and we have learnt many lessons on how we can better implement and enforce the Act.
In developing the Bill before the House today, CSA has consulted extensively with stakeholders over two years. These included our CII owners, cybersecurity and legal professionals, academic experts, sector regulators, industry players, trade associations and chambers, and members of the public. Stakeholders have generally been supportive of our proposed Bill. They understand the need for stronger cybersecurity regulation and are supportive of the policy objectives of the Bill. Our stakeholders have also provided useful feedback that has helped CSA refine the Bill. I would like to thank all who participated for their feedback and for their suggestions.
The Cybersecurity (Amendment) Bill seeks to update the Act to address the shifts in the operating context in cybersecurity and strengthen the administration of the Act to address operational challenges CSA has faced.
Mr Speaker, Sir, before I go through the key provisions proposed in the Bill, allow me to explain that I will not disclose in this opening speech, nor in answer to Members' clarifications, any specific real-life examples of the critical systems and entities that we regulate or seek to regulate for cybersecurity. It is not in Singapore's national security interests to do so, as public disclosure of these systems and entities may expose them to more risks. The list of CIIs is not made public. Similarly, systems and entities regulated pursuant to the proposed amendments will also not be made public.
Sir, the Bill seeks to create new regulatory frameworks to keep up with the changes in our operating context.
We will update CII-related provisions. The 2018 Act was developed to regulate CIIs that were physical systems, but new technology and business models have emerged since. Hence, we need to update the Act to allow us to better regulate CIIs so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on. The Bill will do this in the following ways.
Clause 3(j) extends the meaning of "computer" and "computer system" in specified portions of the Act to include "virtual computers" and "virtual computer systems" which, in turn, are defined in new definitions inserted by clause 3(i). Clause 3(j) also introduces provisions setting out what "ownership" means in relation to virtual computers or computer systems.
Currently, the Act's definitions of "computer" and "computer system" are predicated on them being physical computers that are built out of dedicated physical hardware, such as hard disk drives, memory and processor chips. This was suitable in 2018, as CIIs were physical systems. However, given recent technological advancements, it is now possible that a CII could be a virtual computer system.
Our interest is in the computer or computer system that is necessary for the continuous delivery of the essential service, whether it is physical or virtual. However, in the case of a virtual CII, such as in a cloud environment, the underlying physical infrastructure could be shared or easily replaced, and, therefore, it would not be sensible or meaningful to regulate the underlying hardware.
The new definitions we are introducing allow us to make it clear that the CII owner is responsible for the cybersecurity of its virtualised CII, and not other parties that supply the underlying physical infrastructure.
Clause 14 seeks to introduce a new Part 3A which will regulate providers of essential services who rely on CII owned by third parties for the continuous delivery of essential services. This will deal with situations where a provider of an essential service could leverage a computer system owned by a third party because it would be more effective or efficient to do so.
For example, hypothetically, a third-party vendor could own, operate and supply a critical Operations Management system that is used by multiple providers of a given essential service. The third-party vendor could have greater expertise operating such a system and is able to do so at a lower cost, due to demand aggregation.
The principal Act did not provide for such business models because it was the norm then for providers of essential services to own and operate their critical systems. Business models may be changing but the fundamental principle remains the same. Providers of essential services must remain responsible for the cybersecurity and cyber resilience of the computer systems relied upon to deliver essential services that they provide. The new Part 3A will ensure that they cannot outsource this responsibility even if they rely on a third party's computer system for the continuous delivery of the essential service.
Under the new Part 3A, the responsibility rests with the provider of essential service. To be clear, CSA does not seek to regulate the owners of these systems under Part 3A, who are the third-party vendors. However, the providers of essential services must ensure that the systems they rely on can meet comparable cybersecurity standards and requirements of a CII through legally binding commitments, such as contracts. Third-party vendors that seek to work with providers of essential services will need to have the necessary expertise and capability to own and operate a CII in a manner that meets the cybersecurity standards we hold a CII to. It is a specialised area and a considered business decision to operate in this space. Members will appreciate that not many businesses will be, nor can be, in this space.
Clause 8 allows CSA to deal with situations where a CII is supporting an essential service from overseas. The Act currently only allows CSA to designate computers or computer systems as CII if the entire or part of the computer or computer system is in Singapore. However, this has also meant that CSA is currently unable to regulate a CII that is wholly located overseas. Clause 8 inserts a new section 7(1)(a) which will allow CSA to designate and regulate such CIIs that are wholly located outside of Singapore, so long as its owner is in Singapore and the computer system would have been designated as a CII under section 7(1) had it been located wholly or partly in Singapore.
We will also be updating CII-related provisions to address the inventiveness of malicious cyber actors.
Under the principal Act, a CII owner is generally only obliged to report cybersecurity incidents relating to the CII, or computers or computer systems that are interconnected with or communicate with the CII. CSA needs such incident reporting so that it can intervene early if necessary and gain better situational awareness so that it can proactively alert other sectors and prevent the spread of similar attacks. Such reports serve to sound the alarm.
As the tactics and techniques of malicious actors evolve to target systems at the periphery or along the supply chains, we must also start placing our alarms at those places. Clause 12 will therefore amend section 14 to require CII owners under Part 3 to additionally report incidents that affect: one, other computers under the owner's control; and two, computers under the control of a supplier that are interconnected with or communicate with the CII.
The former requirement will help us be better prepared should any of our essential services be targeted in the same manner as in the SolarWinds case. The latter requirement will enable us to take proactive steps to protect our CIIs, if CII owners' immediate suppliers are compromised, to pre-empt potential disruptions to our essential services. The requirement to report on incidents affecting immediate suppliers will apply only if the CII is owned by the provider of essential service. This is a practical approach. In situations where a third party owns the CII, the provider of essential service is unlikely to have visibility of the third party's suppliers to be able to report any incident to CSA.
We will also expand the Act to regulate a new type of system called Systems of Temporary Cybersecurity Concern, or STCC, so as to address the evolution of our threat landscape.
Clause 15 inserts a new Part 3B to regulate the cybersecurity of STCCs, which are systems that, for a time-limited period, are at high risk of cyber-attacks and, if compromised, would have a serious detrimental effect on Singapore's national interests.
The COVID-19 pandemic drove home the importance of being able to secure such systems. During the pandemic, many governments around the world developed temporary systems to support the tracking and distribution of vaccinations and many of these systems were targeted by malicious actors seeking to exploit the urgency of the situation. Should we be faced with another national pandemic, we need to be in the position to secure the systems critical to our crisis response.
Another potential group of STCCs could include systems supporting high-key international events in Singapore, such as the Trump-Kim Summit in 2018, or the Youth Olympic Games in 2010. Such international events could be attractive targets for cyber-malicious actors seeking a global stage. The Tokyo Olympics of 2021, for example, was reported to have encountered 450 million cyber-attacks. We need to take the cybersecurity of such events seriously to maintain Singapore's reputation as a safe and reliable place to host such events.
Before the Commissioner of Cybersecurity can designate a system as an STCC, the Commissioner must be satisfied that, for a limited period, the system is at high risk of a cybersecurity threat or incident; and the loss or compromise of the system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety, or public order of Singapore. In other words, this is intended to apply to systems that are critical to Singapore.
Given that STCCs are critical systems when they are set up, Part 3B will impose on STCC owners cybersecurity obligations similar to those for CII owners, where practicable. Part 3B will allow CSA to be proactive in raising the cybersecurity posture of the STCC, depending on the operating context and the time period for which the STCC is needed.
Finally, provisions will be introduced to expand the ambit of the Act to other new entities beyond the current CII regulatory regime.
Clause 16 introduces a new Part 3C, that will allow CSA to regulate entities that could be particularly attractive targets for malicious threat actors because the disruption of the function they perform, or the disclosure of sensitive information their computer systems contain, will have a significant detrimental effect on Singapore's defence, foreign relations, economy, public health, public safety, or public order. These entities will be referred to as Entities of Special Cybersecurity Interest, or ESCIs.
One example of potential ESCIs could be universities. Universities are popular targets of malicious actors, given their standing in society, the sensitive research they may do, and the data they may possess. For instance, in 2019, the Australian National University detected a database breach, reportedly by a state actor, which resulted in unauthorised access to extensive personal information, including bank records, tax details and passport information of students and staff dating back almost two decades. Senior Australian officials feared that such data could be used to exploit or recruit students and alumni as informants.
Our own universities have also been targets of cyber-attacks in the past. The Ministry of Education and the universities have since taken steps to strengthen their cybersecurity defences. The proposed amendments in this Bill could further strengthen our universities' defences and enable CSA to take stronger action to secure them as well as other entities of special cybersecurity interest if they are designated.
However, the specific list of entities designated as ESCIs should not be disclosed publicly. This is to avoid inadvertently advertising these entities as worthy targets to malicious actors.
CSA will be able to issue or approve cybersecurity standards of performance and codes of practice to stipulate the cybersecurity measures ESCIs should have in place. ESCIs will be required to report prescribed cybersecurity incidents that result in a breach of the availability, confidentiality, or integrity of the entities' data, or have a significant impact on the business operations of the entities. CSA will also be empowered to issue written directions to ESCIs, if necessary or expedient, for ensuring the cybersecurity of the ESCIs or the effective administration of the Act.
The obligations we impose on ESCIs will be moderated when compared to those imposed on CIIs or STCCs, in recognition that the impact on our national interest resulting from cyber-attacks on ESCIs may not be as severe compared to the impact from cyber-attacks on CIIs or STCCs. This ensures that regulatory obligations are commensurate with the cybersecurity risks posed.
Clause 17 introduces a new Part 3D, to cover the last new category of entities that CSA proposes to regulate for cybersecurity – providers of Foundational Digital Infrastructure service, or FDI service. Our ability to operate normally and to enable citizens to meet their day-to-day needs has become increasingly dependent on the good functioning of the digital infrastructure that powers our digital economy. The more foundational the digital infrastructure is to systems central to our work and lives, the more attractive it is to malicious actors. Infrastructural vulnerabilities can be exploited to compromise many systems and can cause widespread disruption.
The new Part 3D will allow CSA to regulate major providers of FDI service for cybersecurity. This refers to entities that serve a large number of businesses or organisations. This reflects our interest in securing ourselves against the risk of widespread disruption or deterioration of activities that rely on or are enabled by the FDI service. This also means that smaller players, who are more sensitive to regulatory costs, will not be regulated.
These major providers must be providers of FDI services specified in the new Third Schedule, which will be introduced by clause 30. The digital world moves quickly, so our approach must allow for quick adaptation and agility. For a start, the Third Schedule will cover cloud computing services and data centre facility services as they are crucial to the functioning of a wide array of digital services that enterprises and consumers use daily. As new types of digital infrastructure grow in importance to our needs, they can be added to the new Third Schedule.
CSA will be able to issue or approve standards of performance and codes of practice to stipulate to the major FDI providers that have been designated, the expected cybersecurity practices that should be in place. These providers will also be required to report prescribed cybersecurity incidents that: one, result in a disruption or degradation of the designated provider's FDI service in Singapore; or two, have a significant impact on the major FDI service provider's business operations in Singapore. Recognising that major FDI service providers provide services to clients across sectors and often across borders, CSA has been consulting closely with industry and sector leads to develop inter-operable standards, codes and operating parameters. We are mindful about compliance costs for these major providers and are committed to keeping them reasonable.
The same appeal avenues available to those designated as CII owners under the Act today will be extended to providers of essential services under Part 3A, STCC owners, ESCIs and major FDI service providers that CSA designates. For example, any entity that receives a designation notice may appeal against the designation, and regulated entities can appeal CSA's decisions, orders and directions as well. This is encapsulated in the new section 35B introduced by clause 19.
The proposed scope of the Bill is targeted and affects only providers of essential services, owners of STCCs, ESCIs and major FDI providers. These are a known and finite set, and CSA has been and will be working closely with them. The Bill does not impose cybersecurity obligations on the larger business community.
We will also enhance the Act to strengthen the administration of the Act. To improve CSA's ability to enforce the Act against recalcitrant CII owners regulated under Part 3 of the Act, clause 13(b) will amend section 15(4) to empower CSA to inspect the CII if it appears to the Commissioner that the CII owner has not complied with its obligations or has provided information requested under section 10 of the Act that is false, misleading, inaccurate, or incomplete. This is because wilful non-compliance by CII owners could jeopardise our national security and survival.
Currently, Part 5 of the Act regulates persons who provide licensable cybersecurity services. Clause 18 will provide monitoring powers for licensing officers, for the purposes of executing Part 5. In the absence of such powers, CSA could face difficulties in seeking information from uncooperative licensed cybersecurity service providers to verify their compliance with the conditions of their licences. The new provisions will give CSA powers of entry and inspection, and to require the production of records, accounts and documents from licensed cybersecurity service providers. Non-compliance with such requirements without reasonable excuse will be a criminal offence.
While we seek to strengthen CSA's ability to act and enforce the law as the national cybersecurity authority, we recognise that there are criminals looking to exploit this authority through impersonation scams. Clause 7 will make it an offence for any person to use CSA's gazetted symbols or representations without the Commissioner's prior written permission.
Clause 22 allows the Commissioner to grant an extension of time to any person required to do any action under relevant parts of the Act, as long as there are good reasons to do so. This was borne out of our experience where there were valid reasons, at times, for regulated entities to not be able to comply with the obligations of the Act under business-as-usual timelines. With this amendment, we will be able to grant time extensions if regulated entities experience extenuating circumstances.
