Cloud, data centre operators in Singapore to come under proposed amended Cybersecurity Act


SINGAPORE - Cloud service providers and data centre operators may soon have to comply with Singapore’s cyber-security laws under proposed legislative amendments to better protect people’s way of life here.

The Cybersecurity (Amendment) Bill seeks to widen the oversight of the Commissioner of Cybersecurity beyond critical information infrastructure (CII) owners – such as banks, telecommunications companies and energy companies – to include others in charge of key digital infrastructure.

This is so more can be done to safeguard systems and entities that increasingly play an important role in meeting Singapore’s connectivity, computing and data storage needs. Businesses, for instance, are stepping up their use of cloud computing. For individuals, a growing proportion of their work and daily lives now takes place online. 

“Our ability to function has become increasingly dependent on the good functioning of the digital infrastructure that underpins this connectivity,” said the Cyber Security Agency of Singapore (CSA) in its consultation paper launched on Dec 15 to gather public feedback on the proposed amendments.

“Disruptions to the functioning of digital infrastructure can also have a significant impact, given the potentially pervasive knock-on impact on the services that rely on them.”

The digital infrastructure players in question could include data centre operators Equinix and Microsoft, as well as cloud service providers Google or Amazon Web Services, if they have a large market share here.

The aim is to prevent widespread service disruptions caused by malicious hackers. Organisations added to the Act could be asked to report cyber attacks within hours or comply with specified safety standards, failing which penalties may be imposed.

“The Bill seeks to ensure that Singapore’s cyber-security laws remain fit for purpose and can address the emerging challenges in cyberspace,” said the CSA.

The one-month consultation ends on Jan 15, and is the first review of the five-year-old Cybersecurity Act, which sets out a framework for the oversight and maintenance of national cyber security.

Under the Act, the CII sectors are government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency services, and media.

Their obligations include having specified safeguards, reporting cyber attacks within hours and complying with directions issued by the commissioner – Mr David Koh, chief executive of CSA – to better secure the systems under their charge. 

Institutions that participate in joint projects with the Singapore Government could also come under the amended law. They store sensitive information, potentially making them of special interest to malicious actors. Cyber attacks on them could be detrimental to the defence, foreign relations, economy, public health, public safety or public order of Singapore.

The Bill requires designated digital infrastructure players and entities of special cyber-security interest to follow similar obligations currently imposed on owners of CIIs, or face penalties for non-compliance. Their obligations have yet to be spelt out, pending industry consultation.

Systems set up temporarily to support high-profile international events in Singapore, such as the World Economic Forum or Shangri-La Dialogue, and those set up to support the distribution of vaccines during the Covid-19 pandemic will also come under the Bill.

Owners of these systems will be obliged to follow similar rules that apply to CII owners for a year, or face criminal penalties for non-compliance. If the Bill is passed, subsidiary legislation and further administrative guidance on the operational details will be published. 

As part of ongoing efforts to combat scams, CSA has proposed a new section in the Act making it an offence to use a symbol or representation that is identical to CSA’s without the commissioner’s written permission. It will also be an offence to use a symbol or representation that is confusingly similar to that of CSA.

“In recent times, CSA has received reports of unauthorised persons claiming to represent CSA in order to carry out scams against members of the public,” said CSA.
