Computer Misuse and Cybersecurity (Amendment) Bill
Bill Summary
Purpose: Presented by Senior Minister of State for Home Affairs Desmond Lee, the Bill aims to enhance the legal framework against cybercrime by criminalizing the trade of illegally obtained personal information and the possession or supply of hacking tools intended for criminal use. It also allows for the amalgamation of multiple cyber offences into a single charge and extends extraterritorial jurisdiction to acts committed overseas that cause or risk serious harm in Singapore.
Key Concerns raised by MPs: Mr Murali Pillai sought assurance that journalists and researchers would not fall foul of the law when handling hacked data for legitimate work and expressed concern that the new provisions might not sufficiently cover "grey market" data brokers who sell hacked personal information to businesses.
Transcripts
First Reading (9 March 2017)
"to amend the Computer Misuse and Cybersecurity Act (Chapter 50A of the 2007 Revised Edition)",
presented by the Senior Minister of State for Home Affairs (Mr Desmond Lee); read the First time; to be read a Second time on the next available Sitting of Parliament, and to be printed.
Second Reading (3 April 2017)
1.31 pm
Order for Second Reading read.
The Senior Minister of State for Home Affairs (Mr Desmond Lee): Mdm Speaker, I beg to move, "That the Bill be now read a Second time."
Madam, in recent years, cyberattacks have increased in complexity, frequency and scale. The Government has taken steps on multiple fronts to deal with such threats. The Cyber Security Agency of Singapore (CSA) was formed in 2015 as the central agency to oversee and coordinate Singapore's cybersecurity strategy.
CSA nurtures ties with the industry and raises cybersecurity awareness through public outreach programmes. It is responsible for developing a robust cybersecurity industry and ecosystem. CSA also seeks to strengthen cybersecurity in critical sectors, such as energy and banking, and ensure effective coordination and deployment in responding to cyber threats.
The Ministry of Defence (MINDEF) will be setting up the Defence Cyber Organisation (DCO), which will take charge of developing the military's cyber defence capabilities. The Ministry of Home Affairs (MHA) launched the National Cybercrime Action Plan (NCAP) last year, which sets out the Government's key priorities and strategies to combat cybercrime. The plan focuses on four areas.
First, educating and empowering the public to stay safe in cyberspace through public outreach programmes.
Second, enhancing the Government's capacity and capability to combat cybercrime. One key initiative was the establishment of the Police Cybercrime Command in 2015. The Command integrates the Police's cyber-related investigations, forensics, intelligence and crime prevention capabilities.
The third priority area is stepping up close partnerships with the industry and Institutes of Higher Learning (IHLs), as well as international engagement with foreign counterparts.
The fourth area is strengthening legislation and the criminal justice framework.
This Bill will help ensure that our legislation remains effective in dealing with the transnational nature of cybercrime and the evolving tactics of cybercriminals.
Madam, in Singapore, the term "cybercrime" typically refers to two categories of offences. The first category involves traditional, real-world crimes that are perpetrated using a computer. Offences in this category, for example, e-commerce scams, are covered by criminal laws, such as the Penal Code.
The second category involves criminal acts that target computer systems. Offences in this category are covered by the Computer Misuse and Cybersecurity Act (CMCA) which this Bill seeks to amend. These include criminal acts like the unauthorised access of computer material and we would commonly refer to these as acts of "hacking".
This Bill will enable the Police to be more effective in dealing with this second category of cybercrime. For the first category of cybercrime, the Police will continue their current efforts, including public education and working with international counterparts. MHA is also reviewing whether changes to other laws are required to tackle the evolving nature of how criminals are using the Internet to commit crime.
Madam, we have seen an increase in the number of cybercrime cases in recent years. In 2016, the Police investigated 691 cases under CMCA. This was more than double the 280 cases in 2015. Apart from the increase in volume, cybercrime cases have also increased in complexity. Cybercriminals use a variety of tactics and tools to carry out elaborate attacks.
For example, the Police investigated nearly 300 cases last year, where the perpetrators hacked into victims' bank accounts. The criminals developed a fake banking App, with accompanying fake banking websites. This tricked victims into keying in their personal details and login credentials, which were then stolen by these criminals.
The growth of cybercrime is a global phenomenon, facilitated by technological advances and the ubiquity of the Internet and smart mobile devices. Internet of Things (IoT) devices have also been attacked. Last October, an estimated 100,000 IoT devices were compromised and used to trigger a Distributed Denial of Service (DDoS) attack against the servers of Dyn, a company that controls much of the Internet's Domain Name System infrastructure. This disrupted major websites in the United States (US) and Europe, including Twitter, Netflix and Cable News Network (CNN).
Massive breaches of personal information have also become commonplace. Yahoo has suffered one of the worst data breaches, with 1.5 billion user accounts compromised over 2013 and 2014. In April last year, the Philippines Commission on the Elections database was attacked. Personal information belonging to 55 million voters was hacked. Hacked personal information has been used to facilitate crimes like theft and cheating.
On the dark web, hacked credit card information or passwords, as well as hacking tools, can be purchased easily and cheaply. The 2016 Underground Hacker Marketplace Report by Dell SecureWorks reported that stolen Visa or Mastercard details can cost as little as US$7 on the dark web. Hacking tools, such as Remote Access Trojans, cost less than US$10. Even hacking services are available. Hackers charge a daily rate of around US$30 to US$55 for DDoS attack services.
Cybercrime imposes significant costs on individual victims and the society at large. In 2016, victims in Singapore lost about S$10 million through parcel or impersonation scams involving unauthorised access to the victims' Internet-banking accounts. The culprits would usually empty the victims' bank accounts. One victim lost almost S$380,000 to scammers. These financial losses are devastating to the victims because, to many of them, these monies are their life savings intended to finance the education of their children or meant for their retirement.
With our high Internet penetration rate, it is even more important that we safeguard ourselves against cybercrime and enable ourselves to take firm enforcement action against criminals who make use of the anonymity and borderless nature of the Internet to commit cybercrimes.
This Bill, therefore, seeks to strengthen the operational effectiveness of the Police in dealing with cybercrime. In developing this Bill, we have taken reference from legislation in the United Kingdom (UK) and Canada. We have also consulted the cybersecurity industry to ensure that the provisions are practical and appropriately scoped.
Allow me now to take Members through the key provisions of the Bill. Broadly, the key amendments seek to address the evolving tactics of cybercriminals and the transnational nature of cybercrime.
Clause 3 of the Bill introduces new sections 8A and 8B to address the evolving tactics of cybercriminals. Cybercriminals may deal in personal information, such as the National Registration Identity Card (NRIC) and Foreign Identification Number (FIN) numbers, credit card numbers and residential addresses, which have been illegally obtained from a computer system. Currently, our law allows us to deal with the culprit who illegally obtained personal information from a computer system, or the culprit who misused the information to commit crimes, such as impersonation and cheating. However, there may be other "middlemen" individuals who may trade in such personal information but are not directly involved in the hacking or cheating offences.
For example, criminals may run a website buying and selling hacked credit card information online. These individuals are currently not liable for an offence under the Act.
The new section 8A, therefore, closes the gap by making it an offence to obtain or deal in such personal information. The new section 8A criminalises acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe had been obtained by committing a computer crime. The act of obtaining or retaining such personal information will be an offence, as will be supplying, offering to supply, transmitting or making available that information.
It is not the Government's intent to criminalise legitimate cybersecurity industry practices. We understand that cybersecurity professionals may deal with hacked personal information in the course of their work. For instance, they may transmit such information for the purpose of analysing a data breach or for the purpose of highlighting vulnerabilities in a system.
