Next year, the Singapore parliament will consider a cybersecurity bill that was revised after government officials reviewed numerous public comments on a draft version. The purpose of the bill is to establish a framework for the oversight and maintenance of cybersecurity in the government and the private sector.
The Ministry of Communications and Information, or MCI, and the Cyber Security Agency of Singapore, or CSA, made changes to the bill after obtaining feedback on the draft cybersecurity legislation released in July. Those offering feedback included members of the public, local and international organizations, and representatives of industry and academia, CSA notes.
The revised bill narrows the proposed licensing framework for vendors and drops the strict regulations that had accompanied it. Other changes include refinements to the definitions of the commissioner, who would interact with the government as well as industry players; of critical information infrastructure; and of risk and audit management.
Some security experts say the bill could be a good preliminary step toward improving data security in Singapore.
“Compliance alone won’t create an adequate security posture for the industries involved, but it will make them accountable to achieve and maintain a certain security baseline,” says a CISO of a bank in Singapore, who asked not to be named.
Changes Based on Feedback
In July and August, CSA participated in dialogues with industry organizations and attended clarification sessions organized by professional associations to address queries regarding the bill. Additionally, the MCI and CSA held several closed-door consultations with key stakeholders, including those from the 11 critical information infrastructure sectors.
“Respondents were generally supportive of the bill,” CSA says in a statement. “However, several respondents expressed reservations with the proposed licensing for certain cybersecurity vendors. They felt that the requirements to be imposed on businesses should not be too onerous. Several suggested simplifying the licensing framework, or making it voluntary, through an accreditation regime.”
The draft cybersecurity legislation had proposed making licensing mandatory for all security vendors. The revised bill narrows the licensing requirement to providers of penetration testing and security operations center services.
“This is a practical move taking into account that Singapore is a small country with a shortage of cybersecurity talent and a high local demand for services that exceeds the local supply,” says Tom Wills, director at Ontrack Advisory, a consulting firm.
Dharshan Shanthamurthy, CEO at SISA Information Security, a payments security specialist, says: “It remains to be seen what norms are going to be considered for licensing moving forward and if it’s going to add an additional burden for organizations addressing the Singapore market.”
Defining Critical Information Infrastructure
The lack of a clear definition of critical information infrastructure, or CII, has created confusion among practitioners about which of their assets are the most critical and need protection. The new bill makes it mandatory for firms to maintain certain security postures for CII, as defined in the bill.
The draft legislation had defined critical information infrastructure as a computer or computer system that is necessary for the continuous delivery of essential services on which the nation relies. Many of those commenting on the proposal, however, said the proposed definition was too broad and asked for more clarity on the scope of "computers" and "computer systems."
As a result, CSA has clarified in the revised bill that computers in the supply chain used for supporting CII will no longer be included in this definition.
Audits and Risk Assessments
Some commenters on the draft bill said its proposal to require that firms conduct audits and risk assessments at least once every three years was inadequate, given the pace of technological change and the dynamic nature of the cybersecurity threat landscape.
“Once in three years was absolutely not enough when it comes to effectively responding to today’s threat environment, which evolves in real time,” Wills says. “Again, critical infrastructure providers will have to go further than what is required for compliance if they’re going to achieve an adequate security posture.”
CSA tells Information Security Media Group: “We will consider increasing the minimum required frequency for audits and risk assessments to ensure that the objectives of the bill can be met. Sectors will also be allowed to conduct audits and risk assessments at a higher frequency as may be required in the sectoral regulations.”
Powers of the Commissioner
The bill creates the new position of commissioner of cybersecurity, who would be appointed by the minister in charge of cybersecurity. The commissioner would interact regularly with industry and manage the nation's day-to-day cybersecurity issues.
According to CSA, several of those offering feedback on the draft measure said the broad powers of the commissioner to investigate cybersecurity threats and incidents should be subjected to safeguards.
In response, CSA states: “The bill provides for calibrated powers of investigation, for the prevention and countering of cybersecurity threats, depending on the severity of the threat or incident. The commissioner’s powers over CII owners as well as powers that the commissioner may invoke and authorize in cases of serious cybersecurity incidents have been specified in the bill.”
Critical First Step
Some security practitioners say the proposed legislation would be a good start toward improving protection of critical infrastructure against cyberattacks.
“It is really just a beginning, since real security is an ongoing process rather than a one-time action, which requires the full cooperation of government, critical infrastructure providers and security service providers,” Wills contends. “There’s still a lot more work to be done in terms of execution, and as always, results are what count.”
The audit process, experts say, is about more than paper compliance. "It's not just about getting certified VAPT [vulnerability assessment and penetration testing] service providers," says Ken Soh, CIO and director of e-strategies at BH Global. "I personally believe in getting VAPT vendors who have strong world-class credentials … and real CII hacking experiences."
Shanthamurthy notes: "Information security risk assessments should be made annual and should not be linked to audits. It should be a separate exercise that should be carried out annually using well-accepted and known methodologies like NIST, ISO 27005 or OCTAVE."