Singapore’s CSA seeks public input on Cybersecurity Amendment Bill 2023 to boost digital infrastructure protection

The Cyber Security Agency of Singapore (CSA) has initiated a public consultation to gather input on the Cybersecurity (Amendment) Bill 2023 until Jan. 15, 2024. The bill’s objective is to ensure that Singapore’s cybersecurity laws are up-to-date and capable of addressing the evolving challenges in the digital realm.

The CSA stated that entities regulated under the Cybersecurity Act will be required to adhere to cybersecurity standards of practice, report cybersecurity incidents to the CSA, and comply with directions issued by the Commissioner to ensure the cybersecurity of specific computer systems under their charge.

In reviewing the Cybersecurity Act, CSA has sought to keep pace with developments in technology and industry practices. This entails updating existing laws about the protection of critical information infrastructure (CII), and maintaining a high standard of protection for these systems so that cyber threats do not disrupt essential services. 

It also seeks to look beyond CII to ensure the cybersecurity of other important systems and infrastructure by extending the coverage of the Cybersecurity Act. To this end, it is proposed that the regulatory oversight of the Commissioner of Cybersecurity be extended to nationally important computer systems that face heightened risks during crucial periods, as well as entities of special cybersecurity interest, as breaches of such organizations could have detrimental implications for the defense, foreign relations, economy, public health, public safety, or public order of Singapore.

Lastly, the CSA aims to respond to evolving cybersecurity challenges by updating regulations to provide the Commissioner of Cybersecurity with greater situational awareness such that there is early and timely information on the cybersecurity vulnerabilities, threats, and incidents that affect CIIs, and other identified systems and infrastructure.

“As Singapore digitalises, there is an increased risk of organisations falling victim to cyber attacks. This update of the Cybersecurity Act is important to ensure that the necessary safeguards are put in place for the digital infrastructure and services that we use,” David Koh, commissioner of cybersecurity and chief executive of CSA, said in a media statement. “This way, Singaporeans and businesses can embrace digitalisation with confidence, knowing that they are safe and secure in the digital domain. We welcome feedback from all interested parties to help shape the Act and better protect Singaporeans and our businesses.”

The draft Cybersecurity (Amendment) Bill seeks to update existing laws about the protection of CII, and to continue to maintain a high standard of protection for these systems. 

Amendments to the Act will consider technology developments, and enable existing CII owners to leverage new technologies, such as cloud services. Also, amendments will be made to facilitate the operationalization and administration of the CII regulation, such as the introduction of powers for the Commissioner of Cybersecurity to grant time extensions for requirements under the Act, and to authorize an onsite inspection to ascertain compliance.

The Amendment Bill also seeks to extend the commissioner of cybersecurity’s oversight, so that CSA can do more to safeguard nationally important computer systems that face heightened risks during crucial periods and to support entities of special cybersecurity interest. A breach or disruption of such entities could have detrimental implications for the defense, foreign relations, economy, public health, public safety, or public order of Singapore, which may, in turn, affect trust and confidence in Singapore’s digitalization efforts.

Additionally, entities regulated under the Cybersecurity Act will be required to adhere to cybersecurity standards of practice, report cybersecurity incidents to CSA, and comply with directions issued by the Commissioner to take necessary steps to secure the cybersecurity of specific computer systems under their charge. 

Lastly, the Amendment Bill enables greater situational awareness of the cybersecurity threats to the foundational digital infrastructure that undergirds the country’s digital economy and digital way of life, and provides the power to mandate baseline cybersecurity standards for this foundational digital infrastructure.

The Amendment Bill seeks to “identify and designate provider-owned critical information infrastructure or systems of temporary cybersecurity concern, and to regulate owners of provider-owned critical information infrastructure or systems of temporary cybersecurity concern with regard to the cybersecurity of the provider-owned critical information infrastructure or systems of temporary cybersecurity concern.”

It also aims to identify and designate providers responsible for non-provider-owned critical information infrastructure, major foundational digital infrastructure service providers, or entities of special cybersecurity interest. The bill also looks to regulate providers responsible for non-provider-owned critical information infrastructure, major foundational digital infrastructure service providers, or entities of special cybersecurity interest concerning the cybersecurity of the non-provider-owned critical information infrastructure, the major foundational digital infrastructure, or the system of special cybersecurity interest.

The bill provides that, at any time before the expiry of the designation of a provider-owned critical information infrastructure, the Commissioner may, by written notice, extend the designation if the Commissioner believes that the computer or computer system continues to fulfill the criteria of a provider-owned critical information infrastructure.

“Any extension of a designation has effect for a period of 5 years starting from the expiry of the earlier designation unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension,” the bill detailed. 

Addressing supply chain attacks, the bill also seeks the designation of the provider of essential service responsible for the cybersecurity of non-provider-owned critical information infrastructure. 

The bill requires the identification of non-provider-owned critical information infrastructure for which the provider is designated as responsible. It also calls for identifying the provider of the essential service so designated as a provider responsible for non-provider-owned critical information infrastructure; identifying the person who appears to be the owner of the non-provider-owned critical information infrastructure; and informing the provider responsible for non-provider-owned critical information infrastructure regarding the provider’s duties and responsibilities under this Act that arise from the designation. 

The bill also stipulates providing the name and contact particulars of the officer assigned by the Commissioner to supervise the provider responsible for non-provider-owned critical information infrastructure with respect to that infrastructure.

It also calls for informing the provider responsible for non-provider-owned critical information infrastructure that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and informing the provider that it may appeal to the Minister against the designation, together with information on the applicable procedure.

The agency calls upon interested parties to access the public consultation documents on the REACH consultation portal. The feedback form is intended for interested parties to provide their feedback on the proposals set out in the public consultation documents on the Cybersecurity (Amendment) Bill. The agency also recommends completing the form in one session, and keeping a copy of the response if working on it over a long period.

In September, the CSA conducted the fifth iteration of Exercise Cyber Star (XCS23) to evaluate and enhance Singapore’s crisis response capabilities, ensuring a swift and efficient response to cyberattacks. The Singapore Armed Forces’ Digital and Intelligence Service actively joined forces in XCS23. The exercise witnessed the active participation of over 450 individuals, including CSA personnel and representatives from the 11 CII sector leaders and owners, collectively contributing to the success of XCS23.
