The Challenges Posed by Singapore's New Cybersecurity LawSecurity Leaders Debate Pros and Cons of the Measure
Some security practitioners are already raising concerns about a bill passed by Singapore's parliament on Monday that establishes an information sharing platform by appointing a commissioner of cybersecurity to obtain confidential information from owners of critical information infrastructure on their security postures.
For example, some practitioners are concerned about the law giving exclusive powers to the new commissioner to demand data or seize computers from owners of critical information infrastructure as well as others under the guise of investigations and information sharing. They argue this could hamper privacy, and they say the information sharing carries high risks (see: Singapore Refines Cybersecurity Bill).
The law recommends that the commissioner will have the power to decide the certifications a company needs to get, its security posture and best practices. Some security practitioners contend that this will make it tough for companies to plan their own cybersecurity posture and in some cases may lead to increases in costs if the recommendations provided by the commissioner are beyond the scope of a company.
"The law leans toward full disclosure rather than implementing security-by-design principles," says Aloysius Cheang, CEO for an IoT startup in stealth mode. "Thus, this law will be quite onerous to companies to prepare themselves to meet a minimum level of security competency, which itself hasn't been clearly mentioned."
Michael R. K.Mudd, managing partner at Asia Policy Partners, notes: "It provides investigative power and penalties, which may act as a wake-up call for data owners and processors to increase safeguards."
Ingredients of the New Law
The final version of the bill that was passed this week includes changes from the original draft, based on public feedback.
For example, the law now defines the owner of critical information infrastructure as the legal owner of the CII and, where the CII is jointly owned by more than one person, includes every joint owner. A legal owner will be answerable for any breach on CII.
Furthermore, computer systems in the supply chain supporting the operations of a CII will not be designated as CII, and therefore third-party vendors will not be considered as owners of CII.
Also, a CII owner will be required to disclose, upon request of the commissioner, any information requested, notwithstanding that doing so may amount to a breach of the owner's obligations contractual obligations. The law specifically states that the CII owner's performance of a contractual obligation would not be an excuse for failing to disclose the information.
And the final version of the bill narrows licensing requirements, only requiring vendors that provide penetration testing services and/or managed SOCs monitoring services to be licensed. There is no longer a requirement for individual cybersecurity professionals to be licensed; licensing will be done at the company level.
Parliament: Bill passed to grant cybersecurity commissioner powers to obtain confidential information for investigations The Straits Times SINGAPORE - Singapore will have a cybersecurity czar who is empowered to obtain confidential... https://t.co/out672rxuY #CyberSecurity pic.twitter.com/325lkxPn8V— Saeed Valadbaygi (@SaeedBaygi) February 5, 2018
Conflicts With Other Laws?
Some security practitioners say the new measure requiring full disclosure may conflict with certain privacy and data protection legislation, especially for companies that have significant operations based in Europe and elsewhere, where the privacy requirements are strict.
Also, although some security experts acknowledge that the bill will help in extracting information from the owners of CII, some fear its tough requirements may drive away companies from Singapore.
"In today's day and age, when people are concerned about data privacy, the bill seems to clearly ignore this aspect," says a Singapore-based security practitioner who did not want to be named. "The bill is regressive in nature, especially when it comes to powers given to a commissioner."
Cheang argues that the new bill gives the commissioner of cybersecurity overwhelming power and responsibility.
"There is little clarity on what critical infrastructure is, along with the standards, guidelines and best security practices that companies are supposed to comply with and be certified to ensure a good security posture," Cheang says. Plus, the bill fails to define the credentials of a commissioner, he argues.
"It is highly likely that the new commissioner may not even be a cybersecurity expert and practitioner," Cheang contends. "So it is akin to going into a surgery but the person that is going to operate on you is an administrator of the hospital and not a surgeon."
In response to the concerns raised around the exclusive powers bestowed on the commissioner, the minister for communications and information, Yaacob Ibrahim, contends that the commissioner's powers are calibrated and meant to help ensure that essential services remain available. He notes that any information to be shared with the commissioner will primarily be technical in nature. For example, it could include network and system audit logs and network configuration.
"Such powers are necessary given the potential impact from serious cybersecurity threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and way of life," Yaacob told Parliament.
The minister said the Cybersecurity Agency of Singapore will work with the sector regulators and CII owners to define the boundaries of the systems that will be designated as CII on a case-by-case basis. CII owners are ultimately responsible for the cybersecurity of their infrastructure.
Many CII owners engage third-party vendors to support their efforts. In deciding which vendors to engage and what conditions to impose on them, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the new law are met, Ibrahim says.
The government will conduct intrusive network scanning or seize computers only when the benefits outweigh the inconveniences, he adds.
The law says CII owners will be required to conduct regular cybersecurity audits to ensure that their obligations are met. This provides an added layer of assurance that the CII owner would be in compliance with cybersecurity codes of practice and standards of performance.
While the law recommends companies perform regular security testing as well as build a security operations center to detect threats early and then share that information with the commissioner, critics argue that smaller companies may find it tough to make such huge investments in security.
"It is not feasible to run individual SoCs as it doesn't justify the cost and run a periodical pen test in-house owing to the huge cost involved as the RoI is also not accrued," Cheang argues.
(Managing Editor Geetha Nandikotkur contributed to the story.)