Singapore To Refine Upcoming Cybersecurity Bill Following Public Feedback

The Singapore government will finetune several provisions in the country's upcoming cybersecurity bill in response to public feedback regarding its proposed licensing framework and definition of responsibilities.

Slated to be introduced in parliament early-2018, the Cybersecurity Bill was first unveiled in July this year and touted as a necessary step to enable the relevant authorities to take proactive measures to protect local critical information infrastructures (CIIs) and swiftly respond to threats and incidents. It listed 11 sectors considered to own CIIs, including water, healthcare, government, maritime, energy, and aviation.

Amongst the proposed new laws was a regulatory framework that formalised the duties of CII providers in securing systems under their responsibility, including before a cybersecurity had occurred. Should they breach any mandate outlined in the legislation, CII operators faced a fine of up to S$100,000 or imprisonment of up to two years, or both.

The bill also would introduce a licensing model for the regulation of selected cybersecurity services providers as well as individuals, including those that offered penetration testing as well as managed security operations centre (SOC) services.

Public feedback on the proposed legislation was sought and these now would be considered as part of efforts to "refine" several aspects of the bill, according to a joint statement by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), which received 92 submissions from the industry. These included law firms such as Allen & Gledhill, which said it submitted its feedback on behalf of nine financial institutions, all three local carriers--M1, StarHub, and Singtel--consulting firms such as PricewaterhouseCoopers Risk Services and KPMG, and tech vendors such as Amazon Web Services, FireEye, Microsoft, and Palo Alto Networks.

Amongst the feedback were requests for a clearer definition of systems that were deemed to be part of CIIs, which CSA said would exclude computer systems "in the supply chain supporting the operation of a CII'. As such, third-party contractors would not be considered CII owners.

The duties of CII owners also would be streamlined and aligned with other existing codes and standards to which these operators already would have to adhere in accordance with their respective sectoral regulations.

In addition, reservations were expressed with regards to the licensing of cybersecurity service providers, which some said would impact the development of the local industry. To "strike a balance" between security needs and industry development, MCI and CSA said individual cybersecurity professionals would no longer need to be licensed.

In addition, the bill would not distinguish between "investigative" and "non-investigative" services that needed to be licensed. "At this point, we intend to license only penetration testing and managed SOC monitoring service providers, as such services are already mainstream and widely-adopted," the government organisations said.

They added that the duration of service record-keeping would be slashed from five years to three years, in response to feedback that the new framework would impose an administrative burden on licensed service providers.

Elaborating on this, CSA and MCI said: "We intend to keep licensing fees minimal and requirements simple to minimise the operational costs on businesses. The licensing framework will be light-touch when introduced and will be akin to a registration regime. We do not foresee significant operational costs on businesses."

The government entities further noted industry support for provisions to protect voluntary disclosure of information in good faith, which they concurred would improve timeliness of information-sharing with regards to cyber threats.

They said the bill already included protection of informers, adding that CSA was not compelled to reveal the identities of such informers during criminal proceedings. The cybersecurity agency further noted that it was exploring other "administrative arrangements" to facilitate and encourage information-sharing.