If these proposed amendments are passed, they will expand the range of cybersecurity obligations placed on CII owners under the existing Part 3 and regulate four new classes of systems and entities for cybersecurity, while accounting for the varying degrees of risk posed to Singapore and Singaporeans. Thus, the Bill also recommends a key revision to the penalties that can be imposed for non-compliance.
In the current Act, non-compliance with statutory obligations in relation to CII is to be enforced through criminal penalties. This was appropriate as the measures imposed on CII in the 2018 Act are needed to ensure their cybersecurity and in turn the undisrupted delivery of our essential services. We needed to underscore the gravity if there was any non-compliance.
This Bill before the House today will introduce more obligations on CII owners under the existing Part 3, such as the new reporting requirements relating to peripheral systems, as well as the proposed provisions covering new classes of systems and entities.
With a wider set of proposed obligations, clause 20 gives the Commissioner the flexibility to bring an action in Court for civil penalties with the Public Prosecutor's consent. In making a recommendation to the Public Prosecutor, CSA will consider a range of factors, including the risks created by the non-compliance, egregiousness and facts of the case.
Mr Speaker, Sir, the Bill is a major update to the Cybersecurity Act given the significant shifts in the digital domain. The amendments will allow CSA to: keep pace with developments in technology and business practices; respond to evolving cybersecurity challenges in our cyber threat landscape; extend its regulatory oversight to other important systems and entities and use a risk-based approach to regulating entities for cybersecurity; and administer the Act more effectively.
This Bill will strengthen our cybersecurity, and increase trust in using online services in Singapore in our highly digitalised nation. It is calibrated to address the risks to the nation, our economy and our way of life while balancing compliance costs. In implementing the proposed new laws, our experience with the 2018 Act will serve us well and we will continue to refine our approach in consultation with stakeholders and consider new international best practices as they emerge. With that, Mr Speaker, I beg to move.
Question proposed.
Speaker
Ms Tin Pei Ling.
Tin Pei Ling (MacPherson)
Sir, the digital revolution has transformed the way we live and do business, enhancing quality of life and creating opportunities for better efficiency and growth. Major sectors such as finance, healthcare and infocomm underwent significant transformations over the past two decades.
In the 2000s, the world saw a surge in internet usage with more than one billion people on the Internet in 2005. This figure doubled in 2010. Over the two decades, technology continues to advance in many ways. Mobile phone penetration also grew rapidly, with 740 million subscriptions worldwide at the beginning of the 2000s and hitting more than eight billion 20 years later. At the same time, with the proliferation of smart phones and wide range of apps, people essentially carry a mini-computer as they move, signifying technology has become more personal and portable. Work has also become remotely possible. We can get things done anywhere anytime.
Advances in cloud computing also changed the way organisations are structured and how global business operations are carried out. Established enterprises have been harnessing cloud technologies to streamline operations, enhance scalability and reduce costs. Many new startups that are "born in the cloud" are basically cloud-enabled by design.
These developments demonstrate how technology touches nearly everything we do and how digitally interconnected we are today. So, unlike in the past when transactions and important activities could be physically siloed, systems are now highly interconnected and workers can access work systems, links and files via their smart phones and consumer-grade apps, possibly with lower standards of security safeguards. These present many opportunities, or a larger attack surface, for bad actors to launch cyber-attacks from anywhere in the world, from different angles and with new sophistication. A moment of carelessness can open up the entire network or system to attacks.
As Singapore continues to progress towards digitalisation, there is imperative in ensuring that our capacity, capability and legislation in cybersecurity keep pace with and, where possible, stay ahead of these threats.
Therefore, I fully concur with the three shifts that the Senior Minister of State highlighted in his opening speech earlier and the need to strengthen the Cybersecurity Act accordingly. I also agree in principle with the consequential amendments set out in this Bill.
However, I do have some clarifications that I would like to seek from the Senior Minister of State.
Firstly, this Bill will introduce new requirements for CII owners to also report incidents related to any computer or system under the control of a supplier that is interconnected with or communicates with the CII. In the Senior Minister of State's speech earlier, he indicated that the CII owner will only need to report incidents involving immediate suppliers. I would like to ask whether the Government will consider requiring the CII owner to monitor and report incidents for suppliers further down the supply chain in future, depending on the circumstances?
In view of the highly dynamic operating environment and tight manpower situation, how will the CSA ensure that it is not overly onerous on the CII owners? Conversely, with this expanded coverage, will the CSA be able to cope with the expected increase in incident reports? Mandating incident reports as part of enhancing detection is critical, but the ability to act on the issues and risks presented in a timely manner is just as critical. Otherwise, introducing this new requirement to enhance CSA's situational awareness will defeat its purpose.
Second, this Bill also empowers the CSA to designate a computer or system located overseas as a CII and regulate it as CII, if the owner is in Singapore.
As business operations change and cross-border supply of services is now highly prevalent, I agree fully that the CSA must have the ability to have oversight or certain degree of control over critical computers or systems, even if it is located overseas. But if the "hardware" is out of our jurisdiction and systems can operate virtually without physical boundaries, how will the CSA work with international entities and networks to enforce this?
Third, coping with the burden of compliance. Compliance is essential but it comes at a significant cost for all entities, government or non-government. This includes establishing frameworks and processes, investing in and implementing systems, ensuring a workforce that is rightly skilled and potentially high opportunity costs due to extended time-to-market. These costs can be exacerbated by the rapidly changing operating and regulatory environment, leading to anticipated revisions in legal and regulatory obligations.
Whilst there is urgency to proactively secure our critical systems, entities must be granted sufficient time for implementation to fully understand the regulations, grasp their obligations, develop strategies and execute necessary measures. Educating new entities that will now be regulated by this Act and existing entities facing new requirements must therefore also go hand-in-hand with the passing of this amendment Bill. How will the CSA and Government calibrate their implementation approach and drive greater awareness and buy-in amongst stakeholders?
In conclusion, I believe this Bill introduces new or enhances existing legal and operational mechanisms to better secure Singapore's critical systems and enhance our overall cybersecurity posture. It also ensures that the CSA has better situational awareness and stays "on top of things". But just as importantly, this is a chance for all stakeholders, directly involved or otherwise, to appreciate the dynamics and risks of our operating environment, be vigilant and take proactive steps to keep Singapore cyber secure. I support the Bill.
Speaker
Mr Gerald Giam.
Gerald Giam Yean Song (Aljunied)
Mr Speaker, the Cybersecurity (Amendment) Bill seeks to extend the regulatory reach of the CSA by updating the existing Cybersecurity Act of 2018. This includes the broadening of oversight across newly classified critical information infrastructure and the introduction of stringent compliance and reporting requirements, all aimed at addressing the escalating challenges within our digital environment.
In this age of digitalisation, cyber-attacks on critical infrastructure can pose a significant threat to our national security and well-being. Examples of cyber-attacks abound around the world. In December 2015, Ukraine experienced a significant cyber-attack targeting its power grid which resulted in widespread electricity outages across several regions. This was one of the first known successful cyber-attacks on a power grid. The attackers, who were sophisticated and well-coordinated, used phishing schemes to install malware on the networks of several regional electricity companies. They were able to gain control of the companies' systems and shut down the substations, cutting off power for approximately 230,000 people for several hours. This incident not only disrupted everyday life, but also exposed the vulnerability of essential infrastructure to cyber threats and the potential for state-sponsored cyber warfare.
In May 2017, the UK's National Health Service (NHS) was struck by the WannaCry ransomware, a global cyber-attack that infected over 200,000 computers across 150 countries. The NHS faced significant disruption as the ransomware encrypted data on infected machines, demanding payment to restore access. Approximately 19,000 appointments and operations were cancelled and patients had to be diverted from emergency rooms, which were unable to access critical digital services. The attack highlighted the importance of cybersecurity hygiene as it exploited a known vulnerability in older Windows operating systems that had not been updated with the available patches.
Here at home, in 2018, hackers infiltrated the SingHealth healthcare system, stealing the personal data of 1.5 million patients. This included information like names, addresses and dates of birth. Additionally, the medical records of 160,000 patients, including those of the Prime Minister, were also compromised. The sophistication of the attack, the type of data targeted and the resources needed for such a breach suggested that this cyber-attack may have been state-sponsored.
Each of these incidents served as a stark reminder of the chaos and danger posed by cyber-attacks. They underlined the need for robust cybersecurity measures and the ability to rapidly respond to and manage cybersecurity threats, particularly when critical national infrastructure is at risk.
Sir, under this Bill, the CSA is empowered to regulate, monitor and enforce compliance through penalties and directives. I would like to ask the Minister if the Bill grants the CSA or any other national body explicit authority to take over the operations of critical systems if their owners fail to secure them adequately despite directions from the authority.
The current provision in section 23 allows the Minister to direct organisations to take measures to counter serious and imminent threats but does not explicitly grant the authority to directly take over operations of critical information infrastructure. This explicit authority may be necessary in situations where immediate action must be taken to prevent or mitigate a cybersecurity threat that poses a critical risk.
In contrast, the Bus Services Industry Act of 2015 is more explicit in its wording about operational intervention. Section 30 of that Act grants the Land Transport Authority (LTA) the power to make a step-in order in certain circumstances. This order allows LTA to take over the operations of a licensed bus operator or appoint a step-in operator to do so.
The Bus Services Industry Act also specifies the powers and functions of the step-in operator, such as having the same powers as the original licensee and requiring the licensee to provide access to premises, assets and employees. The Cybersecurity Act is less specific about what the emergency measures and requirements may entail.
Incorporating similar provisions in the Cybersecurity Act could provide a clearer legal framework for CSA to directly intervene and take control of CIIs when necessary to protect national security or the lives of Singaporeans. This would ensure that the Government has the necessary tools to respond swiftly and decisively to imminent cybersecurity threats.
In addition, while the CSA's regulatory and enforcement roles are crucial, in instances where national security is at imminent risk, are there any additional protocols for bringing in the Singapore Armed Forces' (SAF's) Digital and Intelligence Service (DIS), to manage the cybersecurity defences of CIIs?
Does the Minister see it necessary to develop a framework that enables either CSA or DIS to respond rapidly and directly to imminent threats to our CIIs, ensuring that operational control can be swiftly transferred in a crisis? Having this operational backstop is desirable precisely because cybersecurity attacks have high potential severity and could unfold very quickly.
This will require the strengthening of public-private collaboration to ensure the seamless integration of state and commercial resources in fortifying our national cybersecurity infrastructure. In addition, CSA will need to ensure it has the necessary expertise to undertake such responsibilities when called to do so.
CSA needs to be adequately staffed and equipped with the requisite skills and technology in order to effectively manage and mitigate cybersecurity threats. Such an arrangement will be a long-run investment in our own capabilities that is worth making, both in defensive terms and to enable public-private knowledge diffusion.
Next, regarding sections 7(1)(a) and 16(a)(1), how will the Government enforce its extraterritorial judgements on overseas providers of CIIs if the owner is not in Singapore? Can the Commissioner take enforcement action outside of Singapore? If we are not able to enforce the laws overseas, what purpose do these extraterritorial provisions serve?
Finally, in section 29(a) on monitoring, relying primarily on examining historical records and conducting ad hoc examinations may not be sufficient to provide the real-time, continuous monitoring needed to keep pace with rapidly evolving cyber threats. More proactive oversight measures potentially including direct access to provider systems may be required for effective supervision.
WannaCry, the global ransomware attack in 2017, rapidly spread across computer systems over seven hours, while the 2015 Ukraine power grid hack led to electricity outages lasting up to six hours. These are events that unfolded in less than one day. If we really want to monitor with a deterrent view in mind, we need to have operational integration and develop our backstop capabilities.
In conclusion, Mr Speaker, while the Cybersecurity (Amendment) Bill makes important strides towards enhancing our national cybersecurity posture, our approach must remain adaptable to the realities of digital warfare and capable of decisive action in times of emergencies. Sir, I support the Bill, but I look forward to the Minister's responses to my comments.
Speaker
Mr Sharael Taha.
Sharael Taha (Pasir Ris-Punggol)
Mr Speaker, Sir, since its inception in 1993, the Computer Misuse and Cybersecurity Act has undergone several crucial revisions to strengthen our national cybersecurity framework.
Notably, in 2013, the Act was first amended to address the emerging cybersecurity concerns. Further enhancements in 2018 introduced the concept of CII, empowering the Commissioner of Cybersecurity with extensive authority to combat and manage cyber threats. The digital landscape has rapidly evolved over the past five years, emphasising the need for our legal framework to keep pace with these technological advancements. The Bill introduces several key changes.
Firstly, in 2018, the mandatory incident reporting for CII only covered systems under the CII owners' control. The amendments to section 14 will require CII owners to also report incidents targeting computers or computer systems under the control of suppliers to the CII owners.
Secondly, amendments to section 2 update the definition of "computer" beyond that of physical systems to give CSA the flexibility to separate virtual systems from the supporting physical infrastructure. The new section 7(1)(a) allows CSA to designate a computer or computer system located overseas as a CII. This allows CSA to safeguard our essential services, even when CIIs go into the cloud and the assets are not in Singapore.
Thirdly, the amendments to Part (3)(a) ensure providers of essential services remain responsible for ensuring the cybersecurity of the services they provide even if the CII is outsourced to a third-party vendor.
Lastly, the Bill seeks to provide wider cybersecurity assurance for Singapore's critical systems and important non-CII systems through the introduction of designating temporary systems as STCC in Part (3)(b) and designating entities as ESCI in Part (3)(c).
