With widening attack surfaces and technology infrastructures that are no longer necessarily physical, Singapore says its cybersecurity legislation must keep up with the changing threat landscape and be adequately administered to keep its critical infrastructures resilient.
Singapore passed the Cybersecurity (Amendment) Bill on Tuesday following two readings in parliament to address "shifts in the operating context in cybersecurity" and operational challenges that its administrator, the Cyber Security Agency (CSA), faced amid such changes, Janil Puthucheary, Singapore's senior minister of state for Ministry of Communications and Information (MCI), said in parliament.
Also: AI is changing cybersecurity and businesses must wake up to the threat
The updates are meant to keep pace with developments in technology and business practices and extend the CSA's regulatory oversight to other entities and systems beyond physical assets. The amendments will enable the regulator to better respond to evolving cybersecurity challenges and operate on a risk-based approach in regulating entities, Puthucheary said.
For instance, when the Cybersecurity Act was first established in 2018, it sought to regulate physical CIIs (critical information infrastructures). The minister noted that new technology and business models have since emerged, particularly with the advent of cloud computing.
Also: Cybersecurity 101: Everything on how to protect your privacy and stay safe online
He noted that an estimated 60% of local enterprises use some form of cloud technology in their operations and, as a result, business models have changed. This change led to challenges in applying the Act, which was written when physical on-premise IT systems were still commonplace and controlled or owned by the CII owner, he said.
With the latest updates, the CSA can better regulate CIIs and ensure they can withstand online threats, regardless of the technology or framework on which they sit, he added.
In particular, the definition of "computer" and "computer system" in some portions of the bill now include "virtual computers" and "virtual computer systems." The bill also includes provisions to establish what ownership of such systems entails, as this can include both physical and virtual systems to deliver essential services, Puthucheary said.
In a virtual CII, such as in a cloud environment where underlying physical infrastructure might be shared or easily replaced, it would not be meaningful to regulate the underlying hardware, he noted.
Also: The best VPN services (and how to choose the right one for you)
The updated legislation allows the government to make it clear the CII owner is responsible for the cybersecurity of its virtualized infrastructure, not third parties involved in the supply of the underlying physical infrastructure, he said.
The Cybersecurity Act lists 11 CII sectors, which include water, health care, maritime, infocommunications, banking and finance, and aviation. The Act outlines a regulatory framework that formalizes the duties of CII providers in securing systems under their responsibility, including before and after a cybersecurity incident has occurred.
Increased digitalization, too, has resulted in the aggregation and sharing of common digital services and functions across borders to deliver essential services in different global markets, Puthucheary said.
Furthermore, digital technology is now an integral part of life in Singapore, where more than 90% of residents communicate online, he said. Organizations also use digital technologies extensively, growing their technology adoption rate from 74% in 2018 to 94% in 2022.
"More of us are now online for longer and online for more varied purposes. This means that we are exposed to more cyber risks, as every digital technology we use, every transaction we make, and every connection made between computers, is a possible route for attack," Puthucheary said, pointing to an increased attack surface.
Also: How AI firewalls will secure your new business applications
He added that bad actors are increasingly turning to new ways to breach systems, in particular, through supply chain attacks or by targeting adjacent systems. The 2020 SolarWinds breach, for one, enabled its attacker to use the software's regular updates to implant a backdoor and gain a foothold in the networks of organizations that downloaded and installed the malicious update. This gave the attacker privileged access to internal networks, the Singapore minister said.
"To cause significant disruption to the way we work and live, those who mean us harm can take down the digital infrastructure we depend on, or the institutions and entities that hold our sensitive information or perform functions of national interest. Hence, when it comes to securing Singapore in cyberspace, regulating the cybersecurity of CIIs is no longer sufficient," he said.
Legislators have added a new clause to regulate providers of essential services that rely on CIIs owned by third parties for the delivery of the essential service. For instance, a third-party vendor could own, operate, and supply a critical operations management system used by multiple providers of an essential service. This third-party vendor could have greater expertise in operating systems and can do so at a lower cost, due to demand aggregation.
The 2018 Cybersecurity Act did not provide for such environments, since it was the norm for providers of essential services to own and operate their critical systems. However, even with the emerging business model, providers of essential services must remain responsible for the cybersecurity and cyber resilience of the computer systems on which they depend to deliver the essential services, Puthucheary said.
The new clause ensures they cannot outsource this responsibility for cyber, even if they rely on a third party's computer system for the continuous delivery of the essential service, he said.
This does not put providers of essential services under the CSA's regulatory oversight, but they must ensure the systems they rely on meet comparable cybersecurity standards and requirements of a CII through legally binding commitments, such as contracts, he explained.
The amendments do not seek to impose cybersecurity obligations on the general business community, Puthucheary said, in response to questions during parliament on the cost implications of compliance.
"[The Act aims to] regulate only the cybersecurity of systems, infrastructure, and services that are important at a national level because their disruption or compromise could affect our survival, security, safety, or other national interests," he said. "This is a known and finite set of systems and entities. Our approach is a targeted and calibrated one, precisely because we recognize that regulation will involve compliance costs."
Also: Want to work in AI? How to pivot your career in 5 steps
He clarified that the amendments impose obligations on four groups of entities, encompassing providers of essential services, whether they are CII owners or rely on third-party vendors for the CII, and entities of "special cybersecurity interest," which are ICT systems that may contain sensitive information or perform functions that will harm national interests if disrupted.
The updated Act also applies to owners of "systems of temporary cybersecurity concern," in which the loss of such systems temporarily would have a serious detrimental impact on Singapore's national interests.
The CSA must be able to proactively oversee the cybersecurity of such systems, Puthucheary said.
Major providers of "foundational digital infrastructure" services also have obligations under the updated legislation because disruption to these services could have "knock-on disruptions" to organizations operating in Singapore, he said.
Also: Employees input sensitive data into generative AI tools despite the risks
Companies that fall under this category are listed in the updated Act and will initially cover cloud computing and data center services. More companies will be added to the list as new types of digital infrastructures gain importance in supporting the needs of local businesses and consumers, the minister said.
Under this provision, the CSA can issue or approve standards of performance and codes of practice that providers of foundational digital infrastructure services must have in place. These providers will also have to report cybersecurity incidents that result in a disruption or degradation of their services in Singapore or that have a significant impact on their local business operations.