The Business Times

Cybersecurity – Legal tweaks essential, but so is a road map

Policymakers, experts should consider how to fortify digital regulation in a pragmatic, commercially sensible and equitable manner.

BY MAHDEV MOHAN, SHLOKA VIDYASAGAR AND ARJUN NARAYAN

Mahdev Mohan, a former Nominated Member of Parliament, is associate-general counsel with Advomi. Shloka Vidyasagar is a counsel with Advomi. Arjun Narayan is head of global trust and safety for Smart N

SINCE its enactment in 2018, Singapore's Cybersecurity Act has served as the statutory framework for safeguarding the nation's digital infrastructure. However, as digital transformation accelerates, so too do the challenges of maintaining cybersecurity.

In recent years, Singapore has experienced a surge in significant data breaches of key digital infrastructure due to attacks on cloud storage services and data centres operated by third-party vendors. Even lawyers are not immune to cyberthreats, with a well-known Singapore law firm allegedly paying a ransom of S$1.89 million in Bitcoin to threat actors recently.

Globally, bad actors have also used generative artificial intelligence (gen AI) to create sophisticated phishing and ransomware communications, to steal data or to lock up access to, among others, public health facilities, financial systems, political parties and even defence capabilities.

Recognising the evolving landscape of operational risks, the Cybersecurity (Amendment) Bill aims to broaden regulatory oversight to additional forms of critical information infrastructure (CII), and to owners and third-party operators of essential services and key digital infrastructures.

Fit for purpose, but fit for every vendor?

The Bill seeks to enhance the regulatory powers of the Commissioner of Cybersecurity, including the authority to authorise on-site inspections and to expand the types of incidents to be reported.

It also extends CII obligations beyond CII providers to third-party computing vendors who own or manage outsourced computers or computing systems integral to the delivery of the provider's essential services. Providers could even be required to obtain legally binding commitments from these third parties.

We agree that it is important to keep Singapore's cybersecurity laws "fit for purpose", as the national Cyber Security Agency (CSA) suggests.

However, we wonder if the Bill's extended and possibly wide-ranging application to new categories of computer systems, vendors and third parties, in an attempt to cover new technologies and cybersecurity threats, has been made clear to, and is fully understood by, the very stakeholders it seeks to bring within its remit.

Indeed, the Bill proposes legally binding commitments from these third parties regarding disclosure.

This expanded scope seems to include requirements for vendors regarding incident reporting, auditing and risk assessments. Though connected, these are separate cost centres in most large organisations and could be daunting to smaller ones.

Simply put, much is expected of these third parties, and they might need to consult professional advisers, take out cyberinsurance and incur the attendant costs of both.

We wonder if the Bill (and the agencies administering it) adequately equips operators and users of data infrastructure, including small and medium-sized enterprises (SMEs) that are deemed foundational to Singapore's economy and are thus subject to heightened incident reporting obligations, to meet those obligations.

We appreciate that reporting requirements are intended to address the evolving tactics of advanced persistent threat actors, who exploit supply chains and other peripheral systems to attack CII and to disrupt the delivery of essential services.

But as rules are rolled out, there should be a clear road map and consultative discussions with potentially impacted businesses, particularly SMEs.

The Bill, which was only open to public consultation for a month from Dec 15, 2023, focuses on "personal" information and seems to overlook other forms of business-confidential information, such as trade secrets. This narrow scope omits the full spectrum of data risks faced by modern enterprises.

Additionally, the Bill's vague definition of "tools" capable of use by cybercriminals could raise concerns for businesses unsure if they are impacted.

It is unclear too whether the CSA has assessed, or will assess, gen AI-enabled cybersecurity threats facing Singapore's digital infrastructure and recommend mitigations for them, in partnership with leading industry partners and potentially impacted SMEs that could help to develop, test and evaluate AI tools.

Moreover, the Bill lacks mechanisms for review and exemptions/exceptions for responsible businesses. Without avenues for relief, companies will struggle to achieve full compliance while preserving operational efficiency. Collaboration with the authorities to devise pragmatic approaches to incident reporting, especially concerning cybersecurity incidents along the supply chain, is imperative, in our view.

Incentives, exemptions or exceptions could be given to organisations or sectors with robust cybersecurity measures. Such whitelisting could be grounded in a business's track record of effective cybersecurity risk mitigation, for example, and subject to case-by-case evaluation by the CSA.

Further, a comprehensive code of practice should delineate clear requirements encompassing audit and risk management, due diligence standards and cybersecurity training programmes.

Absent such measures and training on how to comply, SMEs could be hard-pressed to detect and respond promptly to cyberthreats that jeopardise data security. It is possible that they could choose to pay the ransom to threat actors rather than sound the alarm early, as the Bill's drafters hope they will.

Importantly, we wonder whether cybersecurity policymakers and regulators have, since the Bill was first contemplated, put in place a road map that adopts or takes into account international best practices that other countries have co-developed with private-sector representatives and individual experts.

After all, these best practices are designed to tackle imminent, AI-powered and therefore potentially extensive cybersecurity threats.

When operationalising cybersecurity laws and standards, the CSA should also aim to align the latest cybersecurity road map with a whole-of-government plan, in line with the national AI strategy.

Such a plan would address efforts to promote the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber-based threats and, importantly, deter the malicious use of AI capabilities to threaten the critical infrastructure Singapore's residents rely on every day.

International best practices

Looking further afield, we observed the US executive order on AI introduced by the Biden administration in late 2023. Although the executive order may not be perfect, its effort to establish an advanced cybersecurity programme reflects the proactive measures that states should be adopting. It is important to acknowledge the potential of this programme in identifying and resolving critical vulnerabilities.

Additionally, the focus on enhancing AI literacy and recruiting AI professionals demonstrates a forward-thinking approach to governance without hindering innovation. Essentially, the executive order offers a blueprint that prioritises oversight and safety measures, while still encouraging AI-driven research and innovation in vital sectors of the economy.

Similarly, the Network and Information Systems (NIS) directive, which aims to achieve a common level of cybersecurity across the European Union, offers valuable insights into proactive approaches to cybersecurity governance, including public-private partnerships and continuous risk assessment methodologies.

By leveraging the experience and expertise of industry leaders, we hope Singapore's cybersecurity policymakers can develop a road map that aligns with global best practices and addresses emerging cybersecurity threats, particularly those driven by gen AI.

With proper assistance and guidance from the CSA and experts, gen AI can instead be used by companies in red/purple team exercises to find zero-day vulnerabilities pre-emptively. In the event a breach occurs, gen AI can help businesses assess the scope of cyberattacks and respond in accordance with new cybersecurity laws and regulations through data breach notification and disclosure.

The proposed cybersecurity amendments look to be an important strategic investment in Singapore's position as a regional leader in cybersecurity resilience. But to be able to tackle thorny cybersecurity threats impacting the digital infrastructure ecosystem, policymakers and experts should consider how to fortify digital regulation in a pragmatic, commercially sensible and equitable manner.

PHOTO: BT FILE. In recent years, Singapore has experienced a surge in significant data breaches of key digital infrastructure due to attacks on cloud storage services and data centres operated by third-party vendors.
