Cybersecurity Bill
Bill Summary
Purpose: The Cybersecurity Bill aims to establish a legal framework for the proactive protection of Critical Information Infrastructure (CII) across 11 essential sectors, empower the Cyber Security Agency of Singapore (CSA) to respond to cybersecurity threats, and introduce a licensing framework for specific cybersecurity service providers to ensure service quality and security.
Key Concerns raised by MPs: Mr Zaqy Mohamad highlighted the growing threat of digital sabotage by both private and state actors, noting that such attacks on essential services are increasingly used to disrupt economies and demoralize citizens.
Responses: Minister for Communications and Information Assoc Prof Dr Yaacob Ibrahim justified the Bill by pointing to the rising frequency of global cyberattacks on healthcare and power grids, explaining that existing laws are insufficient for proactive infrastructure protection and that a coordinated, multi-sector regulatory approach is necessary to safeguard Singapore's digital economy.
Transcripts
First Reading (8 January 2018)
"to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate owners of critical information infrastructure, to regulate cybersecurity service providers, and for matters related thereto, and to make consequential or related amendments to certain other written laws",
presented by the Minister for Communications and Information (Assoc Prof Dr Yaacob Ibrahim); read the First time; to be read a Second time on the next available Sitting of Parliament, and to be printed.
Second Reading (5 February 2018)
Order for Second Reading read.
1.25 pm
The Minister for Communications and Information (Assoc Prof Dr Yaacob Ibrahim): Mr Speaker, Sir, I beg to move, “That the Bill be now read a Second time.”
Digitalisation has opened up new possibilities to enhance our modern lives, but it has also exposed us to cybersecurity threats. In recent years, we have not only seen an increasing number of cyberattacks worldwide, but also a wider range of targets, including individuals, large organisations like Equifax, and Government agencies.
Singapore remains an attractive target to attackers because of our high dependence on Internet-based transactions. In 2017 alone, we saw attacks against our Government agencies, universities, financial institutions, both large and small enterprises, and individuals who had their computers locked by ransomware.
Protection against cyberattacks needs to start with organisations and individuals taking responsibility for the cybersecurity of their own computer systems. However, it is also important for us to work collectively, especially in protecting our essential services, against cyberattacks. As we have seen in other countries, such cyberattacks can have a debilitating impact on the economy and society: (a) last year, the United Kingdom's (UK’s) National Health Service (NHS) had to cancel at least 6,900 appointments due to the WannaCry ransomware attack; (b) in the Ukrainian capital of Kiev, the power grids were hacked twice by cyberattackers in 2015 and 2016, leading to power disruptions that affected over 200,000 citizens during winter; and (c) in 2015, a massive cyberattack that reportedly intended to destroy important national communication channels took the French television (TV) network, TV5Monde, off the air for several hours.
Computer systems directly involved in the provision of essential services are termed Critical Information Infrastructure (CII). There is an urgent need for the Government to be more actively involved with the CII owners in defending against cyberattacks.
We have identified CII in 11 sectors: Energy; Water; Banking and Finance; Healthcare; Transport, which includes Land, Maritime and Aviation; Infocomm; Media; Security and Emergency Services; and Government.
Even with efforts to protect CII, we cannot expect to detect and foil every cyberattack. This is why it is also necessary to investigate cybersecurity threats and incidents, and to mitigate the consequences of successful attacks.
Currently, section 15A of the Computer Misuse and Cybersecurity Act (CMCA) empowers the Minister for Home Affairs to issue a certificate to authorise or direct a person or an entity to take measures to comply with requirements necessary to prevent, detect or counter a threat to any class of computers or computer services, if the Minister is satisfied that it is necessary to do so for the purpose of preventing, detecting or countering any threat to the national security, essential services, defence or foreign relations of Singapore. However, CMCA, which mainly deals with cybercrimes, such as the unauthorised access of computer material, does not provide a regulatory framework for the routine and proactive protection of CII.
Therefore, the Cybersecurity Bill seeks to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore, with an emphasis on the proactive protection of CII against cyberattacks. The Bill has three key objectives: (a) to strengthen the protection of CII against cyberattacks; (b) to authorise the Cyber Security Agency of Singapore (CSA) to prevent and respond to cybersecurity threats and incidents; and (c) to establish a licensing framework for cybersecurity service providers.
Parts 3 and 4 of the Bill set out a framework for CSA to request cybersecurity information on CII and during investigations of cybersecurity threats and incidents. The Bill protects such information by requiring specified persons who obtain it when performing their functions or discharging their duties to keep it confidential, and by specifying the circumstances where it can be disclosed.
The Cybersecurity Bill does not provide powers to prosecute cybercriminals. CMCA and other relevant legislation will continue to govern the investigation and the prosecution of cybercrime perpetrators and the detection and apprehension of such offenders.
