The Cyber Security Agency of Singapore (CSA) has proposed amending the Cybersecurity Act 2018 through the Cybersecurity (Amendment) Bill. This will enable the law to keep pace with the developments in the cyber threat landscape and evolving digital economy.
Firstly, the Bill will update existing provisions relating to the cybersecurity of critical information infrastructure (CII) to ensure continuous delivery of essential services such as water, electricity and banking services.
CII owners will remain responsible for ensuring their CII are secure and resilient even as they embrace new technological and business models, like the use of cloud computing. They will also be required to report more types of cyber incidents, including those happening in the supply chain. Doing so will empower CSA to be more situationally aware of the cyber threats that could disrupt essential services and work with CII owners to proactively protect those services further.
Secondly, the Bill seeks to expand CSA’s oversight to cover the cybersecurity of Systems of Temporary Cybersecurity Concern (STCCs). STCCs are computer systems critical to Singapore and are at a high risk of cyberattacks due to certain events or situations. For instance, the temporary systems used to support the distribution of critical vaccines during the Covid-19 pandemic were targeted by malicious actors.
The third proposed amendment is to allow CSA to designate and regulate entities of special cybersecurity interest (ESCI). ESCIs hold sensitive information or perform a function of national interest so disruption to their services could potentially have adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore.
Autonomous universities are one example of ESCIs. Since they are not CII, the obligations imposed on the ESCI will not be at the same levels as that for CIIs, states CSA in a press release.
See also: ‘Disease X’ outbreak widens as UN sends health team to Congo
Finally, the Bill will require companies providing digital infrastructure services foundational to Singapore’s economy – such as data centres and cloud service providers — to be responsible for securing the digital infrastructure. This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will not be at the level of a CII.
According to CSA, the Bill incorporates stakeholder and public feedback gathered from consultations that began as early as 2022. If the Bill is passed, CSA will continue to consult closely with stakeholders to operationalise it.
