Public Consultation on the Cybersecurity (Amendment) Bill

Published on 12 Dec 2023 | Updated on 02 Apr 2024

CLOSING NOTE TO THE PUBLIC CONSULTATION ON THE CYBERSECURITY (AMENDMENT) BILL

Issued by the Cyber Security Agency of Singapore


2 April 2024

Introduction 

1. The Cyber Security Agency of Singapore (“CSA”) held a public consultation on the draft Cybersecurity (Amendment) Bill (“Bill”) from 15 December 2023 to 15 January 2024.

2. The Bill is the first amendment of the Cybersecurity Act since the Act was enacted in 2018. The Bill seeks to update the Act so that it keeps pace with the developments in our cyber threat landscape and business environment. This will enable CSA to continue to secure Singapore’s cyberspace and safeguard our digital way of life.

3. CSA thanks all who contributed their views on the Bill. The list of respondents to the public consultation is published in the Annex. CSA received responses from 55 respondents, who included Critical Information Infrastructure (“CII”) owners, industry representatives, and members of the public. CSA has thoroughly considered the respondents’ feedback, and this closing note addresses the key points of feedback received.

Overview of Feedback Received

4. Respondents generally expressed support and understood the need for the Government to expand the regulatory ambit of the Act beyond CIIs to cover other entities [1], as these entities could hold sensitive information and/or play important roles or functions that undergird our economy and way of life. 

5. While most feedback was clarificatory in nature, some respondents highlighted that the draft Bill, if passed, could raise the cost of doing business for those who would be regulated. Industry respondents who were not responsible for CII expressed interest in better understanding the CII-related provisions, and asked whether they could be affected by these draft provisions. Several respondents also gave feedback that the text of the Bill was complicated to follow. Since the close of the public consultation, CSA has also continued closed-door industry consultations with relevant stakeholders.


Key Points of Feedback Received 

CII
 
6. Feedback on the proposed CII-related amendments was primarily in three areas:
 
a. Whether the proposals to regulate CII owners’ use of distributed system architecture (e.g., commercial cloud computing solutions) or computing vendors would create statutory obligations (directly or indirectly) for the cloud service providers or vendors keen to serve these CII owners; 

b. The potential increase in compliance costs that CII owners and Providers of Essential Services (“PES”) would have to bear with respect to the proposed expansion of their obligations such as incident reporting and the need to obtain legally binding commitments; and

c. How the amended Act will be operationalised including the designation process for PES and the extent to which the Commissioner could exercise the proposed power to conduct on-site inspections.

Feedback:

Some respondents expressed concern that the proposals to regulate CII owners’ use of distributed system architecture or computing vendors would create statutory obligations (directly or indirectly) for the cloud service providers (“CSPs”) or computing vendors keen to serve PES.  

In this respect, some respondents sought clarification on whether CSPs providing cloud computing solutions to support the virtualisation of the CII or computing vendors supplying the CII itself to PES would also be regulated by CSA as CII owners, or if the “liabilities” of that CII owner or PES could “flow through” to the CSPs or computing vendors. 

Several respondents expressed that the draft legal text that set out the amendments relating to the use of "non-provider-owned" CII was difficult to follow. 

Finally, a number of respondents asked whether a CII owner can be designated as a PES at the same time, and whether the designation of PES would happen immediately after the amended Act is passed. 

CSA’s Response:

The proposed amendments to Parts 3 and 3A of the draft Bill are not intended to regulate (a) CSPs providing cloud solutions to support the CII or (b) the computing vendors of a PES as CII owners.  

The statutory responsibilities imposed on a CII owner under Part 3 of the Act, or a designated PES under Part 3A, cannot be passed on to the CSP or the computing vendor. This will also apply to any penalties that are imposed on the CII owner or PES for non-compliance. 

In response to the feedback received, CSA will: 

a. Introduce additional provisions, relating to virtual computers or virtual computer systems, to clarify that the person who has:

  1. control over the operations of the virtual computer or virtual computer system; 
  2. the right and ability to perform security configuration and management tasks in respect of the virtual computer or virtual computer system, including to make any modification as necessary for the cybersecurity of the virtual computer or virtual computer system; and
  3. where applicable, responsibility for the security of the virtual computer or virtual computer system under that person’s contractual arrangement with a CSP,

  will be considered the owner of a virtual CII system. This effectively means that the existing CII owner, who has the necessary control over the CII system, will continue to be responsible for the system even after virtualisation, and not the CSP.   

b. Simplify the draft legal text by replacing references to a “non-provider”, which was used in the consultation draft to refer to the computing vendor that provides the CII to a PES, with “third-party”.  

 

To clarify, a PES that relies on an outsourced CII to deliver the essential services (but does not own it) would not be considered the CII owner of that CII. Nevertheless, the PES will still be required to meet the obligations under Part 3A of the Act.

Finally, on the designation of a PES, CSA would like to clarify that designation will involve a considered process. For example, CSA will first need to work closely with any parties that we identify as potential providers of essential services, and with the relevant sector regulator, to understand the operating environment and the computer or computer system involved in delivering the essential services, before we decide whether there is a basis to proceed with designation.