These amendments, Mr Speaker, are all vital in a landscape where cyber threats increasingly exploit the interconnected nature of digital systems and the supply chain. They also address the shift towards cloud computing, where many services are moving away from traditional on-premise models.
The Bill enables CSA to extend its protective measures beyond CIIs, encompassing a wider array of systems and entities under the broader umbrella of the Cybersecurity Act.
While I support this Bill, I seek clarifications on several points, mainly focusing on: one, the challenges to its implementation; two, the balance between security enhancements and the compliance burden on businesses; three, how do we manage other technologies that could pose an opportunity and also an equivalent cyber threat, such as the use of deep learning, machine learning and AI within CIIs?
Allow me to elaborate on my first point on challenges to implementation. By expanding the ambit of the Cybersecurity Act from just on-premise CII to CII and systems under the control of suppliers, essential services on cloud – even when it is offshore – and also to include STCC and ESCI, the scope of work for CSA will increase multiple-fold. Will CSA be adequately resourced to manage and implement this, given that a lot of the work requires detailed discussions and working arrangements together with the CIIs?
The requirements for suppliers to report cybersecurity incidents also raise several questions. What type of incidents must be reported and what constitutes sufficient severity? If a breach occurs in a system used by multiple customers, including CIIs, such as a cloud-based ERP system used by a CII like SAP S/4HANA, does the provider need to report breaches for instances outside of Singapore? And considering the complex dynamics and varying bargaining powers between computer vendors and CIIs, can we ensure adequate compliance? Which brings me to my second point.
The broadened reporting obligations could also impose a substantial compliance burden on CIIs, STCCs and ESCIs. The potential for increased costs and the challenge of securing legally-binding commitment from powerful computer vendors must be addressed. How can we strike a balance that ensures robust cybersecurity without overwhelming businesses with regulatory demands?
On my third point, given that these amendments are made to allow CSA to better secure Singapore's most critical systems in light of recent technological advancements, what is the Ministry's principal approach on the use of machine learning, deep learning and generative AI for CII owners? It is not unthinkable that, given the large amounts of data generated and consumed by CII owners, CII owners may have already begun to explore the use of machine learning and deep learning to optimise their processes. How do we ensure that this does not create or open up a potential cybersecurity threat for CIIs?
In conclusion, as the digital environment continues to evolve, the need to fortify our cybersecurity measures becomes increasingly critical. This Bill is a step forward towards safeguarding Singapore's cyberspace by updating our legal framework to address contemporary challenges. It aims not only to protect our most critical systems, but also to secure a wider spectrum of digital infrastructure and services. Notwithstanding the clarifications above, I stand in support of the Bill.
Speaker
Mr Mark Lee.
Mark Lee (Nominated Member)
Mr Speaker, Sir, as a highly digitised nation, Singapore's ability to function effectively has become increasingly dependent on the seamless and secure operation of our digital infrastructure.
The cyber-attack on SingHealth in 2018, which compromised the personal data of 1.5 million patients, serves as a reminder of the severe consequences a cyber breach can have on our nation's well-being and public trust. More recently, the personal information of parents and staff of 127 schools was accessed due to a data breach linked to a device management app installed on personal learning devices used by students.
Based on the Singapore Business Federation (SBF) National Business Survey 2023-2024, cybersecurity concerns, including increase in cyber-attacks, were a top trend that businesses expect to impact them in the next 12 months.
Globally, the World Economic Forum estimates that cyber crimes cost the world economy over US$1 trillion in 2020 alone, underscoring the pressing need for robust cybersecurity measures. In this context, the Government's proactive review of the Cybersecurity Act is a welcome one, which will keep pace with our evolving cyber threat landscape and business environment. However, Singapore businesses have some concerns about the potential impact of these proposed amendments.
First, we seek clarity on the criteria and processes involved in designating entities as FDIs, ESCIs and STCCs. How will businesses be informed about their designation and what is the redress process for companies to review and appeal these designations? This is crucial for businesses to understand their obligations and plan accordingly, as additional processes and resources will have to be committed to comply with the responsibilities of designated entities.
Second, considering the provisions under the Bill's Part 3(c), which detail the designation of ESCI, there is a need for clearer definitions. Many companies in Singapore operate computers that store sensitive information and could potentially fall under the broad criteria for ESCI designation.
This includes concerns about what constitutes sensitive information and what level of disruption might be deemed to significantly impact aspects, such as Singapore's defence, foreign relations, economy, public health, public safety or public order. Given that the list of designated ESCIs will not be published, businesses could be left without clear benchmarks, potentially leading to unease about being designated as an ESCI. It is crucial, therefore, that we refine our definitions and guidelines concerning these designations to prevent undue worry.
Third, while recognising the importance of enhancing cybersecurity, we must also acknowledge the additional compliance burden these new regulations will impose on our CIIs and designated entities. We urge the Government to work closely with businesses to operationalise the incident reporting requirements in a streamlined and cost-effective manner.
Fourth, the Bill does not cover standards for mandatory incident reporting or new duties on CII operators. We should ensure that these standards are developed together with industries before implementation.
Fifth, I would like to clarify if the Bill's intent is to cover personal information only and seek clarification whether the scope of the Bill will be expanded to cover other types of confidential business information?
Lastly, we would like to understand how the proposed monitoring powers for the Commissioner and Licensing Officers will be exercised and what safeguards will be put in place to prevent any misuse or abuse of these powers? While acknowledging the need for regulatory oversight, we must ensure that these monitoring activities do not impede business operations or compromise sensitive data and trade secrets.
In the next part of my speech, I would like to turn to the pressing issue of cybersecurity within our small and medium enterprises (SMEs). According to a 2020 survey by the CSA, only 34% of Singapore SMEs had implemented cybersecurity measures, leaving the majority vulnerable to cyber threats. The survey also revealed that 35% of SMEs experienced at least one cyber incident in the past year, with ransomware and phishing attacks being the most common. These findings highlight that SMEs are particularly vulnerable and that there is an urgent need to help SMEs strengthen their cybersecurity readiness, as they may lack the resources and expertise to do so effectively.
As the amended Cybersecurity Bill comes into effect, businesses, especially SMEs, along the value chain will need to develop resources and capabilities to report incidents while managing their operations effectively, promptly and accurately. We therefore encourage the Government to look into providing funding for qualified SMEs to beef up their cybersecurity posture and capabilities. There is also scope to look into how trade associations and chambers (TACs) can collaborate with SkillsFuture Singapore to encourage and incentivise businesses to equip their employees with basic cybersecurity knowledge.
At the individual level, our Government can also encourage mid-career workers to use the recent top-up in SkillsFuture credits to receive training on cybersecurity to ease the talent crunch in the cybersecurity domain.
In January this year, during the "Inclusive and Safe Digital Society" Motion, I spoke in Parliament highlighting that, in addition to capability building, SMEs also need actual and urgent support in the event of a cybersecurity attack. While time is of the essence in mitigating the impact of such incidents, many SMEs find themselves at a loss with no clear response strategy in such situations. We propose that in addition to the structured reporting framework for incidents, which will be covered by the amended Bill, the Government could also look into structuring centralised support or pooled services for SMEs to turn to for incident response and advisory services.
In conclusion, Singapore's success as a trusted and secure digital hub hinges on our ability to strike a delicate balance between robust cybersecurity measures and operational efficiency for businesses. It is therefore essential for the Government to foster the correct perception of incident reporting, from one of compliance and potential fault-finding to a supportive process that provides real assistance. As we have discussed today, the vulnerability of businesses, especially SMEs, to cyber threats, coupled with their often-limited resources, highlights the critical need for a change in approach.
Incident reporting should be seen as a partnership opportunity between the Government and businesses, where each report triggers not just a compliance check but a supportive mechanism to help businesses address and recover from cybersecurity issues responsibly and effectively.
Sir, by providing this assistance, we will reinforce a culture of security and resilience rather than one of penalty and fear. This strategic shift will ensure that responsible businesses and SMEs view engaging with cybersecurity frameworks not only as a regulatory requirement but as a valuable resource for enhancing their security posture and ensuring their continued prosperity in our digital economy. Mr Speaker, Sir, notwithstanding my clarifications, I support the Bill.
Speaker
Mr Alex Yam.
Alex Yam (Marsiling-Yew Tee)
Mr Speaker, Sir, today, as we deliberate the critical amendments to the Cybersecurity (Amendment) Act, it is imperative that we recognise the pressing need to fortify our nation's defences against the ever-evolving threats that loom over our Critical Information Infrastructure, or CII for short.
Based on the World Bank's statistics, our most recent Internet penetration rate is at 96% in Singapore, as compared to 66.2% average worldwide. Our businesses are also even more interconnected worldwide, with data transfers occurring at the click of a button. At the user front, we, of course, have well-known issues of scams and hacking threats and at a wider infrastructure level, there is even greater vulnerability.
Our CIIs are inherently vulnerable and that renders them susceptible to a myriad of cyber threats. Imagine, if you will, the intricate web of interconnected systems that underpin our essential services sector, from energy, water, banking and finance, to healthcare, transport, infocomm, media, security and emergency services and, of course, here, Government.
Envision the catastrophic consequences that could ensue if these systems fall prey to malicious actors. Consider, for instance, the potential ramifications of a cyber-attack targeting our energy grid.
With our reliance on electricity pervading every aspect of our lives, including right here in this Chamber, from powering our homes to fuelling our industries, the disruption that would be wrought by such an attack would be nothing short of devastating for our economy. We need only to look at history for precedents.
Cyber-attacks on energy infrastructure in Ukraine, which various Members have raised, and elsewhere serve as stark reminders of the vulnerabilities that plague our interconnected world today. Likewise, our financial institutions stand as prime targets for cyber criminals seeking to wreak havoc on our economy. With the click of a mouse, hackers can infiltrate banking systems, syphoning funds and destabilising markets with alarming ease.
The recent spate of ransomware attacks targeting financial institutions worldwide serves as a sobering testament to the gravity of this threat, with billions of dollars at stake and the livelihoods of countless individuals hanging in the balance. But perhaps most concerning of all of this is the potential for cyber-attacks to compromise our healthcare infrastructure.
In an era defined by a global pandemic, our healthcare systems have become more vulnerable than ever to malicious actors seeking to exploit weaknesses for their own gain. From ransomware attacks crippling hospital operations, to the theft of sensitive patient data, the stakes could not be higher when it comes to protecting our healthcare CIIs.
These examples merely scratch the surface of the myriad of threats facing our CIIs. From transportation systems to Government agencies, no sector is immune to the perils of cyber warfare. As we stand on the parapets of a digital age defined by unprecedented connectivity and innovation, the time is now for us to take decisive action to safeguard our nation's future.
These amendments are much needed. Since the introduction of the Cybersecurity Act, the CSA has had time to operationalise and learn and continue to evolve its methods to prevent attacks on our CIIs. And so, with this hindsight, we are able to come before this House to debate the amendments that are before us.
Much of what we are experiencing right now is related to how cloud computing has revolutionised the way organisations operate and is a key driver for digital transformation, bringing with it scalability, flexibility and, of course, cost savings, the most important factors for businesses today.
But a recent study by the Crowd Research Centre, with over 250,000 members in the information security community on LinkedIn and leading cloud security vendors, showed that 90% of companies and organisations are worried about cloud security. For many users, even individuals like ourselves, the ease of access to the cloud makes security challenges even more stark.
Information and data are widely available and, of course, vulnerable. Behind all of this is an alphabet soup of GDPR, HIPAA, PCI DSS, PKI, DNS, HMSs – many of which the end user is unaware of and perhaps does not even understand. But all these are critical to help to keep our data safe.
So, while the amendments before us today largely require CII organisations to ensure compliance, it is also imperative that we educate end users on the importance of data security.
Secondly, it is also important that even non-CII companies are up-to-date in their data and cybersecurity measures, as each organisation today holds a significant amount of customer data, which may cause widespread damage if lost to malicious actors.
The Bill, as it is read, is also not specific at the moment on how the monitoring of CIIs will be done, which may cause companies to under-report for fear of revealing trade secrets or expertise. It will also be helpful for CSA to assist in creating a clear and standardised reporting structure that all companies, including CIIs, can adhere to.
In conclusion, Mr Speaker, Sir, the proposed amendments to the Cybersecurity Act represent a pivotal opportunity for us to strengthen our defences against the looming spectre of cyber threats. By bolstering accountability, expanding regulatory frameworks and empowering our CSA, we can pave the way for a safer, more secure future for generations to come. Therefore, Mr Speaker, I support the amendments to the Bill.
Speaker
Ms Jane See.
See Jinli Jean (Nominated Member)
Global communications firm Edelman's Trust Barometer survey in 2023 recorded Singapore respondents as having higher trust in Singapore institutions, particularly the Government as an institution. Nonetheless, the same survey revealed respondents' worries of harm by hackers and/or technology. The Cybersecurity (Amendment) Bill is thus timely. The Bill holds businesses responsible and accountable to cybersecurity and cyber resilience, especially when the rush to embrace AI and new technologies exposes businesses to new risks.
Owners of CII, such as water, electricity and banking services, are required by the Bill to be responsible for the cybersecurity and cyber resilience of their systems. CII owners must also be prepared to report more types of cybersecurity incidents, including those that happen in their supply chains.
As the requirements appear to only hold CII owners responsible downstream, the Government could also consider articulating efforts upstream, to strengthen trust between the public and CII owners, especially when CII owners race ahead in AI and technology frontiers. Dr Gillian Koh, a senior research fellow at the Institute of Policy Studies pointed out the trust gap in her response to media outlet TODAY Online's coverage of the Edelman survey. I quote, "Unless you are younger, more tech-savvy, interested in innovation and have a positive outlook on science and technology, the mass base of people feel threatened by that sort of change."
