Singapore’s cybersecurity agency proposes law update

The Cyber Security Agency of Singapore (CSA) is proposing to amend the Cybersecurity Act 2018 through the Cybersecurity (Amendment) Bill, which parliament has seen through first reading on the 3rd of April. 

The law that came into force in August 2018establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. 

This is the first time amendments to the law have been proposed. The objective of the bill is to update the act so that it keeps pace with the developments in the cyber threat landscape, as well as our evolving technological operating context. 

Josephine Teo , Minister for Communications and Information, explained that CSA is seeking to amend the law to reflect the increasing importance of ensuring the cybersecurity of the digital infrastructure and services that power Singapore’s digital economy and enable citizens to meet their day-to-day needs, beyond the current critical information infrastructure (CII) it covers today.  

The bill proposes to update existing provisions relating to cybersecurity of CII and expand CSA’s oversight to cover the cybersecurity of systems of temporary cybersecurity concern (STCCs). 

In addition, we will be creating two new classes of regulated entities, which will be subject to a light-touch regulatory treatment. These are entities of special cybersecurity interest (ESCI) and foundational digital infrastructure (FDI). 

CII are computer systems that are necessary for the continuous delivery of essential services, like water, electricity, banking services and more. 

The key aspect of the Bill is that it will ensure that CII owners remain responsible for the cybersecurity and cyber resilience of the CII, even as they embrace new technological and business models, like the use of cloud computing.  

CII owners will also be required to report more types of incidents, such as those that happen in their supply chains. 

This is so that CSA can have better situational awareness of the cybersecurity threats that could potentially cause disruptions to our essential services and work with CII owners more proactively to secure our essential services. 

Also, the bill proposes to allow CSA to proactively secure STCCs — computer systems that are critical to Singapore and are at a high risk of cyberattacks because of certain events or situations. 

An example of an STCC would be the temporary systems used to support the distribution of critical vaccines during a pandemic. During the COVID-19 pandemic, the vaccine distribution systems deployed by healthcare organisations around the world were targeted by malicious cyber actors. 

Besides CIIs, there could also be other entities that are important to Singapore. The bill also allows CSA to designate and regulate ESCI for cybersecurity if they hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore. 

Examples of such entities could include autonomous universities. Since they are not CII, the obligations imposed on the ESCI will not be at the same levels as that for CIIs. 

Further, the bill requires companies that provide digital infrastructure services that are foundational to our economy or way of life (such as cloud service providers and data centres) to shoulder responsibility for the cybersecurity of such digital infrastructure. 

This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will not be at the level of a CII.