On the Cybersecurity Act

Let us take a look at the Cybersecurity Act 2018 and see how it affects professionals in the industry. I believe it is a good first step; however, more can be done in terms of enforcement, as well as in the wording of the law itself.

S2 Interpretation
“cybersecurity” means the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state —
(a) the computer or computer system continues to be available and operational;
(b) the integrity of the computer or computer system is maintained; and
(c) the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained;

“cybersecurity service” means a service provided by a person for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person (A), and includes the following:
(redacted for brevity)

(2)  For the purposes of the definition of “cybersecurity service”, a person does not provide a cybersecurity service only because the person —
(a) sells, or sells licences for, cybersecurity programs intended to be installed by a user without the assistance of the seller for the protection of the cybersecurity of a user’s computer; or
(b) provides services for the management of a computer network or computer system, that are aimed at ensuring the availability of or enhancing the performance of the computer network or computer system.

This is particularly interesting. Cybersecurity is defined as the state in which a computer system is protected from unauthorised access or attack, and because of that state continues to be available and operational. However, a person who provides services aimed only at ensuring the availability of a computer system is not considered to be providing a cybersecurity service. Is this what the government really intended, that anti-DDoS services are not cybersecurity services? Or did the government have a much narrower notion of availability in mind when drafting subsection (2)(b), i.e. availability that is affected by technical or equipment failure rather than by a cyber attack? If the latter was the intention, then the law should have been worded better.

S3 Application of Act
(5)  To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government.

This is a welcome move. The Personal Data Protection Act 2012 does not apply to public agencies or to organisations acting on behalf of a public agency. It is high time that the government also be held accountable for its shortcomings. The impact of a data breach on the populace is the same regardless of where the breach originates. Allowing double standards will just cause attackers to shift their attention to the softer government targets.

S20 Powers to investigate and prevent serious cybersecurity incidents, etc.
(d) after giving reasonable notice to the owner or occupier of any premises, enter those premises if the incident response officer reasonably suspects that there is within the premises a computer or computer system that is or was affected by the cybersecurity incident;
(redacted for brevity)
(h) subject to subsection (5), with the consent of the owner, take possession of any computer or other equipment for the purpose of carrying out further examination or analysis.
(5)  Where the owner of the computer or other equipment does not consent to the exercise of the power mentioned in subsection (2)(h), the power may be exercised if the Commissioner is satisfied that —
(a) the exercise of the power is necessary for the purposes of the investigation;

If your personal computer has been infected and is being used to attack the power grid, the officers can enter your home and seize your personal computer. These are some wide-ranging powers indeed. We have seen supply chain attacks, where attackers compromise vendors and try to use that foothold to reach the target. However, I don't think there has been a case so far where personal computers have been used in such a manner. Given the threat landscape today, I question the need to include residential premises in the scope; perhaps it would be sufficient to limit the scope to commercial premises only.

S22 Appointment of cybersecurity technical experts
22.—(1)  The Commissioner may in writing appoint any of the following as a cybersecurity technical expert for a specified period to assist any incident response officer in the course of an investigation under section 19 or 20:
(a) a public officer or an employee of a statutory body;
(b) an individual (who is not a public officer or an employee of a statutory body) with suitable qualifications or experience to properly perform the role of a cybersecurity technical expert;
(c) a full-time national serviceman enlisted in any force constituted under the Singapore Armed Forces Act (Cap. 295) or in the Special Constabulary constituted under section 66 of the Police Force Act (Cap. 235).

I don't know of any suitable individual who would be happy to be lumped together with an NSF who has only undergone a few months of vocational training in cybersecurity. It just demeans the industry and the professionals who have worked hard at their craft.

S36 Offences by corporations
Where a corporation commits an offence under this Act, a person —
(a) who is —
(i) an officer of the corporation, or a member of the corporation (in the case where the affairs of the corporation are managed by its members); or
(ii)    an individual involved in the management of the corporation and in a position to influence the conduct of the corporation in relation to the commission of the offence; and
(b) who —
(i) consented or connived, or conspired with others, to effect the commission of the offence;
(ii)    is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence by the corporation; or
(iii)   knew or ought reasonably to have known that the offence by the corporation (or an offence of the same type) would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence,
shall be guilty of that same offence as is the corporation, and shall be liable on conviction to be punished accordingly.

Officers and managers who shirk their responsibilities may be held personally liable. This will be a good way to ensure people take their jobs seriously. Nonetheless, legislating is not sufficient; the government must be willing to enforce the law. In the recent SingHealth case, several employees were found to be grossly negligent, contravening S14 Duty to report cybersecurity incident in respect of critical information infrastructure. However, no individual was held accountable.

Update (27-11-2019) - The government has announced that third-party vendors handling government data who misuse personal data will also come under the Personal Data Protection Act.