#WorkinginCSA: Administering the Cybersecurity Act

19 Jan 2021

As a cybersecurity investigation and compliance officer, Karl Gerard Jonathan, Manager, Regulations Division, is responsible for the day-to-day administration and enforcement of the Cybersecurity Act. Find out what gives him job satisfaction, and how he is involved in pioneering the regulation of cybersecurity service providers in Singapore.

1. What sparked your interest in cybersecurity? 
I have always been drawn to technology and when I found out that there was an opportunity for me to tie my legal skills to my interest in cybersecurity, it made sense for me to steer my career in this direction. I find it very fulfilling to be able to analyse cyber laws and explain them to the stakeholders I work with, such as Critical Information Infrastructure (CII) sector leads and cybersecurity service providers.

With technology continuously advancing and ever-present in our lives, there is a need to safeguard the data that we work with and the systems we rely on. One of the many ways this can be achieved is through the implementation of legislation, policies and frameworks to guide entities and individuals in working towards this objective.

2. What is a typical day at work like for you?
I assist the Commissioner of Cybersecurity in the day-to-day administration of the Cybersecurity Act. This includes assessing and approving auditors who conduct the audits of CIIs and monitoring and liaising with CII owners on the performance of their statutory obligations.  

I am also appointed as a cybersecurity investigation officer under the Act, which empowers me to conduct investigations against any individual or entity who failed to fulfil their obligations under the Act, and also recommend any enforcement actions against the incumbent. 

We are also looking to operationalise a new cybersecurity service providers licensing scheme, specifically for penetration testers and managed security operations centre monitoring service providers. This is to provide greater assurance on security and safety to consumers of such services and raise the quality and standing of cybersecurity service providers. These two services are also prioritised because providers of such services have access to sensitive information from their clients. 

My work in this project involves assisting with the drafting of licence conditions, penalty framework and implementation of the licensing regime. 

3. What makes you excited about coming to work? 
One of the many things I love about my work is how varied the work is – from developing legislative frameworks to conducting on-site investigations. Cyber threats are constantly evolving and staying ahead is critical. We also need to know where and what to look out for when presented with a new case.

Since I started working in CSA, I have learnt how cybersecurity is such a unique domain. For example, each CII sector has different maturity levels of cybersecurity standards and faces a different set of challenges, so there is never a one-size-fits-all solution. 

Investigations against cases of non-compliance also present a unique set of facts and evidence which must be thoroughly examined to achieve a just outcome.

Every task I have been assigned gives me a chance to work with colleagues and stakeholders of different seniority levels and backgrounds and there are many learning opportunities too. There is great satisfaction in a job that keeps me on my toes!

4. Tell us something interesting about your job that not many people know about.
The cybersecurity service providers licensing scheme that I am working on now, when implemented, will make Singapore one of the first countries in the world to do so! 

I will be conducting background screenings on the licence applicants with the relevant authorities and ensuring that they do not have any convictions or judgements entered against them in civil proceedings involving fraud, dishonesty or moral turpitude.

When this licensing regime is implemented, we will be under the watchful eyes of both the local and international cyber community. Many years down the road, I will be able to tell my son that I am part of the team that implemented the first ever cybersecurity licensing regime in Singapore!

5. What are 3 qualities that are important for someone in your role to have?

Strong interpersonal skills to work with the various stakeholders; perseverance, as each case could present a different set of challenges; and meticulousness while working within tight timelines.