Cybersecurity Act
Answers questions about the Cybersecurity Act, explaining its purpose, key provisions, and how it safeguards Singapore’s critical information infrastructure.
What is a Critical Information Infrastructure?
Under section 7(1) of the Cybersecurity Act, a Critical Information Infrastructure is a computer or a computer system located wholly or partly in Singapore, necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.
What is the profile of the Critical Information Infrastructure (CII) in Singapore?
The Cyber Security Agency of Singapore (CSA) has worked closely with Sector Leads to identify the Critical Information Infrastructure (CII) supporting the provision of essential services across 11 critical sectors.
The critical sectors are Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services. The list of essential services in these sectors is published in the First Schedule of the Act.
Under Section 7 of the Act, CII refers to specific computers and computer systems that are explicitly designated by the Commissioner of Cybersecurity. Firms and sectors as a whole are not themselves designated as CII.
The list of CII and CII owners will be finalised before CSA and Sector Leads implement the Cybersecurity Act in the second half of 2018. The list of CII and CII owners is secret for national security reasons.
How does the Cyber Security Agency of Singapore (CSA) determine the list of essential services?
In arriving at the list of essential services in the Cybersecurity Act, the Cyber Security Agency of Singapore (CSA) took reference from the list of critical sectors in the Computer Misuse and Cybersecurity Act (CMCA). CSA also surveyed the definition of "essential services" in other jurisdictions.
CSA then identified a total of 11 sectors with Critical Information Infrastructure. For each of these 11 sectors, CSA worked with the relevant Sector Lead to identify their essential services based on criteria such as the impact on Singapore's economy.
We do not preclude gazetting new essential services in the future.
How vulnerable are our Critical Information Infrastructures (CII)? Have any of our CII networks been compromised or experienced attacks?
As a hyper-connected business hub, Singapore is vulnerable to cyber-attacks which are increasing in scale and sophistication. While we were fortunate to have escaped relatively unscathed so far, we have seen our share of cyber-attacks. One example is the breach of MINDEF's I-net system in February 2017 where the personal data of 850 national servicemen were leaked. In May 2017, Advanced Persistent Threat (APT) actors targeted two of our top universities.
Although none of our Critical Information Infrastructure (CII) has been disrupted, the global WannaCry and Petya malware attacks, which also surfaced in Singapore, are reminders of our vulnerability. We can expect more attempts to breach our cyber defences.
To enhance our defences against increasingly sophisticated cyber-attacks, the Cyber Security Agency of Singapore (CSA) works closely with Sector Leads to ensure that CII owners have the capabilities and measures in place to detect, respond to and recover from cyber threats and cyber-attacks. CSA has been advocating that organisations take cybersecurity into consideration when designing systems and networks, so that defences against attacks are built into robust systems from the start and not added later as an afterthought.
Section 7 of the Act states that a Critical Information Infrastructure (CII) is designated for a period of 5 years. Why is there a duration period for a CII?
Over 5 years, many aspects of the Critical Information Infrastructure (CII) may have changed, including its business, industry, clientele and market share. Hence, it is useful to re-evaluate the status of a CII from time to time.
What are the key objectives behind proposing amendments to the Cybersecurity Act 2018, and how can they address the latest cybersecurity threats?
The key objective for the proposed amendments is to allow our cybersecurity legislation to keep pace with changes in technology, business models and our threat landscape. This is so that we can continue to ensure our cyberspace is safe and secure as Singapore progresses as a Smart Nation.
The amendments will address three significant shifts in the operating context since 2018.
Firstly, technology and business models have changed. For instance, cloud computing is increasingly mainstream, and digitalisation has opened up new opportunities for our CIIs. We need to ensure that our cybersecurity legislation for our CII keeps pace with such developments. Secondly, the cyber threat landscape has evolved. Malicious actors are increasingly exploiting the connections between their targets and adjacent systems, or attacking through the supply chain. We need to update our laws so that we can stay ahead of such threats. Lastly, digitalisation has accelerated in Singapore, and we are now more reliant on technology for businesses and in our way of life. As such, it is important that the scope of our cybersecurity legislation goes beyond the CII, and also secures the digital infrastructure and services that Singaporeans rely on for business and their way of life.
Given that the virtual systems are hosted on cloud, why are the cloud service providers not regulated?
The CII regulatory framework is intended to protect and secure systems that are necessary for the delivery of essential services in Singapore. This is achieved by holding the person who delivers an essential service in Singapore, that is, the owner of a provider-owned CII or the Provider of Essential Service as the case may be, responsible for the cybersecurity of the systems necessary to deliver the essential service, regardless of whether the CII is on-premises or virtual. As such, cloud service providers will not be regulated under CII regulations.
This notwithstanding, in recognition of Singapore’s dependence on digital services, including cloud services, major cloud service providers and data centre providers will be regulated as major Foundational Digital Infrastructure (FDI) service providers under the Bill. The FDI regulatory framework will ensure that infrastructure provided by major FDI service providers meets baseline cybersecurity standards, and will provide CSA with oversight of the threats affecting them.
What is the difference in statutory obligations between CII and STCC?
As STCC are systems that are important only for a limited time period from a cybersecurity perspective, the obligations placed on their owners reflect this. Many of the longer-term obligations placed on CII owners will therefore not apply. STCC owners will not be required to carry out biennial cybersecurity audits and annual risk assessments. Owners of STCCs are also not required to participate in cybersecurity exercises.
How has CSA taken stakeholder feedback into consideration during the consultation process, and how will it continue to engage stakeholders if the Bill is passed?
Generally, respondents expressed support for the Government to do more to enhance and improve the cybersecurity of CIIs and other important entities and their systems.
Some respondents raised concerns that the draft Bill, if passed, could potentially raise the cost of doing business for those who would be regulated. Enhanced cybersecurity understandably comes at a cost, but that cost can be mitigated. CSA will adopt a calibrated approach to balance business considerations, cost effectiveness and cybersecurity, and will continue to engage with industry and CII owners to make mitigating arrangements, e.g. longer timelines for the reporting of less significant incidents.
CSA will continue to work closely with stakeholders to operationalise the proposed amendments. A grace period will be given to newly regulated entities to comply with the new provisions.
Why do the amendments not go further to mandate cybersecurity measures for all or impose more stringent cybersecurity standards across a larger segment?
As the cyber threat landscape evolves, it is important for businesses and organisations to put in place a level of cybersecurity that is commensurate with the risks and threats that they face. This means that there is no one-size-fits-all approach when it comes to cybersecurity measures and cybersecurity standards. For this reason, CSA is mindful of the compliance cost that would be incurred if certain cybersecurity measures or standards were made mandatory for a broad base of businesses and organisations.
Hence, for the broad base of businesses and organisations, CSA’s approach has been to make resources and programmes available to support their cybersecurity journey through the SG Cyber Safe Programme. This includes free cybersecurity toolkits to guide businesses and organisations on the cybersecurity measures appropriate to their context, free self-assessment tools such as the Internet Hygiene Portal, and CISO-as-a-Service cybersecurity consultants to help businesses and organisations develop tailored Cybersecurity Health Plans and get help with closing their cyber hygiene gaps.