We have, therefore, introduced exceptions in section 8A. It is not an offence if the individual obtained or retained the personal information for a legitimate purpose. It is also not an offence if the individual supplied, offered to supply, transmitted or made available the personal information for a legitimate purpose and they did not know or have reason to believe that the information will be or is likely to be used to commit an offence.
Ultimately, we need to strike a balance between protecting the public interest and ensuring that legitimate practices of the cybersecurity industry can continue. It would not be difficult for bona fide cybersecurity professionals to explain why they have hacked personal information in their possession. It is also not the Police's intention to demand that every cybersecurity professional provide such explanations. Rather, in the course of investigations into a CMCA offence, the Police need to have the powers to deal with individuals who are found to have such personal information belonging to others.
Fundamentally, care should be exercised when dealing with personal information, especially information that has been hacked and may be subsequently used in the commission of an offence. This applies also to cybersecurity professionals.
Madam, the new section 8B criminalises acts in relation to an item that is designed primarily for committing a computer crime or is capable of being used for such purposes. Such items are commonly known as "hacking tools" and will include physical devices, software, passwords and access codes. The prohibited acts include obtaining or retaining the hacking tool, and making, supplying or making available the hacking tool.
To ensure that the provision does not inadvertently prohibit legitimate access by cybersecurity professionals to such tools, this is an offence only if the act is carried out with the intention of committing or facilitating the commission of a computer crime. Other jurisdictions, like the UK, have similarly made it an offence to make, supply or obtain hacking tools, where there is intent to commit or assist in the committing of a computer offence.
Madam, clause 5 of the Bill introduces a new section 11A, which allows the Prosecution to amalgamate, as a single charge of one offence, two or more acts that are the same computer offence, and which have been committed over a 12-month or shorter period in relation to the same computer.
Cybercriminals may conduct multiple unauthorised acts against a computer over a period of time in preparation for or as part of an actual attack. This amendment allows for multiple acts of a similar nature to be amalgamated as a single charge. This allows the attack to be appropriately described as a whole, rather than artificially segmented as a series of separate acts. Enhanced penalties may be appropriately meted out when the combined acts result in high aggregate damage.
Madam, the second area of amendments addresses the transnational nature of cybercrime. The Internet is borderless, and cybercrimes are often perpetrated across geographical borders. Clause 4 amends section 11 to give Singapore jurisdiction over computer offences, where the act causes or creates a significant risk of serious harm in Singapore.
Currently, offences in the Act apply extraterritorially only if the perpetrator or the computer, programme or data was in Singapore at the material time. This prevents enforcement action from being taken against the person who was overseas at the material time and who had targeted an overseas computer.
The amendment will give extraterritorial effect to these offences, if the act resulted in serious harm or created a significant risk of such harm in Singapore. The Police will then be able to initiate investigations against cybercriminals located overseas. The Police will collaborate with their foreign counterparts to provide and share evidence of such cases, with a view to extraditing these offenders to Singapore where possible and prosecuting them before Singapore Courts.
As extending the jurisdiction of the Act extraterritorially is not something that we do lightly, we have scoped the definition of the phrase "serious harm in Singapore" carefully, so as to ensure that Police resources will only be used to investigate cases with significant impact in Singapore. We also ensure that we establish extraterritorial jurisdiction in accordance with international norms and standards.
The phrase "serious harm in Singapore" has been defined to include, among other things: illness, injury or death of individuals in Singapore; disruption of essential services in Singapore; and disruption of the carrying out of governmental duties and functions. These would include acts, such as unauthorised access of bank account details belonging to customers of a bank in Singapore, and publication of the medical records of patients of a local hospital.
Madam, in conclusion, this Bill will allow the Police to handle the increasing scale and complexity of cybercrime, as well as the evolving tactics of cybercriminals. Mdm Speaker, I beg to move.
Question proposed.
Mdm Speaker: Mr Murali Pillai.
1.46 pm
Mr Murali Pillai (Bukit Batok): Mdm Speaker, I rise in support of this amendment Bill.
As we forge ahead in becoming a Smart Nation, our increasing use of and reliance on technology and computers to solve our problems and better our lives bring about many benefits but also make us more vulnerable to cybercriminals.
Take, for example, the breach of MINDEF's Internet access system for servicemen and employees this year. This case was referred to by the Second Minister for Defence during Question Time today. The incident led to personal data, including NRIC numbers and telephone numbers, of around 850 servicemen and employees being stolen. The work appears to be targeted and not the work of a casual hacker. If not for the Government's farsighted move last year to separate computer systems having Internet access from systems containing classified information, the impact on our country may have been worse. While this breach may have been relatively contained, we should expect increasing attempts to breach our systems. Our laws need to be able to keep pace with such attempts and the increasing sophistication of hackers and other cybercriminals.
The changes that the Bill seeks to make to CMCA, whilst not numerous, are significant in shoring up our ability to go after criminals who make use of technology to threaten our security. In particular, the new provisions to criminalise dealing with hacked data containing personal information for illegitimate purposes are a significant development in our fight against cybercrime. The expansion of the extraterritorial application of the CMCA offence would also allow us to address the transnational nature of cybercrimes by going after criminals who operate in the interstices of the law by disrupting our security through computers located overseas. I have three points to make on the proposed amendments to the Act.
First, the new section 8A of the Bill makes it an offence for a person to obtain, retain, supply or make available personal information that he or she knew or had reason to believe that it was obtained through unauthorised access to a programme or computer system. However, the section provides that it is not an offence under that section if the person obtained or retained the personal information for a purpose other than for use or supply to be used in committing any offence. The section also provides that it is not an offence under that section if the person supplied the personal information for a purpose other than to be used in committing an offence and that he did not know or have reason to believe that the information would be used to commit an offence.
When hacked personal data is made widely available, as in the case of Wikileaks and also in the Kbox incident in Singapore when personal data of over 300,000 customers were posted online, such data is often regarded as a treasure trove of information for certain categories of individuals, such as journalists for reporting purposes, and researchers, where such data may be useful for their research. My reading of section 8A is that dealing with hacked personal data is only an offence when it is obtained, retained or transmitted for the purpose of supplying and/or using it in the commission of offences. If my reading is correct, then it is open to journalists and researchers to deal with publicly available information obtained through computer hacking. Perhaps, the Senior Minister of State could please clarify the Government's position to give some assurance to journalists and researchers that their obtaining and retention of such data for the purposes of their work would not cause them to fall foul of the law.
Second, on a related point, while section 8A would go some way to deter illegitimate dealing with hacked personal data, I wonder if there may still be some unaddressed challenges in our laws. One area is the potential for sale of personal data. At a symposium I attended some years back, an enforcement officer spoke about the spiking of identity theft worldwide. One unique feature of stolen personal data, unlike chattels, such as stolen paintings, is that it can be sold again and again, therein lies the economic attraction of targeting databases containing personal data.
According to a Tech In Asia article in 2014, it was reported, worryingly in my respectful view, that there exists a grey market in Singapore for sale of data. It further states that tons of customer data can be bought for a dirt cheap price of about 1.2 Singapore cents apiece. The report also contained an account of a sales pitch given by a shady data broker who goes by the name of John Lee. Mr Lee claimed to have data from Groupon and other popular shopping sites in Singapore that could be purchased from him.
