13 Nov 2017
The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) received 92 submissions from a wide and diverse range of stakeholder groups at the close of the public consultation on the draft Cybersecurity Bill (the “Bill”) from 10 July to 24 August 2017. The original submission deadline of 3 August 2017 was extended in response to requests for more time to provide feedback.
Respondents generally shared the Singapore Government’s concerns on the impact of increasingly sophisticated cyber-attacks which could potentially cause major disruptions, or even cripple our economy. Respondents acknowledged the timeliness and importance of the Bill in setting the necessary legislative framework for pro-active oversight and response to cyber threats and incidents. Several respondents also agreed with the need for cybersecurity information-sharing between CSA and other organisations, including the need to safeguard the information source and information disclosed. However, respondents had some reservations about the proposed licensing framework.
Following careful deliberation, MCI and CSA intend to refine the Bill in several aspects. The clauses that will be refined include:
- Designation of Critical Information Infrastructures (CIIs) - Some respondents felt that the proposed definition of CIIs was too broad and asked for more clarity on the scope of “computers” and “computer systems” that might be designated as CIIs. We wish to clarify that this definition is intended to formalise our existing engagements with CII stakeholders, which have been in place since 2013. We will amend the Bill to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs. All other computers and computer systems will not be considered CIIs, and the obligations in Part 3 of the Bill therefore do not apply to them. Specifically, computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs, and third-party vendors will therefore not be considered owners of CIIs.
- Duties of CII owners - Respondents suggested that any codes of practices and standards of performance required under the Bill should take into consideration any existing codes and standards that CII owners were already required to comply with, e.g. sectoral regulations, in order to avoid inconsistencies and confusion. We will work closely with sector regulators to streamline and harmonise the obligations of CII owners under the Bill with their respective sectoral regulations. The appointment of Assistant Commissioners to oversee CIIs in each sector will ensure that the Bill requirements are sensible and take into account existing sector-specific requirements, including international requirements. This is because the sector regulators understand the unique contexts and complexities in each sector, and are in a good position to balance the sectors’ cybersecurity needs and business requirements.
- Requirements of licensing regime - Several respondents expressed reservations about the proposed licensing framework. Some respondents were against licensing of cybersecurity service providers in any form as they felt that licensing could impact the development of a vibrant cybersecurity ecosystem in Singapore. To strike a balance between industry development and security needs, MCI and CSA intend to simplify the licensing framework by doing away with the licensing of individual cybersecurity professionals, and removing the distinction between “investigative” and “non-investigative” types of licensable services. This will allow the Bill to be more future-proof, and enable it to stay relevant even as cybersecurity services continue to evolve. At this point, we intend to license only penetration testing and managed security operations centre (SOC) monitoring service providers, as such services are already mainstream and widely adopted.
MCI and CSA would like to thank our stakeholders and all respondents, including local and international organisations, multi-national companies, industry and professional associations, sector regulators, academia and members of the public, who provided feedback on the draft Cybersecurity Bill. During this period, CSA also participated in dialogues with industry organisations and attended sessions organised by professional associations for their members and the public to address queries regarding the Bill. Please refer to the full report on the public consultation and Annex A for the list of respondents to the public consultation on the Bill.
Report on Public Consultation on the Draft Cybersecurity Bill