The Bill is intended to apply concurrently with other laws and regulations enacted in Singapore, including existing sectoral laws. In formulating this Bill, the Ministry of Communications and Information (MCI) and CSA studied cybersecurity legislation which other countries, such as Germany, Estonia, the United States (US), Thailand and Vietnam, have implemented or are considering. These laws cover areas, such as imposing obligations on CII owners to protect their CII, requiring cybersecurity audits to be conducted, making the reporting of cybersecurity incidents mandatory, encouraging companies to share cybersecurity information with the Government, prevention of cybersecurity attacks and, finally, industry regulations. Our Bill is in line with these international developments.
We also consulted industry associations, cybersecurity professionals, sector regulators, potential key CII stakeholders and the general public. In response to requests for more time to provide feedback, we extended our public consultation to six weeks. Respondents were generally supportive of the Bill. They shared the Government’s concerns on cybersecurity threats and the impact of cyberattacks on Singapore. Respondents also provided useful feedback that allowed us to identify aspects of the Bill that could be refined when drafting the Bill, including simplifying the licensing framework. I would like to thank all respondents for their feedback and suggestions.
Sir, allow me now to go through the key proposals of the Bill.
Clause 4 of the Bill allows the Minister-in-charge of Cybersecurity to appoint a Commissioner of Cybersecurity to administer the Bill. This appointment will be held by the Chief Executive of CSA. Today, CSA works with sector regulators to coordinate cybersecurity efforts to protect CII within their respective sectors. The sectors have varying levels of cybersecurity readiness, and sector regulators have varying legislative powers to regulate CII within their sectors on cybersecurity matters. The Cybersecurity Bill will provide CSA with the necessary powers to proactively protect our CII and respond to cybersecurity threats and incidents.
Clause 4 allows the Minister to appoint Assistant Commissioners (ACs) to assist the Commissioner to oversee and enforce cybersecurity requirements on the CII owners. The intention is to appoint senior officers from sector regulators as ACs to perform this role in respect of CII in their respective sectors. This is because such officers understand the unique contexts and complexities of their sectors and will be best placed to advise the Commissioner on the necessary requirements so as to strike a balance between their sectors’ operational needs and national cybersecurity considerations.
Clause 7 allows the Commissioner to designate as a CII any computer or computer system that is necessary for the continuous delivery of an essential service set out in the First Schedule, and whose loss or compromise will have a debilitating effect on the availability of the essential service. This clause also requires the Commissioner to inform the CII owner how he can submit representations against the designation.
CSA has worked closely with sector regulators to identify the list of essential services as set out in the First Schedule. An essential service is defined in clause 2 as any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. New essential services may be added from time to time to the First Schedule by the Minister exercising powers under the Bill if necessary.
The Bill will require CII owners to comply with statutory obligations to ensure the cybersecurity of their CII. All owners of CII, whether from the public or private sector, will be subjected to the same statutory obligations under the Bill. These obligations include furnishing primarily technical information relating to CII (clause 10); complying with codes of practice and standards of performance (clause 11); complying with written directions (clause 12); informing the Commissioner of the change in the ownership of CII (clause 13); reporting cybersecurity incidents in respect of CII (clause 14); conducting cybersecurity audits and risk assessments of CII (clause 15); and finally, participating in cybersecurity exercises (clause 16).
No action under the Bill will be taken against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder. Non-compliance with CII-related obligations under Part 3 of the Bill will be an offence. The maximum penalty is $100,000, or two years’ imprisonment, or both.
CII owners who disagree with particular decisions of the Commissioner, such as the CII designation, may appeal to the Minister. This is provided for in clause 17.
To strengthen CSA’s ability to prevent and respond effectively to cybersecurity threats and incidents, Part 4 of the Bill empowers the Commissioner to investigate cybersecurity threats and incidents. These powers in clauses 19 and 20 are calibrated according to the severity of the cybersecurity threat or incident and measures required for response. The Commissioner may authorise incident response officers to exercise these investigation powers. In addition, the Minister has powers to require cybersecurity measures under clause 23 for the purpose of countering serious and imminent threats.
The key intent is to provide for powers to respond to cybersecurity threats or incidents affecting CII. But because of the interconnected nature of computer systems, the powers will also be used for investigating major cybersecurity threats and incidents on computer systems that are not CII, for example, large-scale cyberattacks affecting multiple sectors. It is not our intent to use these powers to respond to each and every cybersecurity threat or incident in Singapore, as computer owners are ultimately responsible for the cybersecurity of their own computers.
