SINGAPORE: A Bill aimed at bolstering Singapore’s cybersecurity defences while accounting for changes in technology was passed by parliament on Tuesday (May 7).
Under amendments to the Cybersecurity Act, owners of critical information infrastructure (CII) must now report more types of incidents including those that happen in their supply chains.
This is to address the “inventiveness” of malicious cyber actors, said Senior Minister of State for Communications and Information Janil Puthucheary.
“As the tactics and techniques of malicious actors evolve to target systems at the periphery or along supply chains, we must also start placing our alarms at those places,” he added.
The new law will allow authorities to regulate a new type of system called Systems of Temporary Cybersecurity Concern (STCC). These are systems that, for a time-limited period, are at high risk of cyberattacks, and if compromised, would damage Singapore’s national interests.
The Cyber Security Agency of Singapore (CSA) will now also be able to manage entities beyond its current regulatory regime. These include Entities of Special Cybersecurity Interest (ESCIs).
Attacks on ESCIs could have a “significant detrimental effect” on Singapore’s defence, foreign relations, economy, public health, public safety, or public order, because of the disruption of the function they perform, or the disclosure of sensitive information their computer systems contain, explained Dr Janil.
The specific list of entities designated as ESCIs should not be disclosed publicly to avoid inadvertently advertising these entities as “worthy targets” to malicious actors, he added.
CSA will now also be able to deal with situations where a CII is supporting an essential service from overseas. With the new changes, CSA can designate and regulate such CIIs so long as its owner is in Singapore and the computer system would have been designated as a CII had it been located in Singapore.
Tabling the Bill for a second reading, Dr Janil said that it aims to tackle “shifts in the operating context” in cybersecurity, and strengthen the administration of the Act to address “operational challenges” CSA has faced.
“The Cybersecurity Act has now been in force for six years. The core objectives continue to be relevant today. We’ve reviewed the Act, learning from our experiences, and taking into account changes in technology,” he explained.
“In order to continue to ensure Singapore’s cybersecurity, a review and an update to the Act is needed as several aspects of our operating context have changed.”
