If China is defensively guarding the continent’s cybersecurity, then Singapore is, by contrast, sticking to the offensive playbook for the “smart” win.
A bill in Singapore aims to chart significant territory toward achieving a globally minded Smart Nation, which Prime Minister Lee Hsien Loong says will lean on a key cornerstone: a fortified cybersecurity ecosystem.
Since Singapore rose above the USA to take the number one spot on the Global Cybersecurity Index (GCI) 2017, the world has been watching to see whether it can continue its commitment to cybersecurity without infringing on corporate or citizen privacy.
2017 Cybersecurity bill timeline
- The Singapore Government established the CSA in 2015
- The Singapore Government published a national cybersecurity strategy in 2016
- A centerpiece of that strategy is the introduction of a new overarching law to strengthen and empower Singapore’s existing legislative framework and pave the way for the CSA to address current cybersecurity challenges
- In spring 2017 the government launched the Data Innovation Programme Office (“DIPO”) as well as a data sandbox programme. DIPO is developing a progressive data regulatory environment, helping small to medium enterprises adopt data analytics, and guiding the launch of data sharing initiatives. The data sandbox will allow for safe-mode big data experimentation by different regulatory authorities
- The omnibus bill is now in the public consultation stage. After that, it will be read in Parliament, debated and amended as necessary before being passed into law
- Passage by Parliament is expected by the end of Q4 this year or the beginning of Q1 2018
The right to protect
Some are concerned the bill—if accepted into law—may affect anyone who administers commercial or social activities on so much as a moderate scale. A significant portion of the cybersecurity bill focuses on “protecting computer systems.”
According to our previous article, these systems are very vulnerable in many countries.
“The threat from hackers is real,” explains Eugene Kaspersky, CEO of Kaspersky Lab. He warns that infrastructure authorities have to build cybersecurity controls at every level of the infrastructure to narrow their exposure to large-scale attacks.
The sweeping legislation in queue for Singapore is now at the mercy of public consultation, where a coalition of cybersec industry groups (including the U.S. Chamber of Commerce; BSA | The Software Alliance; and the Information Technology Industry Council) hopes for clarification on what “protecting critical information infrastructures (CII)” entails.
In other words, the common query, according to a separate article in Lexology, is “if, in the absence of a designation from the Commissioner [of Cybersecurity], an organisation has a responsibility to determine for itself whether it owns any CII.”
The CII designation is a classified label, under Singapore’s Official Secrets Act.
Cybersecurity bill goals
- Empower the Cyber Security Agency of Singapore (CSA) to defend against cyber threats.
- Introduce regulations for CII
- Establish SOP for sharing cybersecurity information, integrating with CSA
- Instill a “light-touch” licensing framework
Three letters for cybersec providers: CII
As it stands, the CIIs of interest thus far are businesses [located partially or exclusively in Singapore] that provide technology services, including SaaS or PaaS, or cybersecurity services, such as endpoint security or threat detection services.
The following providers are advised to be cognizant of the obligations under this Cybersecurity Bill:
- Cybersecurity services that are non-investigative: design, solutions, event monitoring and advising
- White Hat Sec Ops: forensics and security incident response
Vendors of self-install cyber protection don’t fall under the CII provision thus far; rather, they would continue to follow obligations under the Personal Data Protection Act.
“The CSA’s chief, formally known as the Commissioner for Cybersecurity, can issue a written notice to designate your computer system as a CII. The Commissioner has the power to request for technical or other information on your computer system before making a CII designation.”
A computer system will be designated as a CII if it is necessary for the continuous delivery of essential services in Singapore. These sectors have been identified as essential: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
Resolve Systems, an enterprise-wide incident response, automation, and orchestration platform, recently opened an APAC regional headquarters in Singapore that provides Security Incident Response technology to organizations, helping them to stay in compliance with the legislation. Read more in the recent press release.
A modicum of Sec Ops industry growth
According to Foo Tsiang-Tse, the managing director of Quann, a Singapore-based cybersecurity vendor:
“[National infrastructure] vulnerabilities could emerge from lack of comprehensive security strategy that encompassed all network layers, applications and devices.” He adds that cybersecurity “should include network design and integration, optimisation, and management. Scalability, in particular, was critical, he said, adding that public safety features should be available as software upgrades, so networks could support future requirements.”
To learn more, read Resolve Systems’ white paper: Security Incident Response Needs a Unified Platform.
Resolve Systems is a vanguard for addressing the entire Security and IT framework: Security, IT Ops, Service Desk and NOC. We are unparalleled in providing flexible and customizable automation orchestration options.
The Singapore legislation allocates certain roles for notifying the government of a security breach to make sure companies are responding to cybersecurity incidents efficiently. To be compliant with the legislation, every CISO will need an efficient security incident response plan in place to notify the Commissioner of Cybersecurity and to resolve all security incidents. Though notification of a breach will be mandatory, Singapore companies are responsible for their own incident response. Resolve Systems is the global leader in security incident response automation and orchestration. With a single platform for CISOs and SOCs to see all security threats, Resolve will help teams expedite response.
To learn more, come see a live demo at our booth 19-21 at Govware 2017.
The EU’s General Data Protection Regulation goes into effect May 25, 2018. What does that mean for your cybersecurity team? The most critical facets of the GDPR for cybersecurity teams are:
- Protecting personal data
- Erasing data, when requested and on demand
- Notifying EU citizens of a breach of their confidential data within 72 hours