New law mooted to minimise digital service disruptions due to cloud, data centre outages

MPs said recent outages in the banking and healthcare sectors have dented public confidence. ST PHOTO: STEPHANIE YEOW

SINGAPORE – Singapore is mulling over a new law to hold cloud services and data centre operators to greater accountability, recognising that any failure of their infrastructure could disrupt Singapore’s economy and society.

The Digital Infrastructure Act (DIA) comes on the back of recent outages in the banking and healthcare sectors that MPs said have dented public confidence.

“The DIA will focus on digital infrastructure that can cause significant impact on the economy and society, if disrupted,” Minister for Communications and Information Josephine Teo told Parliament on March 1.

She said that cloud service players and data centres power a wide array of digital services that enterprises and consumers use daily. These include online banking and payments, e-government services, ride-hailing and digital identity management.

“These operators may, therefore, need to meet higher security and resilience standards to reduce the likelihood of systemic disruptions,” Mrs Teo said during the debate on her ministry’s budget.

For instance, on Oct 14, 2023, more than 2.5 million payment and ATM transactions could not be completed by DBS Bank and Citibank customers.

The disruptions were caused by a fault in the cooling system of an Equinix data centre used by the two banks.

While the disaster recovery and contingency plans of both banks kicked in, their services were fully restored only in the early hours of Oct 15.

Also, on Nov 1, 2023, the websites of major public hospitals, polyclinics and healthcare clusters in Singapore crashed for seven hours.

Ms Tin Pei Ling (MacPherson) said that the disruptions affected the public’s trust in digital services and urged that minimum standards be put in place.

Mr Christopher de Souza (Holland-Bukit Timah GRC) also said that risks must be properly allocated to the right commercial entities to incentivise risk management.

Meanwhile, Ms Jessica Tan (East Coast GRC) and Mr Xie Yao Quan (Jurong GRC) asked how Singapore could bolster the security and resilience of its infrastructure.

Mrs Teo replied that an inter-agency task force led by the Ministry of Communications and Information is drafting the scope of the DIA, which will complement upcoming amendments to the six-year-old Cybersecurity Act.

The Cybersecurity (Amendment) Bill, to be tabled in Parliament next week, seeks to compel digital infrastructure and service providers to report cyber attacks within hours or comply with specified safety standards.

Failing to do so may result in penalties.


“While enhancing our cyber-security posture is important, it is not enough. Past outages in Singapore and elsewhere have shown that disruptions can occur due to non-cyber causes,” said Mrs Teo.

Thus, the DIA aims to address a broader set of resilience risks faced by digital infrastructure and service providers, including misconfigurations in cloud architecture and outages caused by fires, water leakages and cooling system failures, said Mrs Teo.

The Cybersecurity (Amendment) Bill and DIA borrow concepts from similar legislation in the European Union, Germany and Australia that requires major outages and cyber incidents to be reported to the authorities, among other obligations.

Players that could come under both laws in Singapore include data centre operators Equinix and Microsoft, as well as cloud service providers Google and Amazon Web Services.

Mrs Teo said the cross-border nature of cloud service providers, as well as the trade-offs between mitigating risks and compliance costs, need to be considered.

“While we cannot fully eliminate disruptions, we will do more to minimise their occurrence,” she said.

“We will continue to consult industry players and relevant stakeholders, and ensure coherence in requirements between the DIA and the Cybersecurity Act.”

Outages are not unique to Singapore. In April 2023, a fire in a Global Switch data centre in Paris brought down Google Cloud services in Europe for weeks for some customers.

A cooling system water pump failure reportedly caused water to leak into the battery room, which sparked the fire. Several French government websites and services, including the Lyon airport website, went offline.

In June 2023, an outage at Amazon Web Services left the websites of The Boston Globe, the New York Metropolitan Transportation Authority and Southwest Airlines, among others, inaccessible for hours.

Cloud downtime can cost business users US$100,000 (S$134,650) an hour, according to New York-based insurance company Parametrix Solutions.
