The government of Singapore released the first draft of a proposed cybersecurity bill, which contained framework for monitoring and managing the country’s digital wellbeing and gave authorities the necessary power to implement their functions. In order to enable the relevant authorities to proactively protect local critical information infrastructures (CIIs) and swiftly respond to threats and incidents, it became necessary to enable new legislations. According to a joint statement by Singapore’s Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), these new laws also facilitated information sharing across many critical sectors.
Singapore is one of the most digitally connected countries in the world, so a serious cyberattack could have catastrophic consequences if its CIIs were affected. In 2015, the Singapore government established its CSA, and has since unveiled a national cybersecurity strategy to substantiate the country’s security posture. Singapore noted recent cyberattacks like WannaCry and Petya malware as grim reminders of the country’s overall vulnerabilities to these kinds of threats, along with how frequent and sophisticated these attacks have become in recent years. With many of these attacks targeting utility plants, transportation networks, healthcare institutions, and other essential services, these incidents put a lot more emphasis on the need to improve the country’s safeguarding of their CIIs.
The newly proposed bill is aiming to establish framework to help monitor and manage the country’s national cybersecurity efforts, while empowering the government’s CSA to perform its job functions. One key component of the bill targeted CII owners through its regulatory framework, whose duties primarily entailed them being responsible for securing their own systems. According to the bill, CII owners would be responsible for providing information on technical architecture of CII, enforcing regular CII risk assessments, complying with practice codes, along with reporting any cybersecurity-related incidents.
The bill also provides distinct powers to CSA officers to address cybersecurity threats in a swift and vigilant manner. The new laws would also offer framework to oversee information sharing with and by CSA officers to help prevent, detect, counter, or investigate any kind of cybersecurity threat or incident. For regulations of selected cybersecurity service providers, the bill would introduce a new licensing model that includes those offering penetration testing and managed security operations center (SOC) services.
The goals of focusing on CII are to level out the playing field, raise maturity, and increase preparedness of the country’s industries. Singapore’s Cybersecurity Head Daryl Pereira noted that small and midsized businesses and sectors (like healthcare) generally invest less money and attention into cybersecurity, especially when compared to industries like banking. Consequently, this is one of the main reasons behind the spike in cyberattacks on CIIs like hospitals. In turn, Singapore’s cybersecurity bill would boost local readiness for cyberattacks and establish a concrete foundation for the country to continue thriving as a digital economy.