Cybersecurity – Legal tweaks essential, but so is a road map
Policymakers, experts should consider how to fortify digital regulation in a pragmatic, commercially sensible and equitable manner.
Since its enactment in 2018, Singapore’s Cybersecurity Act has served as the statutory framework for safeguarding the nation’s digital infrastructure. However, as digital transformation accelerates, so too do the challenges of maintaining cybersecurity.
In recent years, Singapore has experienced a surge in significant data breaches to key digital infrastructure due to attacks on cloud storage services and data centres operated by third-party vendors. Even lawyers are not immune to cyberthreats, with a well-known Singapore law firm allegedly paying a ransom of S$1.89 million in Bitcoin to threat actors recently.
Globally, bad actors have also used generative artificial intelligence (gen AI) to create sophisticated phishing and ransomware communications, to steal data or lock up access to, among others, public health facilities, financial systems, political parties and even defence capabilities.
Recognising the evolving landscape of operational risks, the Cybersecurity (Amendment) Bill aims to broaden regulatory oversight to additional forms of critical information infrastructure (CII), and owners and third-party operators of essential services and key digital infrastructures.
Fit for purpose, but fit for every vendor?
The Bill seeks to enhance the regulatory powers of the Commissioner of Cybersecurity, including the authority to authorise on-site inspections and expand the types of incidents to be reported.
It also extends CII obligations beyond CII providers, to third-party computing vendors who own or manage outsourced computers or computing systems integral to the delivery of the provider’s essential services. Providers could even be required to obtain legally binding commitments from these third parties.
We agree that it is important to keep Singapore’s cybersecurity laws “fit for purpose”, as the national Cyber Security Agency (CSA) suggests.
However, we wonder if the Bill’s extended and possibly wide-ranging application to new categories of computer systems, vendors and third parties in an attempt to cover new technologies and cybersecurity threats has been made clear to, and is fully understood by, the very stakeholders it seeks to include within its remit.
Indeed, the Bill proposes legally binding commitments from these third parties regarding disclosure.
This expanded scope seems to include requirements for vendors regarding incident reporting, auditing and risk assessments. Though connected, these are separate cost centres in most large organisations and could be daunting to smaller ones.
Simply put, much is expected of these third parties, and they might need to consult professional advisers, take cyberinsurance and incur the attendant costs of both.
We wonder if the Bill (and the agencies administering it) adequately equips operators and users of data infrastructure, including small and medium-sized enterprises (SMEs) that are deemed foundational to Singapore’s economy and are thus subject to heightened incident reporting obligations.
We appreciate that reporting requirements are intended to address evolving tactics of advanced persistent threat actors, who exploit supply chains and other peripheral systems to attack CII and to disrupt the delivery of essential services.
But as rules are rolled out, there should be a clear road map and consultative discussions with potentially impacted businesses, particularly SMEs.
The Bill, which was only open to public consultation for a month from Dec 15, 2023, focuses on “personal” information and seems to overlook other forms of business-confidential information, such as trade secrets. This narrow scope omits the full spectrum of data risks faced by modern enterprises.
Additionally, the Bill’s vague definition of “tools” capable of use by cybercriminals could raise concerns for businesses unsure if they are impacted.
It is unclear too whether the CSA has or will, for example, assess and recommend mitigation of gen AI-enabled cybersecurity threats facing Singapore’s digital infrastructure, in partnership with leading industry partners and potentially impacted SMEs that could help to develop, test and evaluate AI tools.
Moreover, the Bill lacks mechanisms for review and exemptions/exceptions for responsible businesses. Without avenues for relief, companies struggle to achieve full compliance while preserving operational efficiency. Collaboration with authorities to devise pragmatic approaches to incident reporting, especially concerning cybersecurity incidents along the supply chain, is imperative, in our view.
Incentives, exemptions/exceptions could be given or made for organisations or sectors with robust cybersecurity measures. Such whitelisting could be grounded in a business’s cybersecurity track record in effective risk mitigation, for example, and subject to case-by-case evaluations by the CSA.
Further, a comprehensive code of practice should delineate clear requirements encompassing audit and risk management, due diligence standards and cybersecurity training programmes.
Absent such measures and training on how to comply, SMEs could be hard-pressed to detect and respond promptly to cyberthreats that jeopardise data security. It is possible that they could choose to pay the ransom to threat actors rather than sound the alarm early, as the Bill’s drafters hope they would.
Importantly, we wonder if there is a road map that cybersecurity policymakers and regulators have put in place since the Bill was first contemplated, that adopts or takes into account international best practices that other countries have co-developed together with private-sector representatives and individual experts.
After all, these best practices are designed to tackle imminent, AI-powered and therefore potentially extensive cybersecurity threats.
When operationalising cybersecurity laws and standards, the CSA should also aim to align the latest cybersecurity road map with a whole-of-government plan, in line with the national AI strategy.
It would address efforts to promote the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber-based threats and importantly, deter the malicious use of AI capabilities to threaten the critical infrastructure Singapore’s residents rely on every day.
International best practices
Looking further afield, we observed the US executive order focusing on AI introduced by the Biden administration in late 2023. Although the executive order may not be perfect, its effort to establish an advanced cybersecurity programme reflects the proactive measures that states should be adopting. It is important to acknowledge the potential of this programme in identifying and resolving critical vulnerabilities.
Additionally, the focus on enhancing AI literacy and recruiting AI professionals demonstrates a forward-thinking approach to governance without hindering innovation. Essentially, the executive order offers a blueprint that encourages the prioritisation of oversight and safety measures, while still encouraging AI-driven research and innovation in vital sectors of the economy.
Similarly, the Network and Information Systems (NIS) directive, which aims to achieve a common level of cybersecurity across the European Union, offers valuable insights into proactive approaches to cybersecurity governance, including public-private partnerships and continuous risk assessment methodologies.
By leveraging on the experiences and expertise of industry leaders, we hope Singapore’s cybersecurity policymakers can develop a road map that aligns with global best practices and addresses emerging cybersecurity threats, particularly those driven by gen AI.
With proper assistance and guidance from the CSA and experts, gen AI can instead be used by companies in red/purple team exercises to find zero-day vulnerabilities pre-emptively. In the event a breach occurs, gen AI can help businesses assess the scope of cyberattacks, and respond in accordance with new cybersecurity laws and regulations through data breach notification and disclosure.
The proposed cybersecurity amendments look to be an important strategic investment in Singapore’s position as a regional leader in cybersecurity resilience. But to be able to tackle thorny cybersecurity threats impacting the digital infrastructure ecosystem, policymakers and experts should consider how to fortify digital regulation in a pragmatic, commercially sensible and equitable manner.