Australia: The Singapore draft Cybersecurity Bill and the way towards cyber security fitness

Last Updated: 15 October 2017
Article by Alexandra Wedutenko

Singapore's draft cyber security laws have a potentially wide reach, and could affect many Australian businesses.

Cyber security is one of the major global issues of our time. In September 2017, the Economist Intelligence Unit ranked a major cyber-attack as one of the ten most probable and impactful global risks. For a sense of magnitude, risks it considered to be lower include a war on the Korean peninsula, multiple countries withdrawing from the euro zone and a surge in global growth. The ability of nations to withstand the shock of realised cyber threats and new forms of cyber-attack is the new measure of national security and economic fitness. And as data inter-connectivity between countries increases, so too does the call for structures at home and abroad to address threats of such magnitude.

The Australian Government has just released for consultation an exposure draft of a Bill to regulate approximately 100 assets in the highest-risk sectors of ports, electricity and water, requiring operational information to be provided, and allowing the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate significant national security risks (for example, by implementing extra cyber security measures to guard against data theft or unauthorised access to the asset's control network through a legitimate connection to the asset). We'll be looking at this in more detail in future articles.

Given this context, it is a useful exercise to consider a new cyber security law proposed by one of Australia's nearby trading partners, which will affect:

  • Australians who own or operate a computer or computer systems in Singapore; and
  • Australians who provide cyber security services in Singapore, or to Australian organisations active in Singapore.

A comparative study - the Singaporean Cybersecurity Bill

Singapore is Australia's largest trade and investment partner in the Association of Southeast Asian Nations. The Singapore-Australia Free Trade Agreement reflects our increasingly connected business environments. In 2016, Australia and Singapore agreed to enhance their military intelligence sharing operations via an inter-governmental memorandum of understanding.

Singapore's draft Cybersecurity Bill sets out a single, comprehensive framework for addressing cyber security threats on a national scale. Thus, Singapore has taken a step further than Australia. The Cybersecurity Bill complements and supports the obligations in the Singaporean privacy legislation, the Personal Data Protection Act, by proposing to place new obligations on owners and controllers of computer systems. The Cybersecurity Bill is expected to be passed by the Singaporean parliament by the start of 2018.

Key Singaporean reforms

  • Establishes the Commissioner of Cyber Security with broad powers and functions to prevent cyber-attacks and implement cyber protection measures.
  • Establishes the concept of "critical information infrastructure" (CIIs) and a comprehensive regulatory framework for designated CIIs which includes a reporting regime and participation in national cyber security stress tests. CIIs are defined as computers or computer systems that are necessary for the continuous delivery of "essential services" (such as energy, water, and banking and finance), the loss or compromise of which would debilitate, among other things, Singapore's national security, foreign relations, defence, economy or public order. A computer system is defined as an arrangement of interconnected computers and includes information technology systems and operational systems such as an industrial control system, programmable logic controller or distributed control system.
  • Grants the Commissioner broad powers to investigate and prevent cyber security incidents including by directing organisations to remediate cyber incidents, installing software and taking possession of computer systems to prevent serious cyber-attacks.
  • Establishes a framework for the sharing of cyber security information.
  • Sets up a regulatory regime for "cyber service providers".

New Commissioner of Cyber Security

Under the Cybersecurity Bill, the Minister may appoint a Commissioner of Cyber Security. The Commissioner will have an interesting mix of investigative and regulatory powers combined with a broader focus on advocating Singapore's cyber security interests overseas. The Commissioner will, among other things:

  • oversee and maintain the cyber security of computers and computer systems in Singapore;
  • advise the government or other public authority on national needs and policies in respect of cyber security matters generally;
  • monitor cyber security threats and respond to cyber security incidents that threaten Singapore's national security, defence, economy, foreign relations, public health, public order, public safety or essential services, whether such cybersecurity threats or incidents occur in or outside of Singapore;
  • identify and designate critical information infrastructure;
  • establish cyber security codes of practice and standards of performance for implementation by owners of critical information infrastructure;
  • represent the government and advocate Singapore's interests on cyber security issues internationally;
  • cooperate with CERTs internationally on cyber security incidents;
  • develop and promote the cyber security industry in Singapore; and
  • establish standards in relation to cyber security practitioners and products in Singapore.

We do not know how the Commissioner will utilise his/her resources to administer such a broad range of functions. In Australia the Privacy Commissioner, for example, has taken on an educational role rather than an enforcement role in the administration of the Privacy Act. From Australia's perspective, it will be interesting to see, if the Cybersecurity Bill gets up, which functions the Commissioner focuses on - regulatory, investigative, advisory or international co-operation.

Proactive measures to prevent cyber threats

An interesting feature of the Cybersecurity Bill is the Commissioner's (and investigating officer's) broad power to take significant proactive measures to prevent a cyber threat. The measures may affect any person who carries out commercial activities in Singapore and, in particular, those who own or manage a computer or computer system, even if those systems are not designated CIIs. Further, the duties on computer or computer system owners/managers substantially increase if the Commissioner decides that such systems may be involved in significant cyber security incidents.

