Published on 07 May 2024
(A) Introduction
a. All Members who spoke have given strong support for the Bill. Several Members noted the rise in cyber threats both in Singapore and around the world and that this has become a growing concern amongst Singaporeans.
b. Mr Gerald Giam, Mr Alex Yam, and Mr Darryl David spoke about the potentially devastating impact that a successful attack on our CII could have on the lives of Singaporeans. Ms Hany Soh spoke about recent major cybersecurity incidents and their serious consequences, while Mr Desmond Choo said that it was crucial that we have robust and regularly-updated cybersecurity laws against the increase in cyber threats. I agree.
2. As the cyber threats we face intensify, it is clear that there is agreement in this House on the timeliness of this Bill, and the need to put CSA in a better position to safeguard Singapore’s cybersecurity.
3. Mr Melvin Yong spoke about the urgent need to tackle scams. The Government agrees. In January 2024, Minister Josephine Teo spoke about Building an Inclusive and Safe Digital Society, and outlined what the Government is doing to combat scams, so I will not belabour those points. The Cybersecurity Act is not aimed at tackling scams. Even so, Clause 7 of the Bill will allow us to take a stronger stance against impersonation scams, by making it an offence for any person to use CSA’s gazetted symbols or representations without the Commissioner’s prior written permission.
5. The Members who have spoken today have raised several important considerations relating to the Bill, and I would summarise them into three groups:
b. Secondly, will the new obligations be operationalised in a sensible and practical manner?
c. Finally, will there be safeguards in place to prevent abuse, as the Bill expands CSA’s powers?
6. Let me address these considerations in turn.
(B) Are the compliance costs justified?
7. Some Members raised concerns about the additional costs of regulatory compliance. Some have suggested that such costs could even adversely impact the community of SMEs in Singapore, or industry development more generally.
9. With the amendments covered in the Bill, the Cybersecurity Act will only be imposing obligations on four groups of entities:
a. The first is providers of essential services, whether they are Critical Information Infrastructure (CII) owners or rely on third party vendors for the CII. Securing the computers and computer systems that are necessary for the continuous delivery of our essential services is a matter of national security and survival.
c. The third group comprises Entities of Special Cybersecurity Interest (ESCI). The ESCIs. This is because we need them to be cybersecure if their computer systems contain sensitive information or they perform functions which if disrupted will have a significant detrimental effect on our national interests.
10. Some compliance cost cannot be avoided when regulation is concerned. It is something we are mindful of; we do not seek to regulate without good reason. For these four groups, it was a considered decision that we must have the necessary legislation in place to govern their cybersecurity because our national security and other national interests are at stake.
b. These security reasons are also why I had caveated in my Opening Speech that I will not disclose any specific real-life examples of the critical systems and entities we seek to regulate, which includes ESCIs. I seek Ms Ng Ling Ling’s understanding that I will not respond directly to her query on the entities that will be designated as ESCI. Ms Hany Soh asked whether there would be circumstances that go toward publication or disclosure of an ESCI’s identity - this will be on a case-by-case basis, and we must keep the security of the ESCI in mind.
12. Mr Mark Lee seemed to have the impression that the Bill only focuses on “personal information” and does not protect other types of confidential business information. This is not the case. The Cybersecurity Act does not differentiate between protecting personal information and business information, as the cybersecurity of all information in a CII must not be compromised. The Bill will do the same for the new categories of systems and entities we are proposing to regulate for cybersecurity.
14. I would also like to clarify that not all the amendments add to the operating costs of regulated entities and systems. Some of the key amendments I covered in my Opening Speech will allow CII owners to make use of new technologies and new business models. This can result in efficiencies while maintaining the cybersecurity of the CII. These include the use of commercial cloud solutions, and demand-aggregated system infrastructure owned by a third party. These could be business opportunities as Mr Neil Parekh observed in his speech.
(C) How will CSA ensure that the new obligations are operationalised in a sensible and practical manner?
15. How CSA will ensure that the new obligations are operationalised in a sensible and practical manner?
16. The technologies are constantly advancing, and change our business and operating context. Malicious actors are inventive, and continually find new ways to compromise their targets. Several members have asked questions about how the amendments would be implemented. Underlying their questions is an important consideration – will CSA operationalise these new laws sensibly and give regulated entities support to meet their statutory obligations? The short answer to both is yes, but I am going to give a slightly longer answer.
17. CSA understands the need to take into account business realities and to be practical and sensible when implementing the Act. CII owners and other industry stakeholders representing potential ESCIs and major FDI service providers were consulted extensively. Many trade associations and chambers provided their views during the consultation process.
18. CSA’s practice is, has been, and will be, to provide ample support to our regulated entities, by ‘walking with them towards compliance’.
b. CSA will also consider waivers of the application of a code of practice or standard of performance on a designated entity where possible on a case-by-case basis, to account for specific operating contexts, or the developmental journey of the organisation in question.
