New law aims to strengthen critical information infrastructure in the island nation

A bill aimed at establishing a framework for the legal oversight and maintenance of national cybersecurity in Singapore passed in Parliament yesterday.

In light of last year’s WannaCry ransomware attack, power grid hacks in Ukraine, and recent cyber-attacks against global media outlets, the Cybersecurity Bill places strong emphasis on the “proactive protection” of the island city-state’s critical information infrastructure (CII).

In addition to imposing a series of obligations on those operating in various CII sectors, the bill will authorize the Cyber Security Agency of Singapore (CSA) to prevent and respond to cybersecurity threats and incidents, while establishing a licensing framework for cybersecurity providers.

Taking the floor yesterday, Yaacob Ibrahim, Singapore’s Minister for Communications and Information, cited the limitations of the country’s existing Computer Misuse and Cybersecurity Act (CMCA) as a leading factor in the establishment of fresh, targeted legislation.

“The CMCA, which mainly deals with cybercrimes such as the unauthorized access of computer material, does not provide a regulatory framework for the routine and proactive protection of CII,” Ibrahim stated.

“The Cybersecurity Bill seeks to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore, with an emphasis on the proactive protection of CII against cyber-attacks.”

While the CMCA and other relevant legislation will continue to govern the investigation and prosecution of cybercriminals, the new bill will impose obligations on entities operating in the defined CII sectors of energy, water, banking and finance, healthcare, transport, information communications, media, security and emergency services, and government.

Under the new law, CII owners will be required to conduct cybersecurity audits. As with the Notifiable Data Breaches scheme that is due to be implemented in Australia later this month, reporting of cybersecurity incidents will also be mandatory for those organizations.

Non-compliance with the obligations will carry a maximum penalty of S$100,000, two years’ imprisonment, or both.

According to Ibrahim, Singapore remains an attractive target to attackers because of its high dependence on internet-based transactions.

“In 2017 alone, we saw attacks against our government agencies, universities, financial institutions, both large and small enterprises and individuals who had their computers locked by ransomware,” the minister stated.

“With cyber-threats growing globally, the bill is timely to empower CSA to safeguard essential services from disruptions by cyber-attacks, prevent and respond to cybersecurity threats and incidents, and to establish a licensing framework to improve the credibility of cybersecurity services in Singapore.”