A landmark Bill to fortify Singapore’s essential services against cyber attacks was passed into law on Monday (Feb 5), but not before Members of Parliament raised some concerns. These included compliance costs for businesses that could be passed on to consumers, and whether the measures would infringe on personal data.

Under the Cybersecurity Bill, owners of critical information infrastructure in 11 key sectors that provide essential services must report cyber-security incidents and provide information to the Commissioner of Cybersecurity. This is so that the authorities may assess the impact or potential effects of an incident, and prevent other incidents from happening, for instance.

Industries with critical information infrastructure are those dealing with energy, water, banking and finance, healthcare, transport (including land, maritime and aviation), infocomm, media, security and emergency services, and government.

The Commissioner — who is the chief executive of the Cyber Security Agency of Singapore (CSA) — is also given powers to investigate cyber-security incidents, categorised according to the seriousness of the threat and the responses needed.

Owing to the interconnectedness of computer systems, the CSA will also have the authority to investigate threats relating to systems in Singapore, including those that are not deemed critical information infrastructure.

COMPLIANCE COSTS

On Monday, 19 MPs rose to speak during the three-hour debate on the Bill.

A number among them touched on the costs that businesses — including small and medium-sized enterprises (SMEs) — may have to bear in enhancing cyber-security measures.

Talking about the “exorbitant” costs of audits, reporting and risk assessments, Nominated MP Mahdev Mohan asked if the Government had plans to minimise added compliance costs borne by firms.

Pointing to data revealed during a recent proposal to amend the United States Homeland Security Acquisition Regulation, he said that putting in place cyber-security rules includes having independent assessments that could cost a company more than US$150,000 (close to S$200,000), and up to US$350,000 in equipment costs to carry out continuous monitoring.

“If these processes are not properly managed in Singapore, considerable sums could be unproductively spent,” Assistant Professor Mohan said.

Mr Zaqy Mohamad (Chua Chu Kang GRC), said that consumers would be concerned if these costs trickle down to them.

In response, Communications and Information Minister Yaacob Ibrahim said that the Government bears much of the cost to burnish cyber-security and strengthen responses to threats at the national level, including regular cyber-security exercises and deploying national cyber-incident response teams to counter threats.

Many critical information infrastructure owners already have cyber-security measures in place as a result of regulations in sectors such as banking and finance, he noted, adding that the requirements under the Bill were “carefully scoped and are considered not too onerous”.

Acknowledging that the Bill would have cost implications for some owners of critical information infrastructure, Dr Yaacob said that the authorities would work with the sector regulators to streamline the cyber-security and incident-reporting processes, so as to minimise regulatory costs where possible.

He urged owners and their vendors to consider not only the costs of putting the measures in place, but also the cost of potential breaches, which could dent their reputations. “If organisations follow security-by-design practices, they will spend less overall in the long run to fix cyber-security issues,” he said.

MPs also raised concerns that requirements under the Bill and investigations into systems could encroach on the privacy of individuals, especially when they contain sensitive personal data, such as health records held by insurance firms.

Dr Yaacob assured the House that the measures and requirements under the Bill are mainly technical, operational or procedural in nature and are “non-intrusive with respect to personal privacy”. Any information required to deal with threats would also be “primarily technical and not personal”, he added.

ACCOUNTABILITY FOR OVERSEAS SYSTEMS

Aljunied GRC MP Pritam Singh from the Workers’ Party noted that some entities hosting critical information infrastructure have parts of their systems located overseas, and asked how the Bill ensures that this does not render such infrastructure susceptible to cyber attacks.

Ms Sun Xueling (Pasir Ris-Punggol GRC) asked how owners of critical information infrastructure that have systems housed away from Singapore would be held accountable for their cyber-security responsibilities.

Dr Yaacob said that a significant majority of critical information infrastructure is based wholly or partly in Singapore, and owners of systems that are partly based here would still have to comply with the laws.

While some systems serving important functions here may be located outside Singapore completely or operated by organisations based abroad, Dr Yaacob said that the Government cannot control such systems as they fall outside the country’s jurisdiction. There could also be potential conflicts with regulatory regimes in other countries.

The authorities have, however, forged strong global partnerships and links with overseas computer emergency response teams to aid in investigations into incidents.

Non-Constituency MP Daniel Goh and Nee Soon GRC MP Louis Ng suggested that the Bill mandate the reporting of all cyber-security breaches, but Dr Yaacob said that this would be resource-intensive for the CSA and firms, especially SMEs.

Other features of the Bill include a licensing framework for providers of penetration testing and managed security operations centre monitoring services.

A public consultation exercise on the draft Bill, held between July and August last year, drew 92 submissions. Of these, 61 were from companies and 13 from associations.

After the exercise, the authorities dropped plans to license individual cyber-security practitioners as part of the Bill. Instead, the CSA will work with the industry to establish voluntary accreditation and certification regimes to raise the quality of cyber-security services.

Source:
courtesy of TODAY

by KENNETH CHENG

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]