One possible reading of the proposed section 8A is that it would not apply to Mr Lee even if Mr Lee had, in fact, obtained knowingly the personal data from a hacker, for his onward sale of data to legitimate businesses. This is because the proposed new section 8A requires the commission of an offence. However, the sale or disclosure of personal data to others, while prohibited under the Personal Data Protection Act that attracts enforcement action by the Personal Data Commission, is not an offence per se. In contrast, the sale of personal data by a person who knowingly or recklessly obtained such data without the consent of the data controller has been made an offence in the UK through their Data Protection Act. If my understanding of the provision is correct, I suggest that we consider criminalising the sale of personal data obtained through unauthorised means. Without closing off this avenue, there is a danger we may be exposed to a proliferation of identity thefts.
Finally, the amendments to section 11 expand the extraterritorial effect of the Bill to allow us to prosecute offences under the Act which cause or create a significant risk of serious harm in Singapore. The definition of "serious harm in Singapore" in the section does not appear to include situations where unauthorised access to computer material causes significant disruptions to commercial businesses in Singapore which may not be regarded as "essential services" under section 15A(12) of the Bill. For example, if there were to be a simultaneous DDoS attack on all Singapore e-commerce sites over a sustained period of time, this may have a severe impact on the businesses of these Singapore companies. Yet, we may not be able to go after the persons responsible.
Perhaps, we may consider expanding the definition of "serious harm" to include damage to the economy of Singapore, similar to what the UK has provided for in its Computer Misuse Act. Also, should this provision conferring extraterritorial jurisdiction be invoked, I would imagine that the Government would spare no efforts to bring the perpetrators located overseas to face justice in Singapore. May I please ask what steps will be taken to make these offences an extradition crime that would enable the Government to extradite these offenders to Singapore? Would the Government please consider updating the list of offences for which extradition may be made possible under the Extradition Act?
With constant new challenges posed by evolving technologies, I support our efforts to guard against those who use technology to try and exploit our vulnerabilities. I support this Bill.
Mdm Speaker: Mr Dennis Tan.
1.55 pm
Mr Dennis Tan Lip Fong (Non-Constituency Member): Madam, the threats of cyberattacks have increased in recent years. Such attacks affect Government agencies as well as companies and individuals.
Attacks on Government information technology (IT) systems may have national security implications. Recently, MINDEF's I-net system was breached and the personal details of 850 National Servicemen and staff at MINDEF were stolen in what MINDEF has described as a "targeted and carefully planned" cyberattack.
Internationally, foreign governments or elements have been accused of hacking into political party emails or servers of other countries purportedly for political gains. An example would be the alleged hackings on the email servers during the last US presidential elections campaign.
Cyberattacks also affect businesses and individuals, causing financial losses and breach of confidential information, for example, downtime, loss of confidential business information or leaking of customer data. In October 2016, Starhub's servers came under cyberattacks, preventing its customers from going online for two days.
The existing CMCA grants powers for law enforcement agencies to investigate and take actions against individuals or companies behind acts of cybercrime. As the incidence of cyberattacks increases, as culprits of cybercrimes get bolder and smarter, we have to take appropriate and proportionate actions against such crimes and their perpetrators.
The Computer Misuse and Cybersecurity (Amendment) Bill introduces four main changes.
One, creating a new offence to obtain, retain or supply personal information obtained through an earlier act of cybercrime.
Two, creating a new offence for obtaining items which can be used to commit an offence under the Bill.
Three, making it an offence certain acts which are committed overseas, and targeting overseas-based computers, but which create a significant risk of serious harm in Singapore.
Four, amalgamating charges for offences under the Bill.
Madam, in the explanatory note to this Bill, we read that this Bill seeks to amend the Act "primarily to deal with the changing modus operandi with which computer offences are carried out". While I support this Bill, I have two grave concerns.
Clause 3 provides for a new section 8A(6), and I quote: "For the purpose of proving under subsection (1) that a person knows or has reason to believe that any personal information was obtained by an act done in contravention of sections 3, 4, 5 or 6, it is not necessary for the prosecution to prove the particulars of contravention, such as who carried out the contravention and when it took place."
This section is doing away with the need for the prosecution to prove the particulars of contravention, such as who carried out the contravention and when it took place. Madam, I am somewhat uncomfortable with the prosecution being relieved of this burden to prove the particulars of the contravention in question. I think these are fundamental issues which the prosecution should prove before another person can be charged and convicted of obtaining, retaining or making use of the information in question. While I agree that we need to enhance our efforts to tackle and prosecute cybercrimes, I still believe that we should really try to limit easing the burden of proof in this way.
Madam, I refer next to the amendments contained in clause 4 which pertains to the amendment of section 11 of the Act. This broadens the Courts' jurisdiction to offences that cause "serious harm" to Singapore, and "harm" is defined, inter alia, as "serious diminution of public confidence in the provision of any essential service or exercise of any power" in subsection (4)(b) and "a disruption of, or a serious diminution of public confidence in, the performance of any duty or function of, or the exercise of any power by the Government, an Organ of State, a Statutory Board…" and so on. This term "serious diminution of public confidence" seems somewhat unnecessarily broad. How does one define this term and how do we expect the Courts to decide what constitutes "serious diminution of public confidence"? I look forward to the Senior Minister of State's clarification.
Finally, in closing, at the 2016 Budget Debate, Minister Yaacob Ibrahim said that there will be a new standalone Cybersecurity Bill that will be tabled in Parliament in 2017 which will, I quote "ensure that operators take proactive steps to secure our critical information infrastructure, and report incidents" and also "empower CSA to manage cyber incidents and raise the standards of cybersecurity providers in Singapore". In light of the recent incidents, may I take the opportunity to ask the Government to update the House on the Government's plans for this, even though I realise it may be of a different Ministry? Madam, I support the Bill.
Mdm Speaker: Mr Thomas Chua.
2.01 pm
Mr Thomas Chua Kee Seng (Nominated Member): Madam, in Mandarin.
(In Mandarin): [Please refer to Vernacular Speech.] Mdm Speaker, computers and websites bring us much convenience as well as elements of risk. The Government's amendment of CMCA would increase cybersecurity and is a very timely action.
In May this year, the newly set up Smart Nation and Digital Government Office would strengthen cross-agency coordination and collaboration. The National University of Singapore will also provide data science training for 10,000 public servants, helping them to apply technology with ease and use data and digital tools more effectively.
In the area of cyber usage and security, Government agencies have already accumulated a wealth of experience. In comparison, businesses' risk awareness and digital capability are obviously lacking. But in the cyberworld, enterprises can also become the target of cyberattacks. Hence, I hope that the Government could transfer their wealth of experience to companies and enable the professional digital training courses offered to public servants to be promoted and made available in the business community. We would urge companies to send their top management and core technical personnel to receive training and enable the public and private sectors to build a safety net of cybersecurity at the same time.
At the same time, businesses which make use of digital technology must strengthen their cybersecurity awareness. For example, the National Trade Platform (NTP), which is being set up and will be operational in 2018, would allow enterprises and the Government to exchange information, help enterprises to lower their costs and simplify trade processes. In using this platform, companies' key digital data is also open to cyber risks. Hence, I hope that in designing the platform, the Government would place the priority on cybersecurity.
Amendments to the Act involve sensitive information which needs protection, such as essential services like energy, water supply, banking and finance and transportation. NTP is one of Singapore's most important trade infrastructures in the cyberworld and ought to be in the scope of cyber protection.