The Bill is in the right direction and can be reinforced by measures that boost CII owners' accountability and transparency to the public. I thus seek the Government's consideration of these measures.
First, the Government could make explicit CII owners' duty to the public. In this regard, the Government could consider requiring CII owners to allocate a reasonable share of expenditure to continual strengthening of cybersecurity and cyber resilience. Such a guardrail would raise the public's confidence that CII owners would balance profit motivation and public interest.
Second, the Government could reinforce existing alliances and establish new alliances for cooperation in cybersecurity. This could be at three levels.
One, at the inter-governmental level because security threats can span borders. The ASEAN cybersecurity cooperation strategy is a progressive approach.
Two, at the technology-producer level, because cyber resilience must guide technology product development from the outset. This would reinforce technology producers' duty to buyers that include CIIs as well as end-users like the public.
Three, at the firm level, because regular information sharing between the Government and firms must be part of the efforts to counter cyber threats. Such public-private cooperation could be facilitated by proactive knowledge sharing and innovative collaboration. Allow me to elaborate.
First, proactive public-private knowledge sharing. The Government could stress-test CIIs' systems. Insights gleaned from stress tests could be shared with other CIIs, Institutes of Higher Learning and through public reports. This would set in motion a virtuous cycle for continual uplift in worker training as well as job and research programmes.
Second, innovative public-private collaboration. Innovative public-private collaboration could be modelled after the Singapore Police Force's collaboration with various banks to stem scams. Officers from these banks' anti-scam teams are stationed at the Police Anti-Scam Centre and work quickly and closely with the Police to curb scams.
To conclude, these measures of accountability and transparency would communicate that CII owners, together with the Government and core stakeholders, are active in safeguarding public interest against cyber threats. More importantly, these measures would reinforce the trust among the public, CII owners and the Government that is core to the Cybersecurity (Amendment) Bill. Mr Speaker, I support the Bill.
Speaker
Mr Melvin Yong.
Melvin Yong Yik Chye (Radin Mas)
Mr Speaker, I stand in support of the Bill, which seeks to update the Cybersecurity Act to keep pace with the developments in our cyber threat landscape and allow CSA to better secure our cyberspace and safeguard our digital way of life. However, I have some questions and suggestions.
Sir, according to the Ministry of Home Affairs, e-commerce scams have become one of the top scam types in Singapore. In 2021, there were more than 2,700 cases reported, with about $5.8 million in losses. The number of e-commerce scams more than tripled to 9,783 in 2023, with close to $14 million in reported losses by victims.
The rise in e-commerce scams comes despite concerted efforts put in place over the years by various Government agencies to combat this crime. For example, the Singapore Police Force's Anti-Scam Command was established in 2022 to consolidate expertise and resources to combat scams. Shortly after, the Online Criminal Harms Act was passed in July 2023, setting out ex-ante requirements that online platforms must adopt to better protect their consumers. The Act also allows authorities to order the swift blocking of fraudulent accounts or content, to protect other users from falling victim to scams.
The fact that we are still seeing a rise in e-commerce scams shows that criminals online have the resources to update their scam toolkit to stay ahead of law enforcement in conducting their criminal activities. And this is a real concern.
According to the annual complaint statistics by the Consumers Association of Singapore (CASE), the number of consumer complaints relating to e-commerce transactions has been rising year on year. From 2019 to 2020, the number of e-commerce complaints almost doubled from 2,236 to 4,366. This was followed by an increase of about 14.7% from 2021 to 2022, and another spike of 47% in 2023. This trend reflects the change in consumer purchasing behaviour. We now live increasingly digital lives and it is now the norm to work, shop and play online. We must, therefore, better protect consumers in the digital space.
Sir, the Bill proposes to require companies that provide digital infrastructure services that are foundational to our way of life, such as cloud service providers and data centres, to shoulder responsibility for the cybersecurity readiness of such digital infrastructure. Obligations include adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA. I fully support this.
Data centres are a prime target for malicious actors because of the sheer disruption it could cause. According to a 2023 article on CIO World Asia, a cybersecurity breach at data centres can affect major cloud service providers and the customers who use their services. Such an attack can interfere with CIIs, impact our digital society and cause serious consequences.
I would like to ask if the Ministry could share details about the incident reporting parameters and cybersecurity codes of practice or standards for foundational digital infrastructure. Does CSA intend to adopt any international standards to reduce compliance costs to businesses, which would invariably pass such costs to consumers?
In securing our digital infrastructure, we must strike a right balance between cybersecurity requirements and the impact that these requirements have on the usability of our IT systems. Many organisations today incorporate the notion of an air gap in their computer systems, as part of their cybersecurity measures. Air gaps isolate critical systems from unsecured networks, like the Internet, to prevent unauthorised access.
However, such cybersecurity controls will sit at odds with the usability of the IT systems. The greater the control, the less usable the system would be from the user's perspective. Even air gaps are vulnerable to penetration, as they give users a false sense of security. In fact, a quick online search will reveal many examples of data exfiltration techniques designed to penetrate air-gapped systems.
According to some cybersecurity experts, malicious actors are also increasingly relying on the age-old method of using USB devices infected with malware to attack air-gapped systems, such as operational technology networks.
Without compromising on our cybersecurity measures, I would like to ask how CSA intends to protect our CIIs from such security vulnerabilities while ensuring that cybersecurity requirements are not overly onerous to the point where workers and users find our IT systems unusable.
Sir, it is vital that we protect our critical operational technology (ops-tech) systems from malware and bad actors, as these can have huge ramifications on society. Imagine if a malicious actor messes with the ability of our Mass Rapid Transit (MRT) train doors to open and shut; worse still, if a cyber-attack on our power grid causes a nationwide blackout.
Such attacks on key ops-tech systems have happened. In the United States, the Colonial Pipeline ransomware attack in 2021 resulted in a widespread fuel shortage across the entire country. Any successful attack on our ops-tech systems would, without doubt, result in a significant loss of public confidence in our key public infrastructure.
However, the penetration of such systems can be extremely hard to detect. A malicious actor may test its malware by repeatedly causing nuisance, for example, by constantly creating door faults on an MRT train. Today, we would more than likely treat it as a technical issue, possibly checking that all the electrical wiring and sensors for the MRT doors are in order. But what if it was caused by malware? When, if ever, would we realise something like this has occurred? Could the persistent issues faced by our banks and telecommunications companies, pertaining to their reported service outages in recent weeks and months, have been a cyber-attack on their ops-tech systems?
Sir, my point is this: are our agencies geared to view occasional technical glitches with a cybersecurity lens? I hope that CSA could look into this and build up the necessary capabilities to address these threats.
Sir, we are living in an era where there is a greater surface area for cyber-attacks to happen. While remote and flexible work arrangements are a boon to workers, it does create additional cybersecurity penetration points for malicious actors.
The proposed changes in the Bill will help to expand the toolkits in the Cybersecurity Act to allow CSA to keep pace with cyber malicious actors and help secure our digital landscape. Even as we impose more security requirements, we must have a care on the impact that it has on the usability of our IT systems, particularly for those working in our CIIs. We must also build up our capabilities to investigate operational technology faults with a cybersecurity lens. Sir, with that, I support the Bill.
Speaker
Assoc Prof Razwana Begum.
Assoc Prof Razwana Begum Abdul Rahim (Nominated Member)
Mr Speaker, I stand in support of the Cybersecurity (Amendment) Bill 2024. The Cybersecurity Act was enacted in 2018 and established a legal framework for the oversight and maintenance of national cybersecurity in Singapore.
Mr Speaker, since 2018, the digital landscape in Singapore and across the globe has evolved at an unprecedented pace. Businesses are increasingly reliant on digital technology, including cloud-based systems, and cyber threats are becoming more frequent, more sophisticated and of increasing risk to critical industry and infrastructure.
The proposals contained in this Bill will enable us to better keep pace with these changes and will enhance our ability to protect critical infrastructure, strengthen oversight of cybersecurity practices and promote closer collaboration between the public and private sector.
Mr Speaker, the proposed amendments will place additional obligations on providers of CIIs to meet prescribed technical and safety standards with respect to data storage and continuity of service. These obligations will apply to all owner-operated and third-party-operated providers, both here and overseas.
The amendments will also introduce additional obligations on providers of CII services to report potential and actual cyber threats, including those that may pose a risk to continuity of service, and will enhance the powers of the Commissioner of Cybersecurity to act against irresponsible providers or those who fail to meet the new obligations.
Both of these proposed amendments are sensible and will enhance our ability to protect ongoing service delivery of CII in Singapore, regardless of whether the provider of that service is locally based or overseas.
Mr Speaker, this Bill also introduces three new classes of regulated entities, in addition to CIIs. These are ESCIs, FDIs and STCCs. By broadening the scope of entities, we are better placed to monitor and protect the provision of important or essential services and to reduce potential threats to these services.
Mr Speaker, I would now like to seek clarification about several issues raised by the Bill. Before I do so, I should declare that I work in a university – Singapore University of Social Sciences.
First, has the Ministry taken into account the capacity of service providers to meet the new obligations? Mr Speaker, it may take time for providers to become aware of the changes, understand the changes and the impact they may have on their businesses and then take the necessary steps to ensure compliance.
There may also be technical challenges and financial implications for some providers. It may be useful for the Ministry to undertake an engagement campaign, alerting providers to the new obligations and offering technical, practical and financial support or advice as needed. It is important that providers move towards full compliance as soon as possible, yet do not jeopardise their business operations in the process or introduce new systems that are unknowingly non-compliant.
It may also assist if the Ministry were to strengthen the existing Cybersecurity Agency toolkit to include a how-to guide that outlines in simple terms what needs to be done and where to obtain further support or advice. Such a guide could also contain information about reporting obligations, including examples of what constitutes a reportable cybersecurity incident and how to report such incidents.
Mr Speaker, I should note that CSA has indicated that regulatory requirements for both ESCIs and FDIs will be light touch. This approach recognises that while these entities are important, they do not carry the same level of risk as CII providers.
While the intention behind these measures is sensible, I am, however, concerned about the ambiguity of terms, such as "sensitive information" and "function of national interest". Without clear and objective definitions, there is a risk of subjectivity in designating entities as ESCIs. This could lead to inconsistencies in regulatory decisions and create uncertainty for businesses operating in Singapore.
There is also a need to strike a balance between regulatory oversight and fostering innovation in research and development in the digital sphere. While safeguarding critical infrastructure and sensitive data is paramount, overly burdensome regulations may stifle the very innovation Singapore relies on. It is, therefore, important that we remain vigilant to the need to protect our society and economy from cybersecurity threats without hindering the growth and development of the digital economy.
Mr Speaker, this Bill stipulates an Enhanced Incident Reporting Regime beyond those CII systems under the direct control of owners or service providers. I understand that CSA provides a security bulletin based on the United States National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD). I also understand that the Infocomm Media Development Authority encourages researchers to submit vulnerability reports.
I would welcome advice about whether the Ministry intends to further strengthen this sharing of information with related entities and the general public by promoting the development of a robust vulnerability database contextualised to Singapore.
A local publicly accessible vulnerability database would assist providers in Singapore to report threats that they become aware of and keep up to date on other threats that may impact on their security and service delivery.
Mr Speaker, this Bill also proposes to hold cloud-based service providers accountable for the security of the digital infrastructure they manage. This is sensible and will add another layer of protection of critical personal and commercial information.
I would, however, welcome advice on how the Ministry intends to enforce this obligation. Many cloud-based service providers are based overseas, outside of Singapore's jurisdiction.
Mr Speaker, my final comments relate to the proposal to enhance cybersecurity collaboration between the public and private sectors. Again, this is a sensible proposal. However, I would welcome advice about what strategies are in place to enable such collaboration without compromising the confidentiality and proprietary interests of businesses and agencies, and without imposing a financial or practical burden on businesses.
Mr Speaker, in conclusion, the Cybersecurity (Amendment) Bill is essential for Singapore's future. By updating our cybersecurity laws, we can better protect our critical infrastructure, enhance oversight of cybersecurity practices and promote collaboration between the public and private sectors.
The Minister has rightly emphasised that cybersecurity is a shared responsibility. It requires the active participation of all sectors of society, from the Government to businesses to individuals. That is why transparency, clear communication and a commitment to getting the details right are so crucial.
By updating and strengthening our cybersecurity framework, we can better defend Singapore against cyber-attacks and ensure the resilience of our nation in the digital age. This Bill is a testament to Singapore's forward-thinking approach to cybersecurity and its commitment to the safety and prosperity of our people. Mr Speaker, clarifications notwithstanding, I support the Bill.
Speaker
Order. I propose to take a break now. I suspend the Sitting and will take the Chair at 3.25 pm.
Sitting accordingly suspended
at 3.03 pm until 3.25 pm.
Sitting resumed at 3.25 pm.
[Deputy Speaker (Ms Jessica Tan Soon Neo) in the Chair]
CYBERSECURITY (AMENDMENT) BILL
Debate resumed.
Mdm Deputy Speaker
Ms Joan Pereira.
Joan Pereira (Tanjong Pagar)
With rapid and widespread digitalisation changing how almost every sector operates, from logistics to utilities, healthcare to finance, we see unprecedented opportunities for growth, innovation and progress. However, such hyperconnectivity also exposes us to pervasive and malicious cyber threats.
