SINGAPORE is getting ready to vote on the proposed Cybersecurity Bill which will impose stricter requirements on critical information infrastructure (CII) owners and cybersecurity vendors to plug remaining security gaps across various industries.
A draft of the Computer Misuse and Cybersecurity Act was made available on July 10 for public consultation. It would require CIIs to report any security breach they undergo as well as making it compulsory for vendors to obtain a license before being able to provide highly sensitive services.
— EY Singapore (@EY_Singapore) July 10, 2017
The drafting of the Bill comes in line with Singapore’s crackdown on weak cybersecurity defenses in the wake of a series of cybercrimes that have battered corporations and governments across the globe in the last three months. The government has put into place a handful of foreign and domestic policies to shore up their cyberdefenses. These include working with international allies and pouring money into strengthening the weak defenses of CII owners, such as those that control transportation, healthcare, banking and communications.
The law is two years in the making, according to the Straits Times that spoke to Singapore’s Cyber Security Agency (CSA). Chief executive David Koh said the Bill in question would be specifically targeted at tackling cybercrimes though there are hopes of a future omnibus Bill that would oversee the entire cybersecurity landscape.
“Around the world we have seen attacks affecting critical infrastructures such as energy and power supply,” Koh said, referring to the recent WannaCry and NotPetya attacks. The Bill would be in particular effect against large-scale attacks like those as it would bestow expanded powers to the CSA chief to investigate threats and incidents to ensure essential services remain untouched.
Koh also warned though Singapore’s critical sectors remained unaffected by the global attacks in the last two months, the country had to remain vigilant, particularly as hackers become increasingly sophisticated in the long term. Singapore, he said, remains vulnerable unless CII owners take the necessary steps to protect themselves in the long term.
The Bill will also standardize security protocols across all industries in both the private and public sectors to ensure organizations are able to share information with regulators and officials investigating any future attack.
The Bill aims to harmonize the requirements to protect CII across the public and private sectors. It also aims to clarify organisations’ obligations to share information to facilitate the investigations of cybersecurity threats or incidents undertaken by CSA. Other policies include CIIs submitting to regular security audits and risk assessments by a third party as well as compliance with regulators.
Cybersecurity vendors providing investigative and security management services will be required to obtain licenses to conduct their work, which could prove to be cumbersome and costly for smaller firms.
“It is a matter of (time that) cybersecurity incidents happen in Singapore,” PwC Singapore’s Asia-Pacific cybercrime and financial crime leader Vincent Loy told the Straits Times.
“This cybersecurity Bill will provide a good foundation for Singapore to manage cybersecurity risk… for the continuous delivery of essential services.”