Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.
Concerns about the Cyber Security Agency (CSA) of Singapore’s far-reaching powers had surfaced during the consultation. Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.
Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: “The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage.”
CSA’s powers, like those of the police, are calibrated and are strictly meant to keep the lights on for essential services, Mr Leong said.
In announcing on Monday (Nov 13) its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure would no longer be an official secret under the Official Secrets Act.
The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of critical information infrastructure, such as those in banking, telecom and energy sectors, report security breaches and attacks “within hours”.
Similar mandatory data breach reporting requirements have been in place in the US, Europe, Japan, Australia and South Korea for years.
Mr Shlomo Kramer, founder and chief executive officer of Israeli cyber-security start-up Cato Networks, said Singapore is, in fact, playing “catch-up” with these nations in this respect.
“Such regulation will move the needle in a positive way and make organisations feel accountable,” said Mr Kramer, who also co-founded what was the first firewall solutions provider, Check Point, in 1993.
He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.
Checks and balances – which are included in the proposed Bill – prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.
Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore’s cyber-security Bill could be compared to similar laws in the United States and Britain, said Mr Boland.
Said lawyer Koh Chia Ling from law firm OC Queen Street: “The general global trend is that countries are enacting such laws and Singapore is essentially doing the same.”
Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes. “The loss or compromise of such computers and computer systems could adversely affect national security or public health, safety and order,” said Mr Ow.
Technology lawyer Bryan Tan of Pinsent Masons MPillay said that debates are ongoing in the United States, just as they have taken place in Singapore, arising from an ever-growing tension between security and privacy.
Referring to preserving privacy in the US, he added: “All bets are off when it comes to fighting terror or a national security issue – no one will compromise.”
Owners of critical information infrastructure said the Bill is necessary. They are waiting to work out implementation details with CSA and their sectors’ regulators.
A spokesman for telco Singtel said: “The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation.”
An M1 spokesman said: “It is important that the powers under the Bill are exercised reasonably.”
Meanwhile, such stringent reporting requirements are not new to the banking sector.
Mr Patrick Chew, OCBC Bank’s head of operational risk management, said: “Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber security incidents.”