In 2018, we laid the foundations to safeguard Singapore's cyberspace and protect Singaporeans online with the Cybersecurity Act. A year later, in 2019, digital defence was introduced as the sixth pillar of Total Defence.
Following up on these, the amendments in this Bill will update and boost current provisions, while expanding oversight by CSA to include Systems of Temporary Cybersecurity Concern and newly created ESCIs and FDI.
The changes will strengthen the Government's regulatory powers to ensure that these vital services remain operational and resilient in the face of unrelenting and increasingly sophisticated cyber-attacks.
For the public consultation on this Bill, there were queries about whether it would be feasible for the Commissioner to require Providers of Essential Services (PES) to cease the use of an outsourced CII in the event the PES is not able to secure a legally binding commitment, given that this may potentially disrupt the delivery of essential services. The CSA's response is that it would proceed to do so if it has ascertained that the PES is unable to meet its obligations. I would like to ask what happens if there are very limited or no comparable alternative solutions? This could be due to the highly technical or monopolistic nature of a particular sector.
Regarding the proposed amendments to allow the authorities to designate computer systems of temporary cybersecurity concern due to certain events or situations, would the Ministry share more details about this?
As Singapore is a global hub for key events all year round, it is important to ensure high cybersecurity standards to retain the trust of visitors and investors. Would these powers be applicable to and do the authorities intend to extend these powers to all ancillary or supporting infrastructure, including hotels and event venues, for high-profile or high-level events held in Singapore?
As we work to attract more business and activities to Singapore, we must also stay cognisant of business costs that come with shoring up our cyber defences. I support the proposed lighter-touch regulatory regime for ESCI and FDI, which will help to strike a balance between increased compliance costs and high standards of practice. Would the Ministry consider the possibility of industry-wide initiatives that can be rolled out alongside any grants or subsidies, to better support companies in this respect? Madam, in Mandarin.
(In Mandarin): [Please refer to Vernacular Speech.]: As we work to attract more business and activities to Singapore, we must also stay cognisant of business costs that may come with shoring up our cyber defences. I support the proposed lighter-touch regulatory regime for ESCI and FDI, which will help to strike a balance between increased compliance costs and high standards of practice. Would the Ministry consider the possibility of industry-wide initiatives – that can be rolled out alongside any grants or subsidies – to better support companies in this respect?
(In English): Madam, in closing, I would like to express my support for the Bill. Let us stand united together in defence of our nation's digital sphere and ensure a safer, more secure future for generations to come.
Mdm Deputy Speaker
Mr Neil Parekh.
Neil Parekh Nimil Rajnikant (Nominated Member)
Mdm Deputy Speaker, thank you for allowing me to join this debate on a topic which is of utmost importance for all of us and especially for the business and financial community.
In March this year, a chamber of commerce in Singapore held a fireside chat with a leading expert on cybersecurity who summarised the threats and challenges for cybersecurity with these words: "The bad guys are here to stay."
Simple words, but somewhat scary and that is why this Bill before the House is most timely as not a day passes by in Singapore or any part of the world without a cybersecurity-related event taking place. Hon Members who spoke before me discussed the need for the various amendments which have been proposed in this amended legislation.
The proposed Cybersecurity (Amendment) Bill represents a significant step forward in enhancing Singapore's digital resilience. Among its key features, the Bill empowers the Commissioner of Cybersecurity with the authority to conduct on-site inspections and broadens the scope of incidents that must be reported. Importantly, it extends the definition of CII to include "non-provider-owned CII", therefore holding third-party vendors accountable when they manage essential services.
Additionally, the Bill introduces new regulated categories, such as STCC and ESCI, to address emerging threats and evolving operational risks. Through these measures, the Bill seeks to bolster our cybersecurity framework, ensuring that we stay ahead of sophisticated and rapidly evolving digital threats.
With a focus on opportunities for businesses, the amendments provide for market expansion in cybersecurity services, where businesses in the cybersecurity sector can expand their offerings to include services tailored to the new categories, like foundational digital infrastructure and digital service providers.
There are also avenues for innovation and product development, leading to new patents, intellectual property and leadership in niche markets. The increased demand for skilled cybersecurity professionals will provide more avenues for training and workforce development.
This amendment also creates an opportunity for the insurance industry to develop new products and services around cybersecurity insurance, which could become more prevalent and necessary as businesses seek to mitigate the increased risks associated with the new stringent compliance requirements.
However, these expanded definitions and updated requirements are likely to increase the regulatory burden on businesses and require companies to invest in new technologies. For smaller businesses, these increased costs may be prohibitive, potentially leading to competitive disadvantages or even business closures if they cannot afford to comply.
There are also data privacy concerns.
With the broadened scope of what constitutes sensitive digital infrastructure, businesses must handle an increased volume of sensitive data – raising data privacy and security concerns. Mismanagement of data, or failures to adequately protect data, can lead to breaches, legal penalties and loss of consumer trust, all of which can have significant financial repercussions.
Mdm Deputy Speaker, I am most concerned about the impact of the legislative changes on the SMEs as they make up the backbone of our economy. We do not want regulatory compliance to unfairly favour established companies. SMEs may find it particularly challenging to meet the new requirements due to limited budgets and cybersecurity expertise. If they fail to comply, SMEs might face penalties or be forced out of certain markets, reducing the diversity of the business ecosystem and possibly leading to consolidation in certain industries, which could stifle innovation and competition.
Also, the stringent requirements for entities of special cybersecurity interest could act as a barrier to entry for new startups in critical sectors. Meeting these high standards from the outset could be daunting and financially taxing for new market entrants.
I have a few clarifications which I wish to raise with the Senior Minister of State.
Businesses would like to have some clarity on the specific criteria that will be used to designate entities to be of special cybersecurity interest. Knowing these criteria can help companies assess their status and understand whether they fall under this designation. Organisations need to know exactly what security measures they must implement once designated as STCC.
Secondly, businesses also would like to better understand both the financial and operational impacts of non-compliance. Also, are there any exemptions or exceptions, particularly for SMEs or startups that might face significant challenges in meeting these more stringent requirements?
In its publicly available closing note on the Bill's consultation process, CSA has communicated that "further industry consultations will be conducted on the development of reporting parameters and applicable cybersecurity codes or standards". I would like to ask the Senior Minister of State in what ways chambers of commerce and trade associations can help and collaborate with the various training agencies to help prepare the workforce to meet these hidden compliance costs amidst growing manpower challenges.
Mdm Deputy Speaker, cybersecurity is a serious matter for Singapore and it impacts our reputation as a global smart city.
To ensure the proposed Cybersecurity (Amendment) Bill is effective and equitable, it is crucial to consider international best practices in its formulation. We can draw valuable lessons from the United States, where a recent Executive Order focuses on harnessing AI for advanced cybersecurity; and from the EU's Network and Information Systems (NIS) Directive, which emphasises proactive risk assessment and public-private partnerships.
Additionally, countries like Estonia have demonstrated how continuous risk assessment and collaboration can enhance digital infrastructure protection. By aligning our roadmap with these global standards, we can develop a robust and forward-thinking cybersecurity framework that not only addresses emerging threats but also fosters innovation and industry collaboration.
Mdm Deputy Speaker, notwithstanding my clarifications, this legislation has my complete support.
Deputy Speaker
Mr Desmond Choo.
Desmond Choo (Tampines)
Mdm Deputy Speaker, I rise in support of the Bill. It has been almost six years since this House debated and passed the Act; and in that time, technology has advanced rapidly. We have witnessed a surge in the use of technology across various sectors, from Government services to healthcare in the private sector. Unfortunately, this progress has also attracted malicious actors who pose a threat to our security.
In Singapore, we have seen a significant increase in data breaches, up by around 319% in the past two years alone, totalling 65,702 incidents. Cybersecurity has rightfully taken center stage globally and especially here in Singapore. It is crucial to act swiftly against such threats. A robust and regularly updated cybersecurity framework is equally important as our first line of defence.
The proposed Bill expands the responsibilities of CII owners and the oversight of CSA to cover STCCs. Additionally, it introduces two new classes of regulated entities: ESCI and FDI, which includes data centers.
For example, DBS and Citibank services saw a complete outage last year due to a technical issue at the Equinix data centre. While the services were not disrupted due to cyber-attacks or committed by malicious actors, the disruption was palpable and widely felt across the economy. We can only imagine that if malicious actors were the cause, the damage would be wider and more damaging.
Regarding CIIs, owners are currently required to report cybersecurity events involving their systems. The Bill extends this obligation to include peripheral systems connected to the CIIs. This change is crucial as it ensures a comprehensive approach to cybersecurity, focusing not only on main systems but also on peripheral ones, which are equally vulnerable. It provides a clear understanding of how cyber threats can infiltrate our networks, promoting transparency and accountability.
However, stakeholders have raised concerns about the compliance costs associated with these new obligations. What is the Ministry's current estimation on the increase in compliance costs as a result of the new requirements?
The CIIs also have the option of moving to commercial cloud solutions. How would CSA provide upstream vetting of such cloud services so that the CIIs can have greater assurance on which are the reliable commercial cloud services? Would CIIs be restricted to cloud services that are hosted in Singapore only? Are there concerns on data security of critical infrastructure if these services are hosted overseas?
Moving on to ESCIs, the Bill empowers the CSA to designate and regulate entities handling sensitive data or fulfilling roles of national importance. Maintaining the confidentiality of the list of the designated ESCIs is crucial to prevent targeted attacks by malicious actors. Stricter penalties beyond those provided under the Official Secrets Act for any wrongful communication of this list should be considered to deter potential breaches effectively. In addition, how often would this list be updated?
Under the proposed amendments, the CSA retains the power to issue written directions to designated entities to ensure cybersecurity. While entities have the option to object to such directions, it is essential to provide avenues for appeal, especially considering the potential financial implications for non-compliance.
That said, I strongly support that the fine for non-compliance is set at 10% of the total revenue of the company. This sends a strong signal to companies of their responsibility in ensuring cybersecurity. Balancing cybersecurity objectives with the legitimate commercial interests of entities is crucial, particularly for data centers and cloud service providers. Mdm Deputy Speaker, in Mandarin, please.
(In Mandarin): [Please refer to Vernacular Speech.]: We have witnessed rapid technological developments in Singapore. Technology has become an integral part of our lives, crucial for the smooth operation of various activities, whether in the Government or private sector. Unfortunately, malicious actors have caused several data breach incidents in recent years. These incidents have increased by 319% in just the past two years.
The Government would take action to strengthen our cybersecurity policies. Under the proposed Bill, the CSA will have a broader regulatory scope to ensure our cybersecurity strategies. Regulated entities will be required to comply with directives issued by the CSA or else face severe financial penalties.
I believe that by amending policies targeting new cyber threats, the security of Singapore's cyberspace will be better safeguarded.
(In English): In conclusion, Mdm Deputy Speaker, I firmly support the Bill.
Deputy Speaker
Ms Hany Soh.
Hany Soh (Marsiling-Yew Tee)
Mdm Deputy Speaker, I rise in support of this Bill. Singapore has been making monumental strides in its transformation into a Smart Nation. We are a hyper-connected, world-class, tech-driven state built upon three pillars: one, a digital society; two, a digital economy; and three, a digital government.
In the 2024 Smart City Index published by Switzerland's International Institute for Management Development, Singapore is ranked fifth out of 142 cities. In the Digital Inclusion Index published by Roland Berger in 2020, Singapore was ranked as the top global leader out of 82 countries.
However, the greater our usage and reliance on digital services and infrastructure, the more susceptible we will be to cyber-attacks which are increasing in frequency, scale and sophistication.
Apart from those shared by my fellow Parliamentary colleagues in their respective speeches earlier, this House will also recall some of the major cybersecurity incidents that we have encountered recently.
In 2018, the SingHealth data breach, where the personal data of 1.5 million patients were stolen by a deliberate, targeted and well-planned cyber-attack; in 2021, the National University of Singapore Society data breach, where the personal data of over 1,300 members were compromised; in 2023, the cyber-attack against the Marina Bay Sands that led to the theft of 665,000 customers' data; in February 2024, the cyber espionage incident that took place during the Singapore Airshow period, which resulted in a foreign military phone call being leaked abroad; and even more recently, in April 2024, a ransomware attack on a local law firm.
Clearly, the importance of cybersecurity cannot be overstated. As a nation, multinational company, SME or individual, we are all vulnerable. In broad terms, this Bill seeks to implement several changes to the Act that would enhance the security of CII operators' supply chains, regulate the usage of cloud services, regulate systems used for and during key events and designate ESCI.
Mdm Deputy Speaker, the following parts of my speech will be focused mainly on the ESCI.
Clause 16 of this Bill inserts a new Part (3)(c), which regulates the ESCIs, including by empowering the Commissioner of Cybersecurity to designate entities ESCIs and impose cybersecurity obligations on them. I seek several clarifications in this regard.
Firstly, in designating an entity as an ESCI, how promptly will the CSA notify that particular entity? Upon such designation, would any support be rendered by the CSA to such entity to ensure its familiarity with its legal obligations as an ESCI?
Secondly, a notice issued under the new section 18(1) need not be published in the Gazette, by virtue of the new section 18(4). What are the circumstances or the considerations that will go towards publication or disclosure of an ESCI's identity?
Thirdly and related to the preceding point, would actual and potential ESCIs as well as the public be able to access a database or repository of sorts, in order to review the relevant precedents and case outcomes? Potentially, such information could be unavailable to serve as valuable lessons, should they be redacted or not reported.