Based on the current Cybersecurity Bill, the Commissioner or an appointed investigating officer may, on information received by the Commissioner, investigate the potential impact of a cyber security threat in order to prevent further harm. This includes the power to:

  • require statements from any person about the cyber security threat or incident;
  • require any person to produce a physical or electronic record, or a document containing any information, that the investigating officer considers to be related to any matter relevant to the investigation; and
  • require the attendance of and orally examine any person who appears to be acquainted with the facts and circumstances relating to the cyber security threat (failure to attend without lawful excuse being an offence penalised by a fine and potentially imprisonment).

Where the Commissioner is satisfied that the threat is sufficiently severe (assessed against criteria such as the severity of harm and the impact on national security) and the investigating officer has reasonable cause to suspect that a system is affected by the threat, the investigating officer may:

  • direct any person to carry out remedial measures on a computer system. Remedial measures include installing software updates, disconnecting infected computers and redirecting malicious data traffic to designated computer servers; and
  • require the owner of a computer or computer system to carry out steps to assist with the investigation including allowing investigating officers to install any software program on computers or interconnect any equipment to the computer for the purpose of investigations.

The Commissioner or an appointed investigating officer may also:

  • assess, inspect and check the operation of computers and copy extracts from any electronic record or program contained in a computer that may be impacted by a cyber security incident; and
  • with consent, take possession of any computer or other equipment for the purpose of conducting a full examination or analysis.

Based on the current drafting, there seems to be a notable absence of structural checks and balances to guard against abuse of power or process with respect to the powers of investigating officers and their use of preventative measures.

Similar process issues may arise with respect to the relevant Minister's expansive powers to prevent cyber threats by implementing emergency cyber security measures. Under the draft Cybersecurity Bill, if the Minister is satisfied that it is necessary to prevent any threat to essential services or other national security concerns (including foreign relations and public order of Singapore), the Minister may direct any person or organisation to take such measures as may be necessary to prevent, detect or counter any threat to a computer system or any class of computers or systems or services.

Critical Information Infrastructure (CIIs)

Under the Singaporean Cybersecurity Bill, the Commissioner will regulate systems designated as CIIs. Owners of CIIs will need to comply with a range of obligations including to:

  • provide technical information to the Commissioner about the CII;
  • notify the Commissioner about cyber security incidents including in interconnected systems;
  • cause regular audits of compliance with the Act to be carried out by an auditor approved by the Commissioner;
  • notify the Commissioner about changes in ownership of CII;
  • carry out regular risk assessments of the CII as required by the Commissioner; and
  • participate in cybersecurity exercises as required by the Commissioner.

While regular audits and risk assessments are conventional risk management techniques, the obligation to provide technical information and to participate in cyber security exercises are broad measures.

There are risks for persons and organisations in providing technical information to government agencies. While the Commissioner will not require disclosure of information that is subject to a law prohibiting disclosure, the Commissioner is otherwise able to require disclosure. CII owners who fail to provide information or fail to comply with the notice requiring disclosure, without reasonable excuse, will be liable to pay up to $100,000 or may be imprisoned for up to two years. CII owners will also be liable to a fine of up to $25,000 and/or two years imprisonment if they do not notify the Commissioner of material changes to that information within 30 days of making that change.

While Australia's Cyber Security Strategy has recognised the importance of cyber security stress tests to enhance cyber capabilities, it seems the Australian Government does not currently intend to require organisations to participate. Under the Singaporean Cybersecurity Bill, the Commissioner will have the power to conduct, and compel private sector participation in, national cyber security exercises for the purposes of testing the state of readiness of owners of different CIIs in responding to significant cybersecurity incidents at a national level. If an owner of a CII does not participate in such an exercise, they will be liable to a fine of up to $100,000 and may be imprisoned for up to two years, and more if it constitutes a continuing offence.

At this stage, there is no guidance on what kinds of exercises will constitute a national cyber security exercise. It will be fascinating to see how such a requirement will be achieved in practice and how legitimate business interests with respect to proprietary systems, information and cost are addressed.

Cyber service provider licences

Singapore also proposes to set up a regulatory regime for persons or businesses defined as "cyber security service providers". Under the current Cybersecurity Bill, cyber security services include non-investigative services such as designing and implementing cyber security solutions and investigative services such as forensic analysis and cyber threat responses.

If a provider supplies such services, they must obtain a licence from the Cyber Security Agency and, if licensed, will have significant duties to keep records (including personal information of customers) and to provide that information to the Commissioner. Any person who fails to comply with this duty will be guilty of an offence and liable to a fine of up to $10,000, imprisonment for up to one year, or both.

The way forward

Singapore has a culture of compliance with international standards. If passed, Singapore's implementation of the new cyber security law and associated policies will be important to monitor to see if a unified cyber law is a preferable way to address the issue in Australia. In addition, the proposed Singaporean law may impact on Australians who own or operate a computer or computer systems in Singapore.

Australians who provide cyber security services in Singapore or to Australian organisations active in Singapore should also be aware of the licensing obligations proposed under the Singaporean Cybersecurity Bill.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.