20. Where the CII is owned by a third party, Clause 14 requires the provider of essential service to obtain from the third-party vendor legally-binding commitments that would put the provider in a position to discharge its statutory obligations, so that the cybersecurity of the CII is not compromised.
b. Where the third party is unwilling or unable, as Mr Darryl David noted could happen, CSA could direct the provider of essential services to stop using the system owned by that third party under the provisions in new Sections 16E(2), 16H(2), 16I(2) and 16J(2).
d. In response to Mr Desmond Choo’s question on data security when CII owners move to the Cloud, CSA will work with CII owners to conduct cybersecurity risk assessments of any migration of a CII to the Cloud. The principle remains – they must be able to meet their statutory obligations with respect to the cybersecurity of the CII regardless of the operating model.
22. Mr Yip Hon Weng asked how we will deal with the cross-border nature of FDI services such as cloud services and data centre operations. We have designed the new provisions to account for this.
b. Mr Yip Hon Weng also asked if the designated providers of major FDI service will be held responsible for breaches occurring in overseas data centres if they disrupt their services in Singapore. Sir, I would like to make it quite clear that the Act, even if amended by the Bill, does not penalise victims of cyber attacks for being attacked. The statutory duties under the Act only require the designated provider to work with CSA to prevent and mitigate the cybersecurity risks by, for instance, reporting cybersecurity incidents, and complying with the necessary cybersecurity standards and written directions.
d. Ms Razwana Begum asked how we would enforce the provisions relating to major FDI service providers if many of the providers are based overseas. Indeed, this could be the case for the cloud service sector. To facilitate enforcement, new Section 18G(6) requires a designated major FDI service provider who is located outside of Singapore to appoint a person in Singapore to accept service of notices or directions under the Act.
24. Many Members like Ms Ng Ling Ling, Ms Jean See, and Mr Melvin Yong also gave suggestions on how the Government can provide more support to regulated entities to help them comply with their statutory obligations and provide some assurance that their cybersecurity measures are adequate. We will consider these suggestions very carefully. As CSA operationalises the new amendments, CSA will continue to take onboard stakeholder feedback. Where appropriate and feasible, CSA will harmonise the cybersecurity standards and incident reporting parameters to be imposed under the Act with international practices.
25. Mr Gerald Giam asked about step-in rights and CSA’s incident response frameworks. I understand the concern to be whether CSA is adequately empowered to respond effectively to cybersecurity incidents and do what it takes to secure our CII. Part 4 of the 2018 Act already provides CSA with the necessary powers to respond to cybersecurity threats and incidents and to take appropriate measures to secure the threatened or attacked system. Operationally, CSA and the DIS of the SAF have an excellent working relationship, and will work together to secure Singapore’s cyberspace.
(D) Safeguards
27. Safeguards have been built into the Act from the outset, and will be extended to cover the proposed amendments.
b. Second, the powers that the Bill seeks to confer on CSA are not unfettered. For example, the power of inspection provided for in the amended Section 15(4)(d) inserted by Clause 13, can only be used for the specified purpose and under the specified circumstances set out in the provision.
28. Ms Tin Pei Ling, Mr Gerald Giam and Mr Sharael Taha noted that the Bill will significantly expand the scope of the Act, and asked if CSA will be sufficiently equipped to manage this expanded ambit. If the Bill is passed, the Government will ensure that CSA is resourced accordingly. CSA will also continue to develop the personnel and their expertise so that it can continue to deliver its mission at a high level.
(E) Conclusion
29. I hope that I have sufficiently addressed the queries raised in this House.
a. Where national interests are at stake, the Government needs to proactively ensure that security considerations are optimised. Those responsible for our CII, STCCs, and FDI services, as well as our ESCIs will have to bear some compliance costs, but this is what it takes to keep Singapore and Singaporeans safe and secure in the digital domain.
a. For example, the SG Cyber Safe Programme. These are schemes to help the Singapore business community be more cyber secure. This includes the Cyber Essentials and Cyber Trust marks, which are certification schemes that recognise enterprises that have implemented good cybersecurity practices. CSA has also developed cybersecurity informational toolkits for companies of various profiles to guide enterprise leaders and their employees on cybersecurity best practices. Additionally, enterprises getting started on cybersecurity can use the Cybersecurity Health Plans programme, where consultants help them improve their cyber resilience, and help to develop a plan tailored to their needs. I urge all enterprises to apply for the various schemes and marks and take advantage of the resources available to uplift their cybersecurity posture.
32. CSA has had a good track record in administering the Cybersecurity Act over the past six years. CSA works closely with the regulated entities to address their needs and concerns, and to date, no appeals have been made against CSA’s decisions, orders or directions. This is in large part due to the good work of our CSA officers. We have been able to attract and retain officers with a high degree of expertise, professionalism and integrity, who are able to balance between the considerations of security, useability and cost, and who understand and believe in the mission of securing Singapore’s cyberspace.
33. Cybersecurity is a team effort. We must continually improve our defences against cyber threats that are growing in scale and sophistication. Today, the Government proposes to strengthen our legislation so that we can ensure the cybersecurity of systems and entities that are important to Singapore’s national interests. I thank Members for their support of this Bill. Mr Speaker, I beg to move.