Fourthly, this Bill also introduces a new penalty framework. The Commissioner will be able to recommend civil penalties in lieu of criminal penalties for all offences committed by regulated entities where appropriate and impose monetary penalties on non-complying FDI providers and ESCIs. To this end, what are the factors the Commissioner may or will take into consideration when exercising his or her discretion over the appropriate penalty to be imposed?
Mdm Deputy Speaker, virtually all aspects of our lives – professional, financial, social and personal – are increasingly being digitalised. Thus, cybersecurity requires a whole-of-nation effort down to the individual, which must be constantly and diligently performed. Notwithstanding my clarifications sought, I stand in support of this Bill.
Mdm Deputy Speaker
Ms Ng Ling Ling.
Ng Ling Ling (Ang Mo Kio)
Mdm Deputy Speaker, I welcome amendments to the Cybersecurity Act 2018 through this Cybersecurity (Amendment) Bill. This will help Singapore keep pace with the developments in the cyber threat landscape and to ensure that we can continue securing Singapore's cyberspace as well as safeguard our evolving digital economy and digital way of life.
I would like to raise three clarifications to better understand the obligations of entities that will be affected by various parts of this Bill.
Firstly, the Bill will update existing provisions relating to cybersecurity of CII, to ensure continuous delivery of essential services. The amendment will require companies that provide digital infrastructure services that are foundational to our economy or way of life, to shoulder more responsibility for the cybersecurity of their digital infrastructure. The CII are defined as energy, water, banking and finance, healthcare, transport, info-communication, media, security and emergency services and the Government in the Bill.
I note that a key aspect of the Bill is to ensure that CII owners remain responsible for the cybersecurity and cyber resilience of their systems, while embracing new technological innovations, such as the use of cloud computing and new business models, through higher requirements of incident reporting. At present, CII owners are only required to report cybersecurity incidents concerning the critical infrastructure and computer systems under their control that are interconnected or communicate with their infrastructure. With the amendments, owners will, however, also have to report incidents targeting systems that are peripheral to the CII, including those from third-parties and entities in the supply chain, like in the case of the use of cloud computing.
While I understand that doing so will empower CSA to be more aware of cyber threats that could disrupt essential services and work with CII owners to proactively protect those services further, I would like to raise practical challenges that healthcare providers may face.
In the healthcare space, entities can differ significantly in operational size and digital capabilities, such as a restructured public hospital compared with a small private general practitioner (GP) clinic. The question is, whether both entities will be subject to the same requirements under the Bill? As GP clinics are encouraged to step up to take in more patients under the national Healthier SG initiative, I understand that many are also attempting to digitalise for better operational efficiency. Will the higher requirements discourage smaller healthcare providers from digitalisation? Will a more tiered requirement be more appropriate in such a critical sector for our ageing population? Perhaps, the Government can consider more sector-specific support to help better calibrate responsibilities for owners of CIIs with small, medium and large operations, considering the differing degree of complexity, nuances of virtual systems and third-party ownership in their context.
Another proposal in the Bill is to allow CSA to designate and regulate ESCIs. ESCIs hold sensitive information or perform a function of national interest so disruption to their services could potentially have adverse effects on the defence, foreign relations, economy, public health, public safety or public order of Singapore. In addition, CSA will further create two new classes of regulated entities: ESCI and FDI.
These two classes will be subject to "light touch" regulations as they are not CII. Under the Bill, CSA will be able to designate and regulate ESCI for cybersecurity. The obligations imposed on these entities will not be the same as the levels of those of CIIs.
While autonomous universities have been cited as one example of ESCIs, can the Ministry give greater clarity of what other entities can be designated by CSA to be under these new classifications? For example, will a not-for-profit social service agency taking in statutory cases of youth offenders or child protection have any probability of being designated as ESCI? While ESCI are not CII and the obligations imposed on the ESCI will not be at the same levels as that of the CIIs, will there be guidelines provided by the CSA to give more specifics as some entities, such as smaller not-for-profit organisations may not have the capabilities or resources to bear the additional cybersecurity compliance burden?
Lastly, the Bill also requires companies, such as cloud service providers and data centres to be responsible for the cybersecurity of the digital infrastructure that they manage. This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will also not be at the level of a CII.
Amendments in section 2, particularly 2(3) and 2(3)(d), introduce definitions of "virtual computers" and "virtual computer systems", as well as defining the "owner" in relation to a provider-owned CII, third-party-owned CII or system of temporary cybersecurity concern that is a virtual computer or a virtual computer system. Most of these records and databases are uploaded into cloud-based applications, which are increasingly adopted for their scalability and efficiency. The virtual nature of these assets would mean that physical inspection is often challenging, especially for third-party vendors that operate overseas.
Also, security measures are often under the control and configurations implemented by cloud providers. Although the new Bill requires at least one of the physical computing resources of the cloud service provider that support the virtual system to be deployed locally, the question remains whether the risk can be well-managed.
Therefore, greater specifications may be needed as to how owner responsibility is demarcated from those of cloud service providers. Although CII operators in essential service sectors remain answerable to CSA for any lapses, the shared nature of digital services complicates the accountability framework. We need to ensure that there are no overlapping roles or responsibilities, especially when third-party cloud services are involved.
Mdm Deputy Speaker, in closing, the amendment Bill exemplifies our Government's commitment to proactively defend and safeguard our essential services from cyber-attacks which may disrupt our way of life, especially with fast-changing developments in the cyber threat landscape. Notwithstanding my considerations raised, I support the Bill.
Mdm Deputy Speaker
Mr Darryl David.
Darryl David (Ang Mo Kio)
Mdm Deputy Speaker, as one of the most well-connected countries in the world, Singapore is constantly exposed to the risk of cyber-attacks and cyber crimes. Worldwide, countries are battling the rising scourge of cyber warfare, marked by an increase in numbers of attempted and/or successful attacks on CII by state and non-state actors.
As we have heard already, such attacks should not be taken lightly. A successful attack on CIIs, say on the healthcare or emergency services, can lead to massive disruptions in medical delivery, potentially endangering lives of hundreds and thousands of individuals.
As a case in point, Synapxe, the national health technology provider that supports 46 public healthcare institutions and 1,400 community partners like nursing homes and general practitioners in Singapore, was subjected to a Distributed Denial of Service (DDoS) attack in November 2023, which led to a seven-hour downtime in accessing the websites of public hospitals. Admittedly, the outcome of the cyber-attack could have been much worse. It is therefore timely that the Government is reviewing the scope of the Cybersecurity Bill to strengthen cybersecurity standards.
Mdm Deputy Speaker, under the proposed amendments, CII owners remain responsible for the cybersecurity and resilience of the CII and they are now required to report more types of cyber incidents, including those targeting their supply chains and peripheral systems that have been outsourced and offshored.
While I am supportive of the expanded coverage of the Bill, which will allow the CSA to become more aware of the types of cyber threats that Singapore faces, the expanded coverage of the Bill will also impose significant responsibilities on CII owners to monitor systems that are currently owned by their vendors, which could be, at this juncture, beyond their immediate or direct control and supervision. This is especially true if their vendors are located overseas or if the infrastructures used by these vendors to provide the required cyber services are located outside of Singapore.
How would the Government, in this instance, support the owners of CII to exercise oversight on these overseas vendors and suppliers, especially if these suppliers and vendors are not obliged by their own local laws to disclose instances of cyber incidents to CII owners in Singapore?
Stemming from the above question, would the refusal or inability to comply with the amendments to the Cybersecurity Bill automatically preclude vendors from supplying services to CII owners; and would the Government consider such vendors on a case-by-case basis if they are supplying unique critical services that cannot be supplied by vendors elsewhere?
Madam, one of the objectives of the amendment to the Bill is so that CSA can work with CII owners to secure their networks from cyber-attacks. Can the Government elaborate on how CSA would work with these CII owners and, possibly, their overseas suppliers and vendors to secure their systems?
And would this involve the possible secondment of CSA consultants to CII owners, their suppliers and vendors to audit and re-design their current cybersecurity system? Would there be funding or support that these companies could possibly tap on to strengthen their cyber systems, bearing in mind that different CII owners, suppliers and vendors could be at different stages of cybersecurity maturity and a one-size-fits-all cyber solution is unlikely to work.
I would like to speak next on whitelisting STCC. Under the current Government procurement framework, institutions that intend to participate in joint Government projects are mostly required to submit a bid for those projects via an open tender process. One of the specific amendments in the Bill is to allow CSA to exercise oversight over STCCs and proactively secure STCCs to ensure the cybersecurity of their systems.
While the open tender system will ensure fairness and transparency in the awarding of joint Government projects, this would also mean that tender specifications would need to include an extended elaboration on cyber security requirements, which potential STCC vendors might find difficult to meet within the tender period. This is especially so if the procurement of services by STCCs is on an urgent basis, for example, the distribution of COVID-19 vaccine, or something similar.
Would the Government, in this instance, consider setting up a whitelist of STCCs vendors and help them secure their systems ahead of time and appoint them directly for future joint projects without a public tender? If the answer is yes, then how would the Government decide which STCC to whitelist and to ensure transparency in the whitelisting process?
My final point is on the ESCI and FDI. While I can understand the rationale of having a "light touch" approach on regulating ESCI and FDI because they are not CII per se, can the Government, at this juncture, provide more information on what the "light touch" regulatory approach would look like?
Not requiring ESCI and FDI to submit audit risk reports or risk assessments to CSA and not requiring them to participate in national cybersecurity exercises might seem to defeat the purpose of designating and regulating them. Any forms of regulations, in my opinion, would need to be measurable, of course, assessable and contain penalties for non-compliance.
[Mr Speaker in the Chair]
In this regard, my question is, how we could ensure that ESCI and FDI live up to their respective cybersecurity obligations without taking for granted that they are not subjected to the Government's scrutiny.
Mr Speaker, Sir, securing CII is essential to protect our national security and to ensure that our vital services are not disrupted by cyber-attacks carried out by malicious state and non-state actors. With cyber-attacks becoming more sophisticated and becoming a part of modern warfare that is used alongside conventional warfare, indeed, strengthening our oversight over the robustness of our cyber systems is paramount in safeguarding Singapore's interest.
Notwithstanding the questions that I have raised in my speech, I am supportive of the amendments to the Bill.
Speaker
Mr Yip Hon Weng.
Yip Hon Weng (Yio Chu Kang)
Mr Speaker, Sir, before I begin, I declare that I am working in an investment firm that has investments in cybersecurity companies. Singapore's digital economy is the engine of our nation's prosperity. But just as a strong house requires sturdy defenses, our digital realm necessitates robust cybersecurity. While I support strengthening our Cybersecurity Act, I believe some of the proposed amendments warrant further discussion. I would like to seek some clarifications on the Bill.
First, Mr Speaker, Sir, the financial burden on businesses, especially SMEs, must be carefully considered. We need transparency on the true cost of compliance across different sectors. Businesses are the foundation of our economic strength. We should not burden them with unnecessary red tape.
There are several concerns I want to raise on this aspect. The amendments may increase compliance costs for these businesses. The legal jargon may be too complex, something which the public consultation document has itself acknowledged. This raises concerns for smaller businesses that lack dedicated legal resources. And the mandatory requirement for CII operators to report all incidents targeting their systems is commendable. However, excessive reporting requirements may overwhelm businesses.
With these concerns in mind, I have several questions and suggestions for the Government.
First, can the Government elaborate on the specific cost considerations that informed the drafting of the Bill? What is the expected increase in compliance costs for businesses? Are there plans to provide assistance to businesses to help them cope with the increased costs?
Next, what steps will be taken to ensure that the final text of the Act can be easily understood by businesses of all sizes and the common man? How will the Government support businesses that struggle to navigate the legal changes?
In addition, the Government must ensure that the new CII reporting requirements are clear, concise and do not create an undue burden on businesses. Can the Ministry share what resources are available to assist businesses in complying with these requirements?
I urge the Government to outline a clear plan on how it will help SMEs comply with the new requirements, including any provision of financial support or specialised guidance.
Moving on, Mr Speaker, Sir, my second topic is on the impact on innovation, which is the bedrock of our digital ecosystem. Let us not stifle it on the altar of security. We must cultivate a cybersecurity culture that prioritises both robust security and a conducive environment for innovation. Singaporean ingenuity has always thrived on calculated risks. We must not lose that spirit.
How might the amendments in the Bill affect the agility and risk-taking appetite of tech companies? In this vein, I urge the Government to elaborate on measures that will be taken to strike a balance. Can we cultivate a cybersecurity culture that prioritises both robust security and a supportive environment for innovation?
The proposed amendments rightly acknowledge the importance of allowing CII operators to leverage new technologies. This is critical for Singapore to maintain its competitive edge in the digital arena. How can we create an environment that encourages the adoption of new technologies, while maintaining the highest security standards?
This Bill also has designations like "critical information infrastructure" and "entities of special cybersecurity interest" alongside additional reporting requirements. How will these measures affect Singapore's attractiveness for data centre companies? Particularly, how will this impact smaller players, subcontractors to larger providers, who may be responsible for third-party owned CII critical to service delivery?
Third, Mr Speaker, Sir, cybersecurity threats transcend borders. We must leverage international collaboration to strengthen our defenses. Aligning ourselves with global frameworks will enhance our collective response. For this reason, I urge the Government to elaborate on how these amendments align with international cybersecurity frameworks and standards. By aligning ourselves with international efforts, we can ensure that our defenses are interoperable and effective on a global scale. Can the Government elaborate on opportunities for collaboration with other countries to enhance our collective response to cyber threats?
