Highlights of the Singapore Cybersecurity Bill

If China is defensively guarding the continent’s cybersecurity, then Singapore is, by contrast, sticking to the offensive playbook for the “smart” win.

A bill in Singapore aims to chart significant territory toward achieving a globally minded Smart Nation, which Prime Minister Lee Hsien Loong says will lean on a key cornerstone: a fortified cybersecurity ecosystem.

Singapore is upholding its new post at #1 on The Global Cybersecurity Index (GCI) 2017, proffering its latest CyberSec bill to the public for review.

Since Singapore rose above the USA to take the number one spot on the Global Cybersecurity Index (GCI) 2017, the world has been watching to see whether it can continue its commitment to cybersecurity without infringing on corporate or citizen privacy.

2017 Cybersecurity bill timeline

  • The Singapore Government established the CSA in 2015
  • The Singapore Government published a national cybersecurity strategy in 2016
  • A centerpiece of that strategy is the introduction of a new overarching law to strengthen and empower Singapore’s existing legislative framework and pave the way for the CSA to address current cybersecurity challenges
  • In spring 2017 the government created the Data Innovation Programme Office (“DIPO”) as well as a data sandbox programme. DIPO is developing a progressive data regulatory environment, helping small to medium enterprises adopt data analytics and guiding the launch of data sharing initiatives. The data sandbox will allow for safe-mode big data experimentation by different regulatory authorities
  • The omnibus bill is now in the public consultation stage. After that, it will be read in Parliament, debated and amended as necessary before being passed into law
  • Passage by Parliament is expected by the end of Q4 this year or the beginning of Q1 2018

The right to protect

Some are concerned the bill—if accepted into law—may affect anyone who administers commercial or social activities on so much as a moderate scale. A significant portion of the cybersecurity bill focuses on “protecting computer systems.”

According to our previous article, these systems are very vulnerable in many countries.

“The threat from hackers is real,” explains Eugene Kaspersky, CEO of Kaspersky Lab. He warns that infrastructure authorities have to build cybersecurity controls at every level of the infrastructure to narrow their exposure to large-scale attacks.

The sweeping legislation queued up for Singapore is now at the mercy of public consultation, where a coalition of cybersec industry groups—including the U.S. Chamber of Commerce; BSA | The Software Alliance; and the Information Technology Industry Council—hopes for clarification of what “protecting critical information infrastructures (CII)” entails.

In other words, “if, in the absence of a designation from the Commissioner [of Cybersecurity], an organisation has a responsibility to determine for itself whether it owns any CII,” is the common query, according to a separate article in Lexology.

The CII designation is a classified label, under Singapore’s Official Secrets Act.

Cybersecurity bill goals

  1. Empower the Cyber Security Agency of Singapore (CSA) to defend against cyber threats.
  2. Introduce regulations for CII
  3. Establish SOP for sharing cybersecurity information, integrating with CSA
  4. Instill a “light-touch” licensing framework

Three letters for cybersec providers: CII

As it stands, the CIIs of interest thus far are businesses [located partially or exclusively in Singapore] that provide technology services, including SaaS or PaaS, or cybersecurity services, such as endpoint security or threat detection services.

The following providers are advised to be cognizant of the obligations under this Cybersecurity Bill:

  • Cybersecurity services that are non-investigative: design, solutions, event monitoring and advising
  • White Hat Sec Ops: forensics and security incident response

Vendors of self-install cyber protection don’t fall under the CII provision thus far; rather, they would continue to follow their obligations under the Personal Data Protection Act.

“The CSA’s chief, formally known as the Commissioner for Cybersecurity, can issue a written notice to designate your computer system as a CII. The Commissioner has the power to request for technical or other information on your computer system before making a CII designation.”

A computer system will be designated as a CII if it is necessary for the continuous delivery of essential services in Singapore. These sectors have been identified as essential: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.

Resolve Systems, an enterprise-wide incident response, automation, and orchestration platform, recently opened an APAC regional headquarters in Singapore that provides Security Incident Response technology to organizations, helping them stay in compliance with the legislation. Read more in the recent press release.

A modicum of Sec Ops industry growth

According to Foo Tsiang-Tse, the managing director of Quann, a Singapore-based cybersecurity vendor:

“[National infrastructure] vulnerabilities could emerge from lack of comprehensive security strategy that encompassed all network layers, applications and devices.” He adds that cybersecurity “should include network design and integration, optimisation, and management. Scalability, in particular, was critical, he said, adding that public safety features should be available as software upgrades, so networks could support future requirements.”

To learn more, read Resolve Systems’ white paper: Security Incident Response Needs a Unified Platform.

Resolve Systems is a vanguard for addressing the entire Security and IT framework: Security, IT Ops, Service Desk and NOC. We are unparalleled in providing flexible and customizable automation orchestration options.

The Singapore legislation allocates certain roles for notifying the government of a security breach to make sure companies are responding to cybersecurity incidents efficiently. To be compliant with the legislation, every CISO will need an efficient security incident response plan in place to notify the Commissioner of Cybersecurity and to resolve all security incidents. Though notification of a breach will be mandatory, Singapore companies are responsible for their own incident response. Resolve Systems is the global leader in security incident response automation and orchestration. With a single platform for CISOs and SOCs to see all security threats, Resolve will help teams expedite response. 

To learn more, come see a live demo at our booth 19-21 at Govware 2017.