Feedback:

There was feedback that there could be an increase in compliance costs that CII owners would have to bear with respect to the proposed expansion of their incident reporting obligations.

For example, some respondents expressed concerns that the expanded scope of the incident reporting obligations was broad and could lead to a higher compliance burden on the CII owner. Some respondents sought clarity on whether the new incident reporting requirements extended to computer or computer systems outside of Singapore. Some respondents also raised questions as to what is considered as “interconnected” when it relates to incident reporting involving the supply chain. 

Similarly for the Part 3A provisions relating to PES, respondents commented that it would be difficult to secure a legally binding commitment from computing vendors for the use of the outsourced CII without significant additional costs given the bargaining powers such computing vendors wield.

Finally, some respondents also queried whether it would be feasible for the Commissioner to require a PES to cease the use of the outsourced CII in the event that the PES is unable to secure a legally binding commitment, given that this could disrupt the delivery of essential services. 

CSA’s Response:

The proposed expansion of incident reporting requirements is intended to address the evolving tactics of Advanced Persistent Threat (“APT”) actors and cybercriminals, which involve exploiting supply chains and other peripheral systems to attack CII and disrupt the delivery of essential services. 
 
To help CII owners manage the compliance burden, CSA will work with CII owners to develop a pragmatic approach to the submission of incident reports, including those involving the supply chain. In this respect, CSA will continue to work with CII owners to operationalise the new incident reporting requirements before they come into force.

The decision to use an outsourced CII from a third-party computing vendor is a business decision that a CII owner may make based on its own assessment of the costs and benefits involved. As the national cybersecurity authority, CSA holds the view that all CIIs, whether outsourced or owned by the CII owner, should be subject to similar levels of cybersecurity requirements, and this is why we have introduced a new Part 3A to the Act to address such situations.

Accordingly, if CSA is of the view that the PES is unable to meet its obligations under the new Part 3A of the Act, CSA may take further action, including requiring the PES to cease the use of the outsourced CII to deliver the essential services.  

Feedback:

Some respondents sought clarification on the extent to which the Commissioner would be able to exercise the proposed new power to conduct on-site inspections of provider-owned CII. 

For example, some respondents suggested that inspections be used to address material compliance gaps that pose a significant risk to the CII or to the delivery of essential services. Some respondents requested clear guidelines and safeguards to prevent the abuse of this power (e.g. using it to obtain the CII owner’s business-confidential information). One respondent suggested that CSA should provide notice to CII owners before conducting on-site inspections. 

CSA’s Response:

There are safeguards in the proposed amendment to prevent CSA from obtaining confidential information beyond the scope of what is necessary for the on-site inspection. For example, the proposed amendment makes it clear that it must first appear to the Commissioner that the CII owner has not complied with something it ought to have complied with, or has submitted false, misleading, inaccurate or incomplete information. Thereafter, the Commissioner may exercise this power to conduct on-site inspections only to ascertain compliance, or the accuracy or completeness of the information submitted. 

CSA understands the concerns raised by the respondents, and as far as possible, CSA will endeavour to give notice to CII owners prior to conducting on-site inspections pursuant to this proposed amendment. 


 

Major Foundational Digital Infrastructure (“FDI”)

7. Respondents supported the proposed regulation of major FDI service providers. Feedback received on these proposed amendments largely related to how CSA intended to operationalise these amendments. 

 

Issue:
Feedback was received on how CSA intends to operationalise proposed amendments. 

For example, several respondents asked CSA to provide further details on the incident reporting parameters and the cybersecurity codes of practice or standards of performance that could be issued or approved if the amendments were passed. A few respondents suggested that CSA consider harmonising any codes or standards adopted with sector regulations (if any) and with international best practice.

CSA’s Response:

CSA has communicated that further industry consultations will be conducted on the development of the incident reporting parameters and applicable cybersecurity codes or standards. CSA remains committed to this. 

As stated in the public consultation paper, CSA intends to take reference from international best practices and will work closely with sectoral regulators towards the harmonisation of any new sectoral regulations in Singapore.

 

Entities of Special Cybersecurity Interest (“ESCI”) 

8. Respondents supported the proposed regulation of ESCI. The key point of feedback pertained to uncertainty over what entities could be designated ESCI.  

 

Issue:

Several respondents said that it was unclear from the draft Bill what entities could be designated as ESCI, and that this could create uncertainty. One respondent asked if CSA would reconsider our position on not disclosing the list of ESCI.

CSA’s Response:

The key reason for regulating ESCI for cybersecurity is that they are entities that hold sensitive information and/or play nationally important roles or functions. A cyberattack on these entities could have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety, or public order of Singapore. As ESCIs could come from a range of sectors, it is important for the proposed provisions to be drafted in a manner that allows CSA to work with these entities on their cybersecurity in our evolving threat landscape. 


CSA does not intend to publish the full list of designated ESCI for security reasons. Examples of ESCIs could include autonomous universities. CSA will engage entities before they are designated as ESCI. 