While this Bill focuses on data centres and cloud servers within Singapore, many service providers utilise overseas facilities. How will this Bill address this cross-border aspect? Will providers still be held responsible for breaches occurring in overseas data centres if it disrupts their services in Singapore?
Lastly, Mr Speaker, Sir, the effectiveness of the Cybersecurity Act hinges on transparency and accountability. The proposed amendments empower authorities. This power must be balanced with public trust. Transparency and accountability are the cornerstones of a strong cybersecurity posture. The public deserves to know how these measures are being implemented. Can the Government clearly outline the mechanisms that will be established to ensure transparency and accountability in the implementation of these measures? How will the public be informed about how these powers are being used?
In conclusion, Mr Speaker, Sir, in addressing the proposed amendments to the Cybersecurity Act, I have made several clarifications in my speech. It is imperative that we strike a delicate balance between fortifying our national cybersecurity stance and mitigating undue burdens on businesses, especially smaller enterprises with limited resources. Delving into industry concerns about the cost of compliance is critical to understand the specific financial implications across different business sizes and sectors to ensure transparency and sustainability. Additionally, providing clear guidance and support, particularly for SMEs, is essential to navigate the new requirements effectively.
Furthermore, fostering innovation must remain a priority alongside cybersecurity enhancements. While acknowledging the importance of leveraging new technologies in maintaining Singapore's competitive edge, it is equally critical to ensure that the amendments do not stifle innovation. Cultivating a cybersecurity culture that supports both robust security and a conducive environment for innovation is paramount for the continued growth of our digital ecosystem.
Moreover, in a world where cybersecurity threats transcend borders, international alignment is imperative. Collaborating with other countries to align with global cybersecurity frameworks and standards will enhance the effectiveness of our defenses on a global scale. Addressing the cross-border aspect of cybersecurity is vital, so that service providers are held accountable for breaches occurring in overseas facilities that impact services in Singapore.
In closing, let us fortify our digital defenses without hindering our economic progress. With careful consideration and a commitment to innovation, we can ensure Singapore remains a secure and thriving digital hub. I support the Bill.
Speaker
Mr Louis Ng.
Louis Ng Kok Kwang (Nee Soon)
Sir, this Bill will enhance national cybersecurity. It will update existing provisions relating to the cybersecurity of CIIs and expand CSA.
I commend CSA for conducting a public consultation on the Bill and publishing its responses to the feedback provided. CSA has also continued closed-door industry consultations and has committed to further consultations in coming up with codes and standards.
I have three points of clarifications to raise.
My first point is on the legally-binding commitment that designated providers are required to obtain from the owners of third-party-owned CIIs. The new sections 16A and 16F require designated providers to obtain legally binding commitments to provide certain information and notifications and to maintain certain standards.
Given that the commitment is provided by the third-party-owned CIIs to the designated providers, in the event of any breach of the commitment, the designated provider is the entity with any right to recourse.
Can the Ministry confirm that the legally binding commitment must be stated to be governed by Singapore law, subject to the jurisdiction of the Singapore courts and be enforceable in Singapore? This may be important if the third-party-owned CIIs are not located in Singapore. Can the Senior Minister of State clarify whether the Commissioner can compel a designated provider to take action against the third-party-owned CIIs pursuant to the legally binding commitment?
If so, can Senior Minister of State also clarify what are the intended actions and remedies that the designated provider is supposed to pursue against the third-party-owned CIIs in the event of a breach? Can the Senior Minister of State clarify how the remedies sought, pursuant to any breach of the legally binding commitment will serve to protect Singapore's cybersecurity? For instance, will a Commissioner require a designated provider to obtain an order of specific performance to compel third-party-owned CIIs to provide information it is required to provide under the legally-binding commitment?
If the remedy for any breach of the legally-binding commitment is only monetary damages for the designated provider, it may be difficult to see how this will contribute to cybersecurity. Can the Senior Minister of State also clarify how it envisions any remedies being effectively enforced against third-party-owned CIIs that are not located in Singapore?
My second point is on the information collected by CSA. A number of provisions empower CSA to collect information. For instance, the new sections 17A, 18A and 18H empower the Commissioner to obtain information from an entity to determine if an entity fulfils the criteria for designation.
The new section 15(4) allows the Commissioner to carry out a site inspection and audit of a provider-owned CII that appears to be in breach of any requirement. The new section 29A provides monitoring powers for licensing officers to inspect records of licensed cybersecurity service providers.
Respondents to the public consultation raised concerns about the use of such extensive powers to obtain the CII owner's business confidential information. Respondents also suggested guidelines and safeguards to prevent abuse of such powers. CSA clarified that the amendments prevent CSA from obtaining confidential information beyond the scope of what is necessary for the on-site inspection.
CSA also clarified that it would endeavour, where possible, to give notice to CII owners before conducting on-site inspections. The reality is that what is necessary for on-site inspections can be very broad, depending on how CSA scopes the investigation. This is especially since the investigation is for CSA to determine whether the CII owner has complied with any requirement or submitted any false or incomplete information. This means that the scope of investigation is likely going to be very open-ended.
Giving the CII owner notice before conducting on-site inspection also does not directly address the concerns to do with information collection. Can the Senior Minister of State elaborate on what steps will be taken to protect information obtained from respondents? How long will the information obtained be retained for and how will the information be retained?
Can the Senior Minister of State also confirm that the power to obtain information does not extend to legally privileged information, and will CSA require entities to waive legal privilege?
My third and final point is on the basis for the Commissioner's decisions and beliefs. A number of provisions allow the Commissioner to make orders or directions where it appears to the Commissioner that certain conditions are met. For instance, under the new section 16F(3), where it appears to the Commissioner that a third-party-owned CII does not meet standards and there is no reasonable excuse for failing to meet these standards, the Commissioner may order the designated provider to cease using the CII.
As I mentioned earlier, under the new section 15(4), where it appears to the Commissioner that a provider-owned CII has not met any standard or provided false or misleading information, the Commissioner can order an audit or on-site inspection. Under the new section 16F(3), where it appears to a Commissioner that a third-party-owned CII has not met any standards or provided false or misleading information, the Commissioner can order a designated provider to cease using the CII.
Can the Senior Minister of State clarify whether the Commissioner will provide the grounds of its belief for any decision made or action taken to entities subject to its decision or action? Can the Senior Minister of State share if the entity will be given the opportunity to make representations or to challenge the grounds of the Commissioner's belief?
Sir, notwithstanding my clarifications, I stand in support of the Bill.
Speaker
Senior Minister of State Janil Puthucheary.
Janil Puthucheary
Mr Speaker, I thank the many Members who have spoken for their interest in and strong support for the Bill. Sir, several Members have noted the rise in cyber threats both in Singapore and around the world and that this has become a growing concern amongst Singaporeans.
Mr Gerald Giam, Mr Alex Yam and Mr Darryl David spoke about the potentially devastating impact that a successful attack on our CII could have on the lives of Singaporeans. Ms Hany Soh spoke about recent major cybersecurity incidents and their serious consequences, while Mr Desmond Choo said that it was crucial that we have robust and regularly updated cybersecurity laws against the increase in cyber threats. I agree.
As the cyber threats we face intensify, it is clear that there is agreement in this House on the timeliness of this Bill and the need to put CSA in a better position to safeguard Singapore's cybersecurity.
Mr Melvin Yong spoke about the urgent need to tackle scams. The Government agrees. In January 2024, Minister Josephine Teo spoke about building an inclusive and safe digital society and outlined what the Government was doing to combat scams, so I will not belabour those. The Cybersecurity Act is not aimed at tackling scams. Even so, clause 7 of the Bill will allow us to take a stronger stance against impersonation scams, by making it an offence for any person to use CSA's gazetted symbols or representations without the Commissioner's prior written permission.
Cybersecurity threats are ever-evolving. Mr Melvin Yong also spoke about the need to secure operational technology (op-tech) systems. The cybersecurity of op-tech is a nascent field, but it is already one of CSA's key areas of work as part of its national cybersecurity mission. CSA has established thought leadership when it published the Op-tech Cybersecurity Masterplan in 2019, which is a strategic blueprint to guide Singapore's efforts to foster a resilient and secure cyber environment for our op-tech CII. CSA also organises the Op-tech Cybersecurity Expert Panel Forum every year, which is a platform for cybersecurity practitioners, operators, researchers and policy-makers to discuss governance policies, best practices and trends related to op-tech cybersecurity.
The Members who have spoken today have raised several important considerations in relation to the Bill and I would summarise them into three groups.
The first is: are the compliance costs arising from the cybersecurity measures introduced by the Bill justified? Secondly, how will CSA ensure that the new obligations are operationalised in a sensible and practical manner? Third and finally, will there be safeguards in place to prevent abuse, as the Bill does expand CSA's powers?
Let me address these considerations in turn.
Some Members raised concerns about the additional costs of regulatory compliance: are these costs justified? Some have suggested that such costs could even adversely impact the community of SMEs in Singapore, or industry development more generally.
To clarify, neither the Cybersecurity Act nor the amendments proposed in this Bill impose cybersecurity obligations on the business community at large. What the Act and the amendments proposed in this Bill seek to do, is to regulate only the cybersecurity of systems, infrastructure and services that are important at a national level because their disruption or compromise could affect our survival, security, safety or other national interests. This is a known and finite set of systems and entities. Our approach is a targeted and calibrated one, precisely because we recognise that regulation will involve compliance costs.
With the amendments covered in the Bill, the Cybersecurity Act will only be imposing obligations on four groups of entities. The first is providers of essential services, whether they are themselves CII owners or rely on third-party vendors for the CII. Securing the computers and computer systems that are necessary for the continuous delivery of our essential services is a matter of national security and survival.
The second group comprises owners of STCC, where the loss of a computer system, or even a system established on a temporary basis, would have a serious detrimental effect on Singapore's national interests. CSA must be allowed to proactively oversee the cybersecurity of such systems.
The third group comprises ESCIs. This is because we need them to be cybersecure if their computer systems contain sensitive information or they perform functions which if disrupted will have a significant detrimental effect on our national interests.
The last group comprises major providers of FDI services because disruption to these FDI services – the services that FDI providers provide – could have a knock-on effect, disrupting Singapore-based organisations and the lives of Singaporeans who rely on them for business operations, work and day-to-day living.
Some compliance cost cannot be avoided where regulation is concerned. It is something we are mindful of and we do not seek to regulate without good reason. For these four groups, it was a considered decision that we must have the necessary legislation in place to govern their cybersecurity because our national security and other national interests are at stake.
Cyber-attacks can have serious consequences. Where essential services are concerned, lives and livelihoods can be affected. Attacks like these can also indirectly hurt the reputation of the organisation or Singapore. They can have an external impact on the customers and business partners of the victim organisation.
These are in addition to potential financial costs. According to some reports, the average cost of a cyber-attack on an organisation with more than one thousand employees is around $71,000; and one in eight firms suffered costs of S$330,000 or more.
These security reasons are also why I had caveated in my opening speech that I will not disclose any specific real-life examples of the critical systems and entities we seek to regulate, which includes ESCIs. So, I seek Ms Ng Ling Ling's understanding that I will not respond to her query on the entities that may be designated as an ESCI. Ms Hany Soh asked whether there would be circumstances that go toward publication or disclosure of an ESCI's identity – this will be on a case-by-case basis and we must keep the security of the ESCI in mind.
Sir, the issue for consideration is not whether a regulated entity is a large company, a multinational corporation or an SME. The key consideration is whether a cyber-attack on the entity could have serious implications on our national security or other national interests. We do not take these decisions to impose obligations lightly. For instance, we are proposing the expansion of the incident reporting requirements for CII owners under Part 3 because the evidence shows that malicious actors are using CII-adjacent systems and supply chains to attack the CII; and so, we need to stay situationally aware of what is happening around the CII in order to keep the CII itself safe.
Mr Mark Lee had the impression that the Bill only focuses on personal information and does not protect other types of confidential business information. This is not the case. The Cybersecurity Act does not differentiate between protecting personal information and business information as the cybersecurity of all information in a CII must not be compromised. The Bill will do the same for the new categories of systems and entities we are proposing to regulate for cybersecurity.
Mr Sharael Taha asked how we would address the cybersecurity threats posed by machine learning and generative AI. The Act and this Bill allow CSA to compel regulated entities to take the necessary measures to mitigate cyber risk regardless of the technologies used by the regulated entities or by the malicious actors to perpetuate their attacks.
The AI landscape is still developing and relatively nascent. CSA will continue to monitor our threat landscape carefully, work with the regulated entities to take the necessary steps to protect themselves and address the challenges as the technology emerges and becomes clearer.
I would like to clarify that not all the amendments add to the operating costs of regulated entities and systems. Some of the key amendments I covered in my opening speech will allow CII owners to make use of new technologies and new business models. This can result in efficiencies while maintaining the cybersecurity of the CII. These include the use of commercial cloud solutions and demand-aggregated system infrastructure owned by a third-party. These could be business opportunities, as Mr Neil Parekh observed in his speech.
How will CSA ensure that the new obligations are operationalised in a sensible and practical manner? The technology is constantly advancing and it changes our business and operating context. The malicious actors are inventive. They continually find new ways to compromise their targets.
Several members have asked questions about how the amendments would be implemented. Underlying their questions is an important consideration. Will CSA operationalise these new laws sensibly and give regulated entities support to meet their statutory obligations? The short answer to both is yes, but I am going to give a slightly longer answer.
CSA understands the need to take into account business realities and to be practical and sensible when implementing the Act. CII owners and industry stakeholders representing potential ESCIs and major FDI service providers were consulted extensively. Many trade associations and chambers provided their views during the consultation process.
