Proposed cybersecurity laws tweaked following public feedback

Posted by SGCS Admin, 13-11-2017

Following public feedback, the Government will scrap plans to introduce a licensing regime for cybersecurity professionals.


Cybersecurity service providers will also face less stringent controls, such as being bound by the Official Secrets Act (OSA).


These are among the changes that will be made to the Cybersecurity Bill that will be tabled in Parliament early next year. The draft Bill, unveiled in July this year, aims to beef up Singapore’s defences against increasingly sophisticated cyber-attacks by requiring critical information infrastructure (CII) owners in 11 key sectors — including healthcare, government, media, and banking and finance — to report cybersecurity incidents and to share information with the authorities when ordered.


At a media briefing, the Cyber Security Agency (CSA) said concerns were raised during a six-week public consultation exercise on the Bill that certain clauses were too sweeping. Conducted from July 10 to Aug 24, the public consultation exercise garnered 92 submissions, of which 61 came from companies and 13 from associations.


The initial plan was to introduce a licensing regime for cybersecurity providers and practitioners who offer penetration testing and who manage security operations centre services.


But industry players feared this approach could stunt the growth of a vibrant cybersecurity ecosystem. They also pointed out that they may not be able to bring in help from global cybersecurity service providers at short notice as a result, which could hamper time-critical operations.


The CSA said the Bill will do away with licensing for individual practitioners. Instead, the agency will work with the industry to establish voluntary accreditation regimes to raise the quality of cybersecurity services.


Some of those who gave feedback said the proposed definition of CII — computer systems necessary for the continuous delivery of essential services — was “too broad”.


The CSA will thus tighten the definition to refer only to systems that are “explicitly designated” by the Commissioner of Cybersecurity. This means that third-party vendors helping with the operations of a CII, for instance, will not face the same requirements imposed on CII owners, such as reporting cybersecurity incidents.


Plans to bind CII owners to the OSA will also be done away with, after industry players highlighted some practical challenges. For instance, CII owners may need to reveal certain information to their vendors, or when communicating with their employees based outside Singapore.


While the CSA will remove the requirement, it stressed that CII owners will need to ensure the technical and operational details are kept confidential.


There were also concerns over the broad powers in the hands of the Commissioner, with some calling for safeguards. But the CSA emphasised that the powers of investigation are calibrated according to the severity of the cyber threat.


While the Commissioner may authorise the seizure of a computer without consent in the event of a serious threat or incident, the Bill specifies that such actions may be taken only if the Commissioner is satisfied that there is “no less disruptive method of achieving the purpose of the investigation”.


The CSA also pointed out that its officers may be criminally liable should they misuse any of the information obtained.


“The Bill gives CSA the powers to investigate and to respond in the event of a cybersecurity incident that affects the nation. It doesn’t give CSA broad powers to oversee every computer in Singapore,” said CSA’s chief executive David Koh.


“The Bill actually defines the powers that CSA has, and it’s only in respect to the event of a cybersecurity incident.”


The Bill, if passed, is expected to take effect in the second half of next year.