I would also urge businesses to pay heed to the newly amended Bill, especially in the newly inserted section 8B on criminal offences: anyone who obtains, retains, sells, creates, supplies or uses whichever method to commit computer-related offences, or deliberately allows these products to be used, would be committing an offence. Hence, moving forward, businesses must be much more vigilant when they are buying or selling products, to avoid being made use of unwittingly. I would like to recommend more clarity during implementation. For instance, how can businesses prove that their actions are legal and aboveboard? Will there be a relevant agency to provide guidance to businesses and will we set up an enforcement agency to monitor the implementation of this clause?
As the amended Bill would strengthen the protection of national and individual interests, then digitalisation entails a large injection of capital, manpower and resources. The Government may feel that businesses should be responsible for their own cybersecurity. However, when cyberattacks cause a certain degree of harm to "enterprises engaged in non-essential services", it would also involve public interests and deserve legal protection. Hence, businesses hope that the Government can expand the protection scope and protect companies in the "non-essential service" areas as well, so that they do not become the target or victim of cyberattacks or transboundary crimes. In this way, these amendments could benefit a broader base of the business community and the interests of industry groups and economic entities.
New technologies produce new conveniences, as well as new risks and new loopholes. I support the Government's move to regularly amend related security regulations to ensure that national, individual and business interests are not compromised. Moving forward, safeguarding cybersecurity is everyone's responsibility and is a topic everyone should be concerned about.
Mdm Speaker: Assoc Prof Mahdev Mohan.
2.06 pm
Asst Prof Mahdev Mohan (Nominated Member): Madam, cybersecurity − combating small- or large-scale cyberattacks − must be of paramount importance to a smart, resilient nation, such as Singapore.
The recent cyberattack against the Singapore Armed Forces (SAF) and MINDEF that led to the leak of data belonging to almost 800 or more personnel, is a sobering reminder that Singaporeans are not immune from such attacks. As cybercriminals become more sophisticated, so, too, must our law enforcement agencies and professionals. It is this House's solemn duty, I would say, Madam, to ensure that our laws, such as CMCA, keep apace of the developments and are refined periodically to deal with new disruptive threats.
I thus welcome the amendment Bill which seeks to finetune CMCA. In particular, I commend clause 4, Madam, that amends section 11 to give the statute extraterritorial effect to ensure that even if computer misuse or a cyberattack is committed by a person who is overseas at the time of the misuse or attack, or targeted at an overseas computer, the law will not be confounded by technicalities. It will look at what the misuse leads to. In particular, it will ask whether there is significant harm or serious risk of such harm in Singapore. It is well known to international lawyers as such objective territoriality is a recognised base of jurisdiction and it has been used successfully in other pieces of legislation and is contemplated by the Securities and Futures Act and the Transboundary Haze Pollution Law as well.
I would ask the Senior Minister of State respectfully though, how enforcement will be ensured. I will add my voice to what was raised earlier by the hon Member Mr Murali Pillai, who asked whether there should be additional crank that is included into the extradition list and other forms of enforcement that the enforcement agencies or the Government would consider.
Whether there is serious harm caused in Singapore is a high threshold, Madam. It is not too broad. It looks at whether there was illness, injury, death, disruption of essential services in Singapore. We can, therefore, hope to count on regulators and investigators and others in our criminal justice system who tirelessly work to uphold criminal justice in Singapore. Having said this, Madam, I would like to ask the Ministry four questions.
First, does the Ministry intend to propose perhaps further cybersecurity legislation beyond the current amendment in the near future that will aim to give the authorities powers to audit the business sectors and organisations to ensure that they have cyber defence systems in place?
Two, will the new laws impose perhaps extensive incident reporting, audits, risk assessments and facilitate the sharing of cybersecurity information, and perhaps even mandate the participation of critical information infrastructure operators in cybersecurity exercises? If so, while this may be welcomed, information and communications technology (ICT) companies and service providers should also be included in the consultation exercises, which will lead to such Bills.
Madam, third, how will the new cybersecurity legislation that might be proposed, seen together with the current amendments proposed in this Bill, impact on Singaporeans' and residents' personal data protection rights under the law?
Mr Murali Pillai raised a concern that is close to my heart about whether researchers will also be restrained in some way. Beyond researchers, Madam, there is a further question. Will other news agencies that report on Singapore or whose Internet service providing capacities would be misused? I am thinking about in my mind Yahoo News, Microsoft Network (MSN) news and so on. Will they also be constrained in some way?
Finally, cybersecurity safety requires a close collaboration between public agencies, private sector and universities. I am happy to report that the Secure Mobile Centre at Singapore Management University, funded by the National Research Foundation's National Cybersecurity and research and development programme, is one such example. This centre aims to create a novel ICT solution to secure different layers of mobile computing systems and to assess the scalability and usability of such new technologies and solutions to conduct experiments in real-world settings, so as to guard against such attacks in the future.
Thus, Madam, my question to the Ministry would be, apart from prosecution and investigation leading to prosecution, will the Ministry be enhancing its efforts aimed at detection and prevention, in tandem with centres, such as the Secure Mobile Centre? I support the Bill, Madam.
Mdm Speaker: Ms Thanaletchimi.
2.12 pm
Ms K Thanaletchimi (Nominated Member): Mdm Speaker, I rise in support of the Bill. This Bill aims to address the increasing scale and transnational nature of cybercrime, as well as the evolving tactics of cybercriminals' punishable offences.
As the cyber workspace expands, it is important to secure individuals, organisations and Singapore from being victims of cyber intrusions and cyberattacks which could hurt the very heart of Singapore's cyber connectivity and economic vibrancy. For our Smart Nation Programme to realise its objectives, a safer cybersecurity ecosystem is required, and it needs to be strengthened as new developments and tactics evolve and are exploited by cybercriminals.
Madam, at this point, I wish to seek the following clarifications.
Will the key information infrastructure operators, such as energy, finance and transport operators, be required to report on incidences of breaches or attempted breaches of cybersecurity as and when they occur rather than when directed by the Minister? Will such reporting be extended to the other business sectors, too?
Second, what is the awareness level of cybersecurity and its importance to all companies in Singapore, especially small and medium enterprises? How well are these companies protected? Do these companies see the importance of it and invest adequately in cybersecurity to protect both their individual workers' and clients' data? Will there be support and assistance for companies in instituting a holistic approach to protecting their cybersecurity system from cybercrime?
Madam, for better security, we require companies' cooperation, effort as well as commitment to build cybersecurity capabilities and invest in employees' education for awareness and implementation of best practices in their usual work processes.
Third, how many organisations or companies have cyber insurances to minimise their losses or liabilities which often comes with greater awareness of cybercrimes and means to secure and tighten their cybersecurity?
Lastly, Madam, Singapore's CSA's concern on the lack of awareness of cybersecurity amongst Singaporeans is real. And the challenges are here to stay as our cyber transactions, cyberspace communication and cyber connectivity have increasingly become a vital part of our lives with social media use being highly pervasive.
On this note, have we done enough and taken all possible measures to educate and increase the awareness of cybersecurity amongst students, employees, employers, social agencies as well as members of the public? I believe there is still room for improvement. With that, thank you, Madam.
Mdm Speaker: Mr Melvin Yong.
2.15 pm
Mr Melvin Yong Yik Chye (Tanjong Pagar): Mdm Speaker, I rise in support of the Bill. We are living in a world today where many of our daily activities involve and depend on online transactions. Many Singaporeans bank online, and many more do their shopping online. This brings about greater convenience but also opens us up to new security threats.
There are many examples of hacking cases. Last year, hackers reportedly sent out repeated phishing emails to various US institutions, and John Podesta, Chairman of Hillary Clinton's presidential campaign, allegedly clicked on one such malicious email, allowing access to over 60,000 private correspondences, some of which were subsequently leaked to the public.