CSA's practice is – has been, will be – and is to provide ample support to our regulated entities, by helping them walk towards compliance – walking with them towards compliance.
This begins even before a system or an entity is designated. Where CSA has reason to believe that a system or entity should be designated, CSA's general practice has been to first engage the system owner or the entity to better understand their operating context, such as the cybersecurity measures already implemented and their level of cybersecurity capabilities, to ensure that any designation is appropriate. Subsequently, CSA will then work with the system owner or entity to assess what needs to be done for the entity or system to be in compliance with the Act, as well as the support and lead time that the organisation will need.
Sir, I hope this addresses Mr Mark Lee, Mr Neil Parekh and Ms Hany Soh's clarifications on the designation process, as well as Ms Tin Pei Ling's question on how we calibrate our implementation approach and Ms Joan Pereira's query on whether all ancillary or supporting infrastructure will be designated as STCCs for high-profile, high-security or high-level events in Singapore. We will only make such decisions after fully understanding the context and how the relevant systems are designed.
CSA will also consider waivers of the application of a code of practice or standard of performance on a designated entity, where possible, on a case-by-case basis to account for specific operating contexts or the developmental journey of the organisation in question.
As Mr Sharael Taha noted, our CII supply chains are getting more complex. If a breach occurs to a supply system that is not directly interconnected with or communicates with a CII, the Bill will not require the owner of a compromised system to report such breaches to CSA.
Mr Darryl David asked how we would manage if vendors and suppliers to our CIIs are not directly obliged by statute to disclose cybersecurity incidents. The principle we apply is that CII owners are responsible for the security and resilience of their essential services. That means that it is in their interest, and it is also their responsibility to be situationally aware of supply chain attacks that could affect their CII and report such incidents to CSA when they become aware of them.
It was a deliberate decision on the Government's part not to compel reporting of cybersecurity incidents from all the suppliers of a CII owner to CSA directly. Doing so would just add the reporting burden to more parties and may not be directly useful for enhancing the security of the CII itself; which ultimately, is what all this work is focused on.
Where the CII is owned by a third-party, clause 14 requires the provider of essential service from the third-party vendor to obtain legally binding commitments from the vendor that would put the provider in a position to discharge its statutory obligations, so that the cybersecurity of the CII is not compromised.
Mr Louis Ng asked several questions relating to how the Government would ensure that we would have sufficient levers against such a third-party. The intent behind these provisions is to allow the provider of essential service to consider market solutions from third-parties, so that they can be more efficient in the provision of their essential services without compromising cybersecurity. It is not to indirectly regulate these third-parties.
Where the third-party is unwilling or unable, as Mr Darryl David noted could happen, CSA could direct the provider of essential services to stop using the system owned by that third party under the provisions in new sections 16E(2), 16H(2), 16I(2) and 16J(2).
Ms Joan Pereira asked if it would be feasible for CSA to require a provider of essential services to cease using a third-party vendor in the market. Ultimately, what Part 3A seeks to do is to ensure that providers of essential services who use a third-party's system, in place of operating their own CII, do so without compromising cybersecurity. Where a provider of essential services faces certain constraints, CSA is prepared to work with them on possible arrangements that could be made. However, if there are no solutions on the market that are adequately secure, the provider of essential services should take responsibility for building the CII it needs. The security of our essential services cannot be and should not be compromised.
In response to Mr Desmond Choo's question on data security when CII owners move to the cloud, CSA will work with CII owners to conduct cybersecurity risk assessments of any migration of a CII to the cloud. The principle remains – they must be able to meet their statutory obligations with respect to the cybersecurity of the CII, regardless of the operating model.
The same principle applies to Ms Tin Pei Ling's and Mr Gerald Giam's questions about overseas CII. Under the new Part 3 provisions proposed by the Bill, the owner of the CII will be held responsible for the cybersecurity of their CII. It does not matter whether the CII is located in Singapore or located wholly overseas and designated under the new section 7(1)(a). Section 7(1)(a) only applies when the owner is in Singapore. Similarly, the new Part 3A applies to a provider of essential service located in Singapore, who will be held responsible for the cybersecurity of the CII that they rely on. It does not matter whether the CII owned by the third-party is located in Singapore or located wholly overseas. The obligations are placed on the CII owner or the provider of essential service in Singapore, so there is no extraterritorial enforcement of the provisions in new Part 3 and Part 3A.
Mr Yip Hon Weng asked how we will deal with the cross-border nature of FDI services, such as cloud services and data centre operations. We have designed the new provisions to account for this.
For example, where cloud computing is concerned, it is entirely possible that the cloud services provided to the Singapore market are provided using infrastructure that can be located in any part of the world. In fact, the ability to tap on infrastructure from any part of the world is a key part of the value proposition of cloud computing because it bolsters the resilience of a given cloud service. So, the focus of our proposed laws is not to insist that designated major FDI service providers report cybersecurity incidents affecting all their digital infrastructures around the world. Rather, the new section 18M will require them to report only prescribed incidents that result in the disruption or degradation of the designated provider's FDI service in Singapore or has a significant impact on the designated provider's business operations in Singapore.
Mr Yip Hon Weng also asked if the designated providers of major FDI service will be held responsible for breaches occurring in overseas data centres if they disrupt their services in Singapore. Sir, I would like to make it quite clear that the Act, even if amended by the Bill before the House today, does not penalise victims of cyber-attacks for being attacked. The statutory duties under the Act require the designated provider to work with CSA to prevent and mitigate the cybersecurity risks by, for instance, reporting cybersecurity incidents and complying with the necessary cybersecurity standards and written directions.
Penalties would apply when there is wilful non-compliance. Mr Neil Parekh asked about the types of penalties that could be imposed. If the proposed amendments are passed, such penalties could be criminal or civil in nature. Ms Hany Soh asked what factors would be taken into consideration on the penalties to impose for non-compliance – in making a recommendation to the Public Prosecutor, CSA will consider a range of factors, including the risks created by the non-compliance, egregiousness and facts of the case.
Assoc Prof Razwana Begum asked how we would enforce the provisions relating to major FDI service providers, if many of these providers are based overseas. Indeed, this could be the case for the cloud service sector. To facilitate enforcement, the new section 18G(6) requires a designated major FDI service provider who is located outside of Singapore, to appoint a person in Singapore to accept service of notices or directions under the Act.
Several Members pointed out that some of the operational details are not contained within the Bill. Matters relating to the technical or other standards that regulated entities must meet and how CII owners should work with the providers of cloud services they use, will be designed to reflect current business realities and prevailing industry norms. What the Bill does is to allow CSA to address these in codes of practice or standards of performance and subsidiary legislation, so that we can be more agile in reflecting the operating context. CSA will be consulting the industry on these matters, if the Bill is passed.
Many Members like Ms Ng Ling Ling, Ms Jean See and Mr Melvin Yong also gave suggestions on how the Government can provide more support to regulated entities to help them comply with their statutory obligations and provide some assurance that their cybersecurity measures are adequate. We will consider these suggestions very carefully. As CSA operationalises the new amendments, CSA will continue to take onboard stakeholder feedback. Where appropriate and feasible, we will harmonise the cybersecurity standards and incident reporting parameters to be imposed under the Act with international practices.
Mr Gerald Giam asked about step-in rights and CSA's incident response frameworks. I understand the concern to be whether CSA is adequately empowered to respond effectively to cybersecurity incidents and do what it takes to secure our CII. Part 4 of the 2018 Act already provides CSA with the necessary powers to respond to cybersecurity threats and incidents and to take appropriate measures to secure the threatened or attacked system. Operationally, CSA and the DIS of the Singapore Armed Forces (SAF) have an excellent working relationship and will work together to secure Singapore's cyberspace.
Sir, let me move on to the third consideration, that is, what safeguards are in place to prevent abuse? The Bill seeks to strengthen CSA's regulatory powers, but as some Members have pointed out, it is also important that CSA exercises its powers responsibly.
Safeguards have been built into the Act from the outset and will be extended to cover the proposed amendments.
First, any entity that receives a designation notice can appeal against it. A regulated entity may also appeal against CSA's decisions, orders and directions, as well as codes of practice and standards of performance. This appeal mechanism was created in the 2018 Act to protect regulated CII owners and will be extended to cover providers of essential services under Part 3A, STCC owners, ESCI and major FDI providers as well.
Second, the powers that the Bill seeks to confer on CSA are not unfettered. For example, the power of inspection provided for in the amended section 15(4)(d) inserted by clause 13, can only be used for the specified purpose and under the specified circumstances set out in the provision.
Third, section 43 of the 2018 Act, which we are retaining, requires specified persons to preserve the secrecy of stipulated matters that come to these persons' knowledge in the discharge of their statutory duties. This includes information relating to business, commercial or official affairs of any persons and identities of informants. Section 43 will continue to govern any such information that CSA obtains through the exercise of existing and new powers provided for by the amendments.
Ms Tin Pei Ling, Mr Gerald Giam and Mr Sharael Taha noted that the Bill will significantly expand the scope of the Act and asked if CSA will be sufficiently equipped to manage this expanded gambit. If the Bill is passed, the Government will ensure that CSA is resourced accordingly. CSA will also continue to develop its personnel and their expertise so that it can continue to deliver its mission at a high level.
I hope that I have sufficiently addressed the queries raised in this House.
Mr Speaker, cybersecurity is ultimately about risk management. The only way we can absolutely guarantee cybersecurity is to not use digital technology at all. So, the task at hand is to find the appropriate balance between security, usability and cost. The Bill is the sum of the Government's proposal to address this trilemma for the most important systems that affect the national interests. It does involve some trade-offs.
Where national interests are at stake, the Government needs to proactively ensure that security considerations are optimised. Those responsible for our CII, STCCs and FDI services, as well as our ESCIs will have to bear some compliance costs, but this is what it takes to keep Singapore and Singaporeans safe and secure in the digital domain.
Let me emphasise, again, that these proposed new laws do not extend to the wider business community. That is not to say that their cybersecurity is not important. As Mr Mark Lee had noted in his speech, confidential business information that our companies and organisations hold are also important and potentially sensitive in their own context. Our companies and organisations must recognise this and take commensurate steps to address their data security risks. The Government offers our support to them through other non-regulatory means.
For example, the SG Cyber Safe Programme is a scheme to help the Singapore business community be more cyber secure. This includes the Cyber Essentials and Cyber Trust marks, which are certification schemes that recognise enterprises that have implemented good cybersecurity practices. CSA has also developed the cybersecurity informational toolkits for companies of various profiles, to guide enterprise leaders and their employees on cybersecurity best practices.
Additionally, enterprises getting started on cybersecurity can use the Cybersecurity Health Plans programmes, where consultants help them improve their cyber resilience and help to develop a plan tailored to their needs. So, I urge all enterprises to apply for the various schemes and marks and take advantage of the resources available to uplift their cybersecurity posture.
I also thank Ms Jean See, Mr Neil Parekh, Assoc Prof Razwana Begum and Mr Mark Lee for their suggestions of other non-regulatory initiatives that the Government could consider, particularly on shifting the mindset of stakeholders from one of compliance to one of partnership. CSA will study these suggestions.
CSA has had a good track record in administering the Cybersecurity Act over the past six years. CSA works closely with the regulated entities to address their needs and concerns and, to date, no appeals have been made against CSA's decisions, orders or directions.
Sir, cybersecurity is a team effort. At the national level, we must continually improve our defences against cyber threats that are growing in scale and sophistication. Today, the Government proposes to strengthen our legislation so that we can ensure the cybersecurity of systems and entities that are important to Singapore's national interests.
Cybersecurity is a team effort and one of the important teams is the personnel that we have in our cybersecurity agency. We have been able to attract and retain officers with a high degree of expertise, professionalism and integrity; who are able to balance the considerations of security, usability and cost; who understand and believe in the mission of securing Singapore's cyberspace. Sir, I would like to thank the personnel of CSA for the important work that they do in keeping our digital systems and spaces safe for all Singapore and Singaporeans.
I thank Members for their support of this Bill. Mr Speaker, I beg to move.
Speaker
Are there any clarifications for the Senior Minister of State? Mr Gerald Giam.
Gerald Giam Yean Song
I thank the Senior Minister of State for responding to my many queries. Specifically, about the step-in order, I would just like to clarify with the Senior Minister of State whether he thinks that the step-in order of the Cybersecurity Act is on the same scale as the step-in order that is in the Bus Services Industry Act that I mentioned? Because the Bus Services Act has very specific mention of a step-in function that LTA can order. But, I read through Part 4 of the Cybersecurity Act again and I do not see anything that had the same kind of language or the same strength that the Bus Services Industry Act has. Can I get the clarification from the Senior Minister of State on that?
Janil Puthucheary
Sir, I thank Mr Giam for his question. To be clear, the way that the cybersecurity of CII is dealt with has to be part of the operations of the CII operator. So, in the example that he has cited, the step-in orders for bus functions, for example, if that function and the systems associated with that function were designated as part of a CII, then the operator that steps in would have to take on that responsibility as part of its duties to discharge that function. And that already is part of how the sectoral regulators for each domain, who are also the sectoral regulators of cybersecurity, regulate the domains.
Speaker
Any other clarifications from Members? I do not see any.
Question put, and agreed to.
Bill accordingly read a Second time and committed to a Committee of the whole House.
The House immediately resolved itself into a Committee on the Bill. – [Dr Janil Puthucheary].
Bill considered in Committee; reported without amendment; read a Third time and passed.