 

Systems of Temporary Cybersecurity Concern ("STCC")

9. Respondents supported the proposed regulation of STCC and feedback received was largely clarificatory in nature.  

 

Monitoring Powers for Licensing Officers   

10. Respondents’ feedback on this proposed amendment was largely in relation to the limits that would be placed on the proposed monitoring powers.

 

Issue:
Feedback was received on the limits of proposed monitoring powers.

For example, some respondents said that there should be clear boundaries for the monitoring powers, and clear conditions under which the monitoring powers would be activated. Some respondents also suggested that the exercise of the powers should be limited to ascertaining whether the licensee had complied with licence conditions.

CSA’s Response:

The intention of providing monitoring powers to CSA is to ensure that Part 5 of the Act can be properly executed. As a matter of good regulatory practice, CSA will endeavour to inform the licensee of the basis for exercising any of the monitoring powers.

CSA does not agree that the exercise of the monitoring powers should be limited to ascertaining whether the licensee had complied with licence conditions, as the scope of ensuring the proper execution of Part 5 extends beyond ascertaining compliance with licence conditions (for example, to assess compliance with the duty to keep proper records, or to assess whether a licence should be revoked or suspended).  

 

Conclusion

11. CSA would like to thank all respondents for their feedback.

12. The public consultations were just one part of the overall consultation process on the Bill, which started back in September 2022. CSA remains committed to holding further industry consultations on the development of subsidiary technical and operational matters (e.g. codes of practice, incident reporting parameters) and implementation of the proposed amendments. We welcome the continued engagement with all stakeholders and interested parties.

[1] The regulatory ambit of the Act will be extended to cover entities such as Systems of Temporary Cybersecurity Concern, Entities of Special Cybersecurity Interest and Foundational Digital Infrastructure.

 




Public Consultation on the Cybersecurity (Amendment) Bill

Consultation Period: 15 Dec 2023 to 15 Jan 2024 

The Cyber Security Agency of Singapore (CSA) is seeking views on the draft Cybersecurity (Amendment) Bill.

Background 

The Cybersecurity Act, which came into force in August 2018, is the legislative framework that governs the oversight and maintenance of national cybersecurity in Singapore.

Since the Act was enacted, the cyber threat landscape and business environment have been continually changing. Singapore’s digitalisation efforts have also been progressing rapidly, and Singapore is now one of the most digitally connected countries in the world. These developments have accelerated our connectivity, computing, and data storage needs, and bring new considerations for cybersecurity. 

The draft Cybersecurity (Amendment) Bill seeks to ensure that Singapore’s cybersecurity laws remain fit-for-purpose, and capable of addressing the emerging challenges in cyberspace.

Scope of Consultation 

In reviewing the Cybersecurity Act, CSA has sought to:  

i. Keep pace with developments in technology and industry practices. To ensure that the Act remains relevant as technology and business models evolve.

ii. Look beyond the Critical Information Infrastructure (CII) to ensure the cybersecurity of other important systems and infrastructure. To extend the coverage of the Cybersecurity Act to address the broader ecosystem as the increased adoption of digital technologies has also increased exposure to growing cyber threats.

iii. Respond to evolving cybersecurity challenges. To update regulations to ensure that the Commissioner of Cybersecurity has early and timely information of the cybersecurity vulnerabilities, threats, and incidents that affect CIIs, and other identified systems and infrastructure. 

The draft Cybersecurity (Amendment) Bill seeks to:

  1. Update existing laws pertaining to the protection of CII, and to continue to maintain a high standard of protection for these systems.
    • Amendments to the Act will consider technology developments, and enable existing CII owners to leverage new technologies, such as cloud services.
    • Amendments will also be made to facilitate the operationalisation and administration of the CII regulation, such as the introduction of powers for the Commissioner of Cybersecurity to grant time extensions for requirements under the Act, and to authorise an onsite inspection to ascertain compliance.
  2. Extend the Commissioner of Cybersecurity’s oversight, so that CSA can do more to safeguard nationally important computer systems that face heightened risks during crucial periods, and support entities of special cybersecurity interest, which, if breached or disrupted, could have detrimental implications for the defence, foreign relations, economy, public health, public safety, or public order of Singapore, which may in turn affect trust and confidence in Singapore’s digitalisation efforts.
    • Entities regulated under the Cybersecurity Act will be required to adhere to cybersecurity standards of practice, report cybersecurity incidents to CSA, and comply with directions issued by the Commissioner to take necessary steps to secure the cybersecurity of specific computer systems under their charge. 
  3. Enable a greater situational awareness of the cybersecurity threats to foundational digital infrastructure that undergird our digital economy and digital way of life, and the power to mandate baseline cybersecurity standards for these foundational digital infrastructure. 

Invitation for Comments 

CSA invites members of the public and stakeholders to provide their feedback no later than 5pm on 15 Jan 2024.  Feedback is to be provided online via the Public Consultation on Cybersecurity (Amendment) Bill online form. 

The public consultation documents can be downloaded below:

  1. Public Consultation Document
  2. Draft Cybersecurity (Amendment) Bill

Press release is available here.