Closer to home, we have heard personal data of 850 Singaporean National Servicemen were stolen after a targeted cyberattack on MINDEF's Internet system. Fortunately, the compromised system did not contain classified or sensitive information.
This Bill will further strengthen our cybersecurity framework and I support the amendments. However, I would like to seek some clarifications from the Minister.
First, clause 4 seeks to give extraterritorial application to computer offences. Investigating extraterritorial offences is never easy and cooperation from our foreign counterparts is crucial. Given the complexities of computer crimes and the different interpretations across jurisdictions, what is the possibility that a suspect may escape liability due to technical defects or mistakes?
With an inevitable rising cyber threat, there is a need for better qualified and highly competent cybersecurity professionals to support our cybersecurity infrastructure across both the public and private sectors. Many companies have highlighted the shortage of such professionals locally. Last month, the Minister for Communications and Information announced the launch of a Cybersecurity Professional Scheme to double the existing pool of cybersecurity professionals in the public sector over the next few years. What about the manpower needs for the private sector? Are there any plans to build a similar technical pool of expertise for the private sector?
Today, IoT, a vast network of smart devices connecting and interacting with one another, is gaining momentum. Personal devices and common appliances may be the weak links in our cyber defence. As in many cases, it simply takes one unknowing or unguarded individual to click on a malicious email or hyperlink and that will endanger the whole system. How can we enhance our public awareness, particularly for small businesses, which do not invest as much in cybersecurity?
Mdm Speaker, as Singapore continues to develop digitally, we also face increased risk of cyberattacks. We need to strengthen our cybersecurity infrastructure, enhance our legislation and, most importantly, establish a pool of cyber warriors to protect our computer systems. Mdm Speaker, I support the Bill.
Mdm Speaker: Mr Desmond Choo.
2.19 pm
Mr Desmond Choo (Tampines): Mdm Speaker, the cyberspace has become the new frontier for security. The borderless and anonymous nature of cyberspace is an ideal hive for criminals. Singapore is not alone. Our overall crime rate decreased slightly last year but online crimes are on the rise. The fast-evolving nature of cybercrimes and our increasingly heavy digital reliance make it imperative that we strengthen our cybersecurity laws to protect our citizens from harm.
I support strengthening our laws on computer misuse and cybersecurity but I would like to seek clarification on several new provisions contained in this Bill. The new section 8A deals with personal information of individuals that has been obtained through hacking or other computer crimes and further using it for non-legitimate purposes. May I know what constitutes "personal information"? The types of personal information that are available online or on computers can vary from having one's photos on a "private" or "friends only" access on Facebook, to having more personal information, such as addresses and contact or credit card numbers. Furthermore, does the provision in section 8A mean that website owners will have an added legal responsibility in watching out for unlawful information being posted as comments on their site?
The issue of online identity fraud is becoming more common and can lead to severe outcomes if not properly dealt with. Just recently, a community leader has had his photos used not only on Facebook, but on various other online platforms. His photo was found to have been scanned onto a digital image of a foreign passport, which was circulated online. Even without hacking or obtaining personal information through crime, cybercriminals can disrupt an individual's life by merely taking a photograph obtained online and using it for nefarious ends.
While acts of this sort are covered under provisions in the Penal Code, such as sections 415 and 416 which deal with cheating in general, or under the Protection from Harassment Act, the conditions in cyberspace could create new dimensions of committing crime that may require them to be treated separately. With the rise of such incidences in cyberspace and the convenience with which they can be committed, would the Minister consider having such incidences covered under this Bill for added deterrence?
Having new provisions in this Bill means that more manpower and expertise might be needed to investigate these cybercrimes. As the field of cybersecurity is a relatively new one, do we have adequate numbers of officers trained in cybersecurity to tackle these crimes? MINDEF recently announced that it will have a new cyber command and will rope in NSmen in cyber defence. I encourage the Home Team to take similar steps to ensure that it has enough expertise in handling an increase in cybercrimes.
As cybercrimes are often transboundary in nature, I support the move to include an extraterritorial application of CMCA offences which cause serious harm to Singapore. However, investigations for such cases are usually complex as it will involve dealing with the laws of other jurisdictions. This might hinder investigations. In addition to that, how would distributed databases and cloud services affect investigation and enforcement? Could the Minister elaborate on how this can be overcome?
Finally, as many Singaporeans are users of cyberspace, how will the Ministry educate the public on these provisions? What public communication plans are there to increase awareness of these issues? How will the Ministry galvanise the support of netizens as they can play a role in combatting cybercrimes by being more vigilant when they are in cyberspace?
Establishing and evolving our cybersecurity blanket is critical to support Singapore's growth in the digital economy. This Bill provides greater assurances that our cyberspace can be a safer one. Mdm Speaker, I support the Bill.
Mdm Speaker: Mr Ang Wei Neng.
2.23 pm
Mr Ang Wei Neng (Jurong): Mdm Speaker, when it comes to cybersecurity, many of us think in terms of our personal laptops and mobile phones. In fact, it would be catastrophic if the computers running our national infrastructure are compromised. In Ukraine, cyberattacks caused a power blackout in Ukraine in December 2016. In the UK, a newly set up cyber protection agency fended off 188 serious attacks in the first three months of 2017. In Germany, its military system was attacked 284,000 times in the first nine weeks of 2017 alone. Thus, Germany has just formed a new Cyber and Information Space Command (CIR) on 1 April 2017. The new command will be on par with the army, navy and air force. Besides disrupting our lives, what is deeply worrying is that a successful large-scale cyberattack would result in the loss of trust and faith in Singapore's systems, from businesses and investors.
Cybersecurity is, therefore, critical to Singaporeans. I had asked about the issue of how the Police are tackling cybercrimes previously and am glad that the Police have set up a Cybercrime Command within the Criminal Investigation Department in 2015.
In this latest set of amendments, the toughening of legal clout against the act of dealing and trading in personal information, the buying and selling of hacking tools, and offences that are committed abroad which may cause serious harm to Singapore, will certainly build on what has already been done to strengthen Singapore's cybersecurity and resilience.
However, technology is constantly evolving and I am certain new situations will arise which may require further strengthening of our laws in future. For instance, is it an offence to set up a fake Facebook account? Under the current laws, it is not. But several of my Parliamentary colleagues and I have had fake Facebook accounts set up in our names, and once the perpetrators successfully befriend our friends, they proceed to ask for donations through private messages. Fortunately, no money was transacted as my friends were rightly suspicious, but in such situations should the Police be given powers to investigate fake Facebook accounts?
Being strong in cybersecurity also presents an economic opportunity which Singapore can leverage on. Israel is a world leader in cybersecurity solutions and its cybersecurity exports totaled $6 billion in 2014. Interestingly, it was a top-down initiative which started with a directive by Israel's Prime Minister Benjamin Netanyahu. With Singapore's interest, investment and emphasis on the digital economy, we are well-placed to become the cybersecurity equivalent of Israel in Asia if we can get our act together. Mdm Speaker, in Mandarin, please.
(In Mandarin): [Please refer to Vernacular Speech.] Although it is important to toughen the laws to deter the hackers and mete out harsher penalties to them, prevention is even more critical.
I believe that the Singapore Cybercrime Command and the soon-to-be established DCO under MINDEF will help us map out national and defence cybersecurity strategies.
However, the key is whether we have enough computer specialists, in particular, cybersecurity professionals. In this respect, I hope that the Government can adopt a multi-pronged approach. First, we should train more cyber specialists, with a focus on cybersecurity professionals. We all know that most of our top performing students choose medicine or law, because lawyers and doctors tend to earn big money. We need to encourage some of these top students to study computer science instead. Offering attractive scholarships is one way, formulating an IT professional development roadmap is equally important to prevent a brain drain in the IT sector.
To attract more top students to choose scholarships in computer science and better tap on computer specialists who are serving National Service, I suggest that MINDEF allow Singaporeans serving full-time National Service who have been awarded scholarships to study IT to be disrupted from NS to complete their tertiary education first before returning to serve in DCO. This is similar to allowing medical students to return to serve in the army after they have obtained their medical degrees. Returning army doctors can treat our soldiers. In the same vein, returning computer specialists can help guard against computer viruses and cyberattacks. This is "killing two birds with one stone".
(In English): Mdm Speaker, we also need to boost the general knowledge of IT and cybersecurity at the base level. In this respect, I am glad that the National University of Singapore (NUS) and the Government Technology Agency of Singapore (GovTech) have committed to train 10,000 civil servants in data science in the next five years. However, it is not clear from the newspaper report which group of civil servants will be trained by NUS. I would like to suggest that such IT training should be extended to all Government scholars and top civil servants, which is particularly important as the appreciation of IT application for our future economy and cybersecurity needs should start at the very top. With this, I support the Bill.
Mdm Speaker: Ms Joan Pereira.
2.30 pm
Ms Joan Pereira (Tanjong Pagar): Mdm Speaker, as a Smart Nation dependent on the power of ICT, we must have a robust infrastructure and legislative framework to protect the integrity of our cyber networks and digital systems. Our laws must keep up with the fast-evolving nature of cyber activities.
This is a timely Bill which will empower the Ministry to deal with the increasing number of cybercrimes, including the unauthorised use of personal information and the trade and tools to facilitate such illegal usage.
The amendment to criminalise offences under the Bill if they are committed in foreign jurisdictions using computers overseas is overdue and closes a loophole in the current Act.
I would like to take this opportunity to express my concern about how well-prepared our small and medium enterprises (SMEs) are to deal with cyber threats. I note that for the "SMEs Go Digital" programme which was announced at this year's Budget, areas, such as cybersecurity and data protection, are included. I urge the Government to also use this programme as a one-stop platform for SMEs to keep their companies abreast of new developments in cyber defences and to share their experiences in countering cyberattacks, the protection of digital properties and recovery processes. Such mutual support and even collaborations will be helpful for the prevention of future attacks.
I would like to ask the Minister what plans the Ministry has to encourage more companies and organisations to step forward and report on cybercrimes on their networks and systems. Ideally, all offences should be reported so that the Ministry will have a better overview of criminal activities in this landscape, which will inform current and future policies to protect our systems as a whole.
Would the Ministry also share the progress of its various cyber awareness programmes targeting different segments of our community, from our students to the elderly? How does the Ministry gauge the effectiveness of these programmes in reducing the number of cybercrime victims?
Finally, I would like to ask how we can step up the numbers and training of cybersecurity personnel for both our Government and private sectors. Our legislative framework cannot be enforced without these talents to protect our systems and track down the perpetrators of cyber offences. How are we going to overcome the problem of these IT specialist shortages, particularly in the middle and senior ranks? I would like to conclude with my support for the Bill.
Mdm Speaker: Mr Louis Ng.
2.32 pm
Mr Louis Ng Kok Kwang (Nee Soon): Madam, I stand in support of the Bill.
We live in an increasingly connected world, but the Internet has also created a multitude of opportunities for criminals to thrive. Quite a few Members of this House have recently had their Facebook identities stolen and used to send phishing messages. I am sure that came as a rude shock, but at least my colleagues had the capacity to deal with the matter quickly. I fear, however, that many Singaporeans do not.
The Bill amends CMCA in three ways. First, it recognises that sophisticated software, in the hands of wrong persons, can be as dangerous as giving them physical weapons. Second, it criminalises acts of cybersecurity that originate physically outside our borders but pass through or target computers within. Third, it criminalises the use of personal data that have been obtained through hacks. All three changes are necessary steps to build a society that is more resilient to cybercrime.
Madam, clause 3 of the Bill introduces the new section 8A which provides increased powers to the authorities. While this could be a needed move in light of the increased cyberattacks and misuse of information, I am concerned with the drafting of section 8A(6) that fellow Member Mr Dennis Tan had raised previously.
By way of background, section 8A(1) penalises people who use personal information that arises from the contravention of certain sections of the Act. The new section 8A(6) removes the need for the prosecution to prove that any of those sections of the Act was contravened in order to prove that an offence was committed under section 8A(1). The prosecution is only required to prove that the perpetrator knows or has reason to believe that the relevant sections were contravened.
However, could a perpetrator truly and accurately know that one of the relevant sections was contravened at the time of the offence? What is the burden of proof required under this section?
Further, can the Minister clarify why a safe conviction could not be achieved when the prosecution does not need to prove that a relevant section was contravened when section 8A(1) is premised on the contravention of these sections?
Next, I am concerned that there is a growing digital divide that is leaving our Pioneer Generation behind. I have many elderly residents who do not know how to use a computer properly. Hence, I am concerned that our elderly are vulnerable to cybercrime. Anecdotes of the elderly falling victim to scams are plenty. In this regard, can there be a collaboration with the Pioneer Generation Office with regard to IT resilience for our Pioneer Generation?
Further, may I also suggest coordinated grassroots campaigns in relation to cybersecurity be launched? Under these campaigns, grassroots leaders (GRLs) can reach out to the elderly on topics, such as how to spot phishing emails or messages and how to protect themselves against cybercrime.
Madam, I stand in support of this Bill. I believe that as we continue to push towards being a smart and connected nation, we should also not leave behind anyone and ensure that all of us are protected against cybercrimes.
Mdm Speaker: Senior Minister of State Desmond Lee.
Mr Desmond Lee: Mdm Speaker, I thank Members for speaking about the threats in cyberspace and for supporting the Bill.
Indeed, cyberspace presents new opportunities for criminals to operate. Hacking tools are readily available and criminals can misuse these tools to carry out attacks on computer systems. Many criminals commit computer offences to illegally obtain personal information which can then be used, in turn, to carry out offences like theft and fraud. Cybercriminals are emboldened by the fact that computer offences can be carried out from overseas. I will use two previous examples of cybercrime cases to illustrate the need for this Bill.
Members may recall the case of hacker James Raj. James Raj, who adopted the pseudonym "The Messiah", was convicted of numerous charges under the Act for committing a series of hacks in 2013. He was responsible for hacking the server of Fuji Xerox, the Straits Times' blog, as well as the websites of certain Government agencies. The statements of 647 private banking clients of Standard Chartered Bank, which had been stored on the hacked Fuji Xerox's server, were found on James Raj's laptop. This was hacked personal information. Various hacking tools were also found on the system.
The second example, just last year, a former administrative assistant James Sim, he was charged for cracking the passwords of about 300 SingPass account holders in 2011 and selling the account holders' personal details to a China-based syndicate involved in sham Singapore visa applications. The syndicate successfully applied for 23 visas, with 20 Chinese nationals entering Singapore using these visas. Three of the Chinese nationals were later found to have committed criminal offences while in Singapore. They were charged and repatriated. James Sim's actions enabled criminals to breach Singapore's immigration and border protection system.
These two cases show that the amendments in this Bill are necessary to deal with the unique law enforcement challenges posed by cybercrime. The amendments to the Act will enable the Police to effectively deal with the evolving tactics of cybercriminals and the transnational nature of cybercrime.
Several Members spoke about the new sections 8A and 8B of the Bill. We need to strike a balance between protecting the public interest and ensuring that legitimate cybersecurity industry practices can continue because they contribute to the overall atmosphere of cybersecurity in Singapore and elsewhere.
We have, therefore, introduced exceptions in these provisions. These were drafted in consultation with stakeholders from the cybersecurity industry, telecommunications companies (telcos) and Internet Service Providers. With these exceptions, legitimate practices will not be criminalised.
Mr Desmond Choo asked what "personal information" in section 8A would cover. "Personal information" is defined in the Bill. It includes information about an individual, whether true or not, which is commonly used alone or in combination with other information to identify an individual. This is a broad definition and can include addresses, dates of birth and credit card numbers. These information types are sold online often for criminal gain. Personal photographs may, depending on the circumstances, be considered personal information. Depending on the facts of the case on how the photographs are obtained and used, there may be other Penal Code offences, such as cheating by personation or harassment under the Protection from Harassment Act (POHA). Section 8A will only apply if the personal information in question was obtained through a computer crime.
Mr Ang Wei Neng referred to the recent cases of Members of this House having been impersonated via fake Facebook accounts. Hacking an existing Facebook account is already an offence under CMCA. Creating a fake Facebook account is not a CMCA offence in itself. But depending on the facts of the case, for instance, if cheating is involved, other Penal Code offences, such as cheating by personation, may have been committed.
Mr Murali Pillai asked whether a journalist or a researcher dealing with hacked personal information in the course of their work would have committed an offence under the new section 8A. There is nothing wrong with the journalist reporting on the hacking incident or the researcher who works with the hacked personal information for research purposes. But it is doubtful if they would ever need to disclose the hacked personal information itself, as part of the report or research findings. For example, there is no need for them to publish details, such as hacked credit card numbers, as part of the report on the hacking incident or the research findings. Depending on the circumstances, indiscriminately making available hacked personal information may amount to an offence.
Care should always be exercised where hacked personal information is transmitted, even if for a legitimate purpose. This could be done by ensuring that the information is only transmitted to trusted persons who have a legitimate reason to receive the information. Where possible, the personal information should be redacted or anonymised.
Mr Desmond Choo asked if website owners have an added responsibility to watch out for unlawful information posted on their sites. Website owners who are aware of hacked personal information hosted on their servers are encouraged to report this to the authorities. This is no different for anyone who comes across hacked personal information.
Mr Louis Ng and Mr Dennis Tan spoke about the prosecution not having to prove the particulars of the computer offence through which the personal information was obtained, that is, no need to prove the predicate offence when prosecuting the case of a person under section 8A.
The prosecution, first, has to prove that the person involved knew or had reason to believe that the personal information was obtained by an act of hacking, in contravention of CMCA. There will be cases where it will be clear from the circumstances that the information in question could only have been obtained by hacking. For instance, if there is evidence to show that credit card numbers were purchased from a website that trades in hacked credit card information, or if there is an entire file of bank account passwords that the person downloaded from such a site. But it can be practically difficult for the prosecution to also prove the particulars of the actual hacking offence for each of the pieces of information found on the site containing information that had been obtained through hacking.
In the earlier example where the credit card numbers were purchased from an illegal website, the identity of the hacker and the exact time when the hack took place may not be known, or easily verifiable. The law, therefore, needs to allow the prosecution to go after the criminal who has committed the offence of dealing in the hacked personal information, without having to also prove the particulars of the actual hacking offence, which may be impossible to fully investigate.
Mr Murali Pillai made several points about data protection, including how the provisions in CMCA and the Personal Data Protection Act (PDPA) would apply.
PDPA establishes various rules governing the collection, use and disclosure of personal data by organisations. It recognises both the needs of organisations to collect, use and disclose personal data for legitimate and reasonable purposes and the rights of individuals to have their personal data adequately protected from intentional misuse and unauthorised disclosure.
Section 8A criminalises acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe has been obtained through a computer crime. MHA's intent is to prevent the misuse of such hacked personal information for criminal purposes.
For example, in a scenario where a report was received regarding the online posting of hacked personal information belonging, say, to customers of a company, the Police would investigate whether a criminal offence under section 8A had been committed by the person who posted the information. The Personal Data Protection Commission (PDPC) would look into whether the company had made reasonable security arrangements to prevent the unauthorised access of this personal information.
The Police and the Commission will work closely together in dealing with such cases and ensure that there is no overlap in investigation responsibilities, while protecting the public's interest.
As for Mr Murali Pillai's question on whether we should criminalise the sale of personal information obtained through unauthorised means, regardless of whether the information is hacked, this is beyond the scope of the current Bill. But depending on the circumstances, this may be covered under other laws. We will consider the Member's suggestion in the review of these other pieces of legislation.
Several Members highlighted the need for the private sector to level up cybersecurity by strengthening cybersecurity awareness among businesses, like growing cybersecurity expertise in the private sector. These are both focus areas in Singapore's cybersecurity strategy and are led by CSA.
Cybersecurity is a collective responsibility and everyone, whether individuals or businesses, has a role to play in making cyberspace a safer place. To promote cybersecurity awareness, the Government has been running the Cybersecurity Awareness Campaign since 2011.
The Cybersecurity Awareness Alliance, started in 2008, brings together Government agencies, private enterprises and professional associations to promote the adoption of essential cybersecurity practices. The Singapore Computer Emergency Response Team (SingCERT) under CSA provides advisories to help businesses pre-empt and prevent cyberattacks. Businesses are also encouraged to read cybersecurity tips and resources on CSA's GoSafeOnline website.
Ms Joan Pereira and Ms Thanaletchimi spoke about keeping SMEs informed of the latest developments in cybersecurity. By the third quarter of 2017, businesses will be able to get in-person help at the SME Digital Tech Hub set up by IMDA. The Tech Hub will provide technical advice to SMEs with more advanced digital needs, such as cybersecurity and data analytics. The Hub will help to connect SMEs to ICT vendors and consultants, as well as conduct workshops and seminars to help SMEs build their digital capabilities. On their part, businesses must also recognise and treat cyber risks as important business risks.
The Government is also collaborating with industry to grow the cybersecurity workforce for Singapore. For example, under the Cyber Security Associates and Technologists (CSAT) programme, CSA and IMDA work with the industry and IHLs to attract new graduates and convert existing professionals from related fields.
Our universities and polytechnics are also offering cybersecurity programmes for those keen to pursue cybersecurity education. These efforts will go a long way towards creating a vibrant cybersecurity ecosystem for Singapore.
Asst Prof Mahdev Mohan and Mr Dennis Tan asked if there would be other cybersecurity legislation and what its shape would be like.
Members may be aware that the Ministry of Communications and Information (MCI) is planning to table a Cybersecurity Bill later this year. CMCA will complement this new Bill. The Cybersecurity Bill will ensure that owners and operators of Critical Information Infrastructure take proactive steps to secure their systems and networks and report incidents. It will also empower CSA to respond to cyber threats, facilitate the sharing of cybersecurity information and raise the standards of cybersecurity providers in Singapore.
We will also convey various Members' suggestions and feedback to CSA and MCI for their consideration as they work on the Cybersecurity Act.
But cybersecurity and cybercrime are closely related. The perpetrators of cyber incidents, which CSA would manage, might have committed an offence under CMCA in the process of carrying out the attack.
Mr Thomas Chua, Mr Murali Pillai and Mr Dennis Tan spoke about widening the extraterritorial jurisdiction of the Bill beyond acts that result in serious harm. As mentioned, offences in CMCA currently have extraterritorial effect if the perpetrator or the computer, programme or data was in Singapore at the material time. For example, the act of hacking a computer which was located in Singapore would already be covered by the Act, even if the perpetrator were located overseas at the material time.
Mr Desmond Choo asked how cloud services and distributed databases affect enforcement and investigation of cybercrimes. Today, an increasing amount of data that is hosted on the cloud may actually be physically stored in servers located overseas. This makes cybercrime investigations more challenging. This is a challenge faced by law enforcement agencies worldwide.
Where necessary, the Police will work with overseas counterparts to investigate such cases. The widening of the jurisdiction of CMCA will enable the Police to investigate cases where the criminal act resulted in serious harm or created a significant risk of serious harm in Singapore, even if the perpetrator was overseas at the material time and targeted a computer overseas. The amendment in clause 4 will allow such cases to be charged and prosecuted before our Courts.
However, we have scoped the definition of "serious harm in Singapore" carefully, so that the cases we investigate and prosecute are those that have a significant impact in Singapore. These may include cases where there is illness, injury or death caused to individuals in Singapore; a disruption of essential services, such as services directly related to public transportation, banking and finance and public utilities; a disruption of the performance of any duty or function of the Government; and where there is damage to the national security, defence or foreign relations of Singapore.
Mr Murali Pillai asked that we also include as serious harm any act that damages the economy of Singapore. The definition of essential services already takes into consideration the critical sectors that will affect the economy, should they be attacked.
Mr Dennis Tan wanted to know how the amended section 11 subsection 4 paragraph (c), in the definition of "serious harm in Singapore", will be operationalised in respect of the sub-clause on "serious diminution of public confidence" in Government services or the disruption of Government functions. What constitutes a "serious diminution of public confidence" would certainly depend on the facts of the case, but there are examples in the Bill of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the performance of any duty or function of or the exercise of the power by the Government, an Organ of State or a Statutory Board. These examples include providing to the public access to confidential documents belonging to a Ministry of the Government, as well as publication to the public of the access codes for a computer belonging to a Statutory Board.
Mr Thomas Chua asked for similar protection for essential services to be extended to NTP. I hope that is the correct interpretation or translation of what the Member said in Mandarin. NTP can be considered as supporting an "essential service" as currently defined in CMCA. It is also a function provided by the Government. So, depending on the actual situation, a disruption to this could be considered within the scope of "serious harm" in the Bill.
Mr Melvin Yong, Mr Murali Pillai and Mr Desmond Choo spoke about the challenges of investigating cybercrimes committed overseas. This is another reason why the provisions have to be scoped, so as to ensure that Police resources are not over-committed to pursue crimes that have limited or no impact on Singapore.
For the cases that are investigated, the Police will work closely with overseas counterparts to provide and share evidence of such cases, with a view to prosecuting the criminals in Singapore.
Mr Murali Pillai and Asst Prof Mahdev Mohan both asked if we will make CMCA offences extraditable under the Extradition Act. MHA is working with the Ministry of Law (MinLaw) to specify offences under CMCA as extradition offences.
Mr Louis Ng, Mr Desmond Choo and Ms Joan Pereira gave various suggestions on how to deal with cybercrime, and I thank them for that. Last year, MHA launched NCAP, which I referred to in my opening statement. NCAP sets out the Government's key principles and priorities in combating cybercrime, and amending CMCA is one of the key initiatives of NCAP.
Under NCAP, we have also enhanced public education and outreach efforts. As Mr Desmond Choo said, the public can play a role in combating cybercrimes by being more vigilant in cyberspace. Mr Louis Ng and Ms Joan Pereira spoke about outreach efforts for vulnerable groups, such as young students and the elderly. The Police work closely with schools and organisations, such as the Media Literacy Council, to raise awareness of cybercrimes among these vulnerable groups.
The Police have also been using existing senior citizen engagement platforms, such as IMDA's Silver IT Fest, to raise the cybercrime awareness of senior citizens. I thank Members for their suggestions to further enhance our outreach efforts to the various vulnerable groups.
Ms Joan Pereira also asked how we would encourage companies to step forward and report cybercrimes. With greater awareness, the private sector is better able to help the Police to detect cybercrimes.
This year, the Police established a public-private industry platform to foster closer collaboration with software companies, telcos and banks on cybercrime detection and prevention. The Police also regularly reach out to smaller businesses to share information on cybercrimes and cybercrime prevention.
Mr Desmond Choo asked how we would educate the general public on the provisions of this Bill. Our public cybercrime outreach programmes are principally focused on how to prevent members of the public from falling victim to cybercrimes, but most members of the public would not use hacking tools or transmit hacked personal information. But we agree that there is a need to reach out to the cybersecurity industry as well as to students. MHA has worked with organisations, such as the Singapore Infocomm Technology Federation (SiTF), to publicise information about the new provisions. We will continue to work with CSA on outreach efforts.
We have also stepped up enforcement actions against cybercrime. Last year, the Police conducted five island-wide enforcement operations targeting scams. More than 300 people were arrested in connection with scam cases, involving about $1.8 million in total.
Mr Desmond Choo asked what steps the Home Team will be taking to ensure that it has sufficient expertise to handle the increase in cybercrimes. We have been building up new capabilities in the fight against cybercrime. I had spoken earlier about the role of the Police Cybercrime Command in coordinating an effective response to cybercrime.
We have also set up Cybercrime Response Teams in every Police Land Division. The teams augment the manpower available to respond to cybercrime reports by assisting investigation officers in responding to cybercrime reports through collecting and processing digital evidence.
We have also been working closely with industry and IHLs. For example, Temasek Polytechnic and MHA are developing a TALENT Lab, which will be used to train students from IHLs in cybercrime investigations and forensic skills. The Lab will be officially opened later this year.
We have also continued to strengthen our international partnerships. Last year, MHA, the Attorney-General's Chambers and CSA organised the first Association of Southeast Asian Nations (ASEAN) Cybercrime Prosecutors' Roundtable Meeting. This event brought together ASEAN cybercrime prosecutors to share their experiences in addressing cybercrime cases and build networks among the prosecutors. These efforts to fight cybercrime have started to show encouraging results.
Notably, the number of reports of cheating cases involving e-commerce, which forms about half of all online scam cases, decreased by 6% last year, from 2,239 cases in 2015 to 2,105 cases in 2016. However, these cases, along with scams, like Internet love scams and officials impersonation scams, still remain a significant crime concern. We will continue to monitor the cybercrime situation and calibrate our outreach programme and enforcement efforts accordingly.
MHA will continue its efforts under NCAP, in partnership with industry, IHLs, the public and law enforcement agencies, so that we can, collectively, create a safe and secure online environment.
Mdm Speaker, the amendments to CMCA help strengthen our response to cybercrime. The threats have so far been under control, but they lurk in many dark corners of cyberspace. We, therefore, need to put in place a robust legislative framework with safeguards, but also with the necessary enforcement levers as part of a comprehensive cybercrime and cybersecurity strategy, to ensure that our computers, systems and data are better protected.
Question put, and agreed to.
Bill accordingly read a Second time and committed to a Committee of the whole House.
The House immediately resolved itself into a Committee on the Bill. – [Mr Desmond Lee.]
Bill considered in Committee; reported without amendment; read a Third time and passed.