Proposed changes to Cybersecurity Act of S’pore, and what triggered them

The Cybersecurity (Amendment) Bill seeks to expand the Cyber Security Agency of Singapore's oversight of critical information infrastructure.

SINGAPORE - Amendments to the Cybersecurity Act were tabled in Parliament on April 3 to take into account risks introduced by suppliers, outsourcing and offshoring.

Critical information infrastructure (CII) operators in the essential services sectors remain answerable to the Cyber Security Agency of Singapore (CSA) for any lapses.

The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.

Here is a quick look at the key changes in the Cybersecurity (Amendment) Bill.

1. Securing supply chains

  • CII operators must report all incidents aimed at their systems, including those managed by or linked to their suppliers, as long as they impact the CII’s services.
  • The proposal comes after major cyber attacks around the world that have targeted peripheral systems to sabotage critical services.
    • In 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds that serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the US.
    • In 2021, Colonial Pipeline, which operates the US’ largest fuel pipeline, was forced to shut down after attackers took control of its corporate payment services, which lie outside of its critical functions.

2. Oversight of cloud services

  • The definition of “computers” will include virtual systems and cloud infrastructure – servers hosted on the internet that store and process data – which are increasingly used.
  • CII owners have the option of moving to commercial cloud solutions, such as those offered by Amazon Web Services, Microsoft or Alibaba Cloud, while still bearing responsibility for any cyber-security lapses. The CII operator must make clear to third-party vendors that they have to comply with Singapore’s rules.
  • At least one of the physical computing resources of the cloud services provider that support the virtual system has to be deployed locally.
  • Data centres, cloud services and other foundational digital infrastructure that provide services to or out of Singapore will be regulated under a framework separate from the one for main CII operators, and will be subject to “light touch” regulations. They will have to provide cybersecurity-related details upon request, report any incidents and comply with standards of performance set by CSA.
  • In 2021, critical vulnerabilities were found in cloud computing platform Microsoft Azure’s database that could permit hackers to access sensitive databases.
    • The changes to the Cybersecurity Act will make it mandatory for service providers to share details of such attacks, so that lessons can be shared with the wider industry and necessary action taken.

3. Regulation of systems used in key events

  • CSA can designate systems that are critical to Singapore for a limited period as “systems of temporary cyber-security concern” and require their owners to comply with heightened cyber-security standards.
  • Operators of designated systems will have to provide cybersecurity-related information upon request, comply with CSA’s standards, and report cyber-security incidents.
  • These can be systems used for high-profile activities akin to major vaccine distributions, forums or international events, such as the 2018 North Korea-US summit in Singapore.
    • In 2020, organisations around the world that were distributing Covid-19 vaccines were targeted by cyber attackers, who attempted to steal network log-in credentials to disrupt the distribution of doses, IBM reported.

4. Entities of special cyber-security interest

  • Some autonomous universities and others deemed entities of special cyber-security interest will have to provide cybersecurity-related information to CSA upon request.
  • Such entities are attractive targets for bad actors due to the sensitive data they hold or the functions they perform.
  • Their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety or public order of Singapore, said CSA.
  • CSA does not intend to publish the full list of designated entities, for security reasons.