Clause 19 allows the Commissioner to request persons to furnish specified information that is necessary for the investigation of cybersecurity threats or incidents, for the purpose of: (a) assessing their impact or potential impact; (b) preventing any or further harm arising from the same cybersecurity incident; and (c) preventing a further cybersecurity incident.
The maximum penalty under clause 19 is $5,000 or six months’ imprisonment or both, for offences such as wilfully misstating information or refusing to provide required information without reasonable excuse.
Clause 20 allows the Commissioner to authorise incident response officers to exercise more intrusive investigative powers as are necessary to investigate and prevent serious cybersecurity threats or incidents. For example, the Commissioner may require the owner of a computer to scan the computer for cybersecurity vulnerabilities. Clause 20(3) prescribes a set of criteria for determining what constitutes a "serious" cybersecurity threat or incident, such as when it creates a risk of significant harm being caused to a CII.
The Commissioner may, under clause 20(5), take possession of any computer or equipment without the owner’s consent for the purpose of further examination and analysis, if the Commissioner is satisfied that: (a) this is necessary for the purpose of the investigation; (b) there is no less disruptive method of achieving the purpose of the investigation; and (c) after consultation with the owner, and after considering his business and operational needs, the benefit from doing so outweighs the detriment caused to him.
Such powers are necessary given the potential impact from serious cybersecurity threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and our way of life. The Bill clearly spells out how these powers may be exercised. These powers are calibrated and there are safeguards built into the Bill, such as what I have just described.
The maximum penalty under clause 20(7) is a $25,000 fine or two years’ imprisonment or both, for offences such as failure without reasonable excuse to comply with a direction or requirement of an incident response officer under clause 20(2)(b) or (c).
Clause 23 allows the Minister to authorise or direct any person or organisation to take measures for the purpose of countering serious and imminent threats. Clause 23 is a re-enactment with slight modifications of section 15A of CMCA. This section will be repealed. CMCA will correspondingly be renamed as the Computer Misuse Act, or CMA in short, at the same time that the Cybersecurity Bill is passed. The offences and penalties under clause 23 are the same as those under section 15A of CMCA.
The Bill recognises that information disclosed to CSA under the Bill is often confidential. Information disclosed to CSA may be used to determine if a computer system is a CII (clause 8), technical information relating to a CII (clause 10), or information given pursuant to an investigation into a cybersecurity threat or incident (clause 19 or 20).
Therefore, under clause 43, the Commissioner and other specified persons must preserve the secrecy of information that may come to their knowledge as a result of performing their functions or discharging their duties under the Bill. Such information includes matters relating to a computer system, as well as the identity of persons who furnished the information. It will be a criminal offence under clause 43(4) if specified persons fail to preserve the secrecy of such information or unlawfully disclose such information. The maximum penalty is $10,000, or one year’s imprisonment, or both.
However, clause 43 provides for the sharing of information in certain circumstances, such as for the purposes of prosecution under the Bill, or to disclose to the Police any information which discloses the commission of an offence under CMA.
We recognise other persons may have information on whether CII owners are complying with their obligations specified in Part 3 of the Bill, and we want to encourage the disclosure of such information to the Commissioner. Clause 45 provides for the protection of these informers in relation to proceedings for an offence under Part 3 of the Bill.
As cybersecurity risks become more widespread, the demand for credible cybersecurity services will grow. Some cybersecurity services can be sensitive because the service providers performing them can have significant access into their clients’ computer systems and networks and gain a deep understanding of the cybersecurity vulnerabilities. Such services, if abused, can compromise and disrupt the clients’ operations even after the service provider’s job has been completed. Furthermore, there is asymmetry of information; many organisations, especially smaller ones, may not know which cybersecurity service providers are ethical or offer reliable services.
Part 5 of the Bill provides for a licensing framework for cybersecurity service providers that service the Singapore market. For a start, the licensing framework will be light-touch, in view of the fact that this is a new initiative and there is a need to strike a good balance between industry development and cybersecurity needs. Only providers of two types of cybersecurity services will be licensed, namely, penetration testing and managed security operations centre (SOC) monitoring. These providers have access to sensitive information from their clients, and the services are also relatively mainstream in our market and, hence, have a significant impact on the overall cybersecurity landscape.
Clause 24 requires providers of licensable cybersecurity services that are specified in the Second Schedule to apply for a licence. It will be an offence to provide such services without a licence. The maximum penalty is a $50,000 fine, or two years’ imprisonment, or both.
We do not intend to require companies to be licensed for providing licensable cybersecurity services to their related companies. In addition, the term "cybersecurity service", as defined in clause 2, only covers a service provided by a person for a reward to another person, and excludes a service provided in-house to an employer.
Financial penalties may be imposed under clause 32 for non-compliance with licensing conditions or for other regulatory breaches that are not an offence, such as the failure to keep and