SINGAPORE - Amendments to the Cybersecurity Act were tabled in Parliament on April 3 to take into account risks introduced by suppliers, outsourcing and offshoring.
Critical information infrastructure (CII) operators in the essential services sectors remain answerable to the Cyber Security Agency of Singapore (CSA) for any lapses.
The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.
Here is a quick look at the key changes in the Cybersecurity (Amendment) Bill.
1. Securing supply chains CII operators must report all incidents aimed at their systems, including those managed by or linked to their suppliers, as long as they impact the CII’s services. The proposal comes after major cyber attacks around the world that have targeted peripheral systems to sabotage critical services. In 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds that serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the US. In 2021, Colonial Pipeline, which operates the US’ largest fuel pipeline, was forced to shut down after attackers took control of its corporate payment services, which lie outside of its critical functions. 2. Oversight of cloud services The definition of “computers” will include virtual systems and cloud infrastructure – servers hosted on the internet that store and process data – that are rising in usage. CII owners have the option of moving to commercial cloud solutions, such as those offered by Amazon Web Services, Microsoft or Alibaba Cloud, while still bearing responsibility for any cyber-security lapses. The CII operator must make clear to third-party vendors that they have to comply with Singapore’s rules. At least one of the physical computing resources of the cloud services provider that support the virtual system has to be deployed locally. Data centres, cloud services and other foundational digital infrastructure that provide services to or out of Singapore will be regulated under a separate framework from main CII operators that will subject them to “light touch” regulations. They will have to provide cybersecurity-related details upon request, report any incidents and comply with standards of performance set by CSA. In 2021, critical vulnerabilities were found in cloud computing platform Microsoft Azure’s database that could permit hackers to access sensitive databases. The changes to the Cybersecurity Act will make it mandatory for service providers to share details of such attacks, so that lessons can be shared with the wider industry and necessary action taken. 3. Regulation of systems used in key events CSA can designate systems that are critical to Singapore for a limited period as “systems of temporary cyber-security concern” and require their owners to comply with heightened cyber-security standards. Operators of designated systems will have to provide cybersecurity-related information upon request, comply with CSA’s standards, and report cyber-security incidents. These can be systems used for high-key activities akin to major vaccine distributions, forums or international events, such as the 2018 North Korea-US summit in Singapore. In 2020, organisations around the world that were distributing Covid-19 vaccines were targeted by cyber attackers, who attempted to steal network log-in credentials to disrupt the distribution of doses, IBM reported. 4. Entities of special cyber-security interest Some autonomous universities and others deemed entities of special cyber-security interest will have to provide cybersecurity-related information to CSA upon request. Such entities are attractive targets for bad actors due to the sensitive data they hold or function that they perform. Their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety or public order of Singapore, said CSA. CSA does not intend to publish the full list of designated entities, for security reasons.
Essential services providers to meet higher cyber-security standards under proposed law amendment
New law mooted to minimise digital service disruptions due to cloud, data centre outages
Unlock unlimited access to ST exclusive content, insights and analyses
ST One Digital - Annual
$9.90 $4.95 /month
Get offer
$59.40 for the first year and $118.80 per year thereafter.
ST One Digital - Monthly
29.90 $9.90 /month
Subscribe today
No lock-in contract
Unlock more knowledge, unlock more benefits
New feature: Stay up to date on important topics and follow your favourite writers with myST All subscriber-only content on ST app and straitstimes.com Easy access any time via ST app on one mobile device
Join ST's WhatsApp Channel and get the latest news and must-reads.
Cyber security Singapore Parliament Ministry of Communications and Information Technology sector
Facebook Telegram More Whatsapp Linkedin Twitter FB Messenger Email Print Purchase Article Copy permalink https://str.sg/dMWZ
Read this subscriber-only article for free!
Just sign up for a free account and log in to continue reading.
Proposed changes to Cybersecurity Act of S’pore, and what triggered them
Sign up
Already have an account? Log in.
All done! This article is now fully available for you
Proposed changes to Cybersecurity Act of S’pore, and what triggered them
Read now
Please verify your e-mail to read this subscriber-only article in full
Proposed changes to Cybersecurity Act of S’pore, and what triggered them
Resend verification e-mail
The gift link for this subscriber-only article has expired.
Get unlimited access to all stories at $0.99/month for the first 3 months.
Subscribe now
You have reached your limit of subscriber-only articles this month.
Get unlimited access to all stories at $0.99/month for the first 3 months.
Subscribe now
Read and win!
Read 3 articles and stand to win rewards
Let's go! Terms & conditions apply
Frequently asked questions
Good job, you've read 3 articles today!
Spin the wheel now
Let's go! Terms & conditions apply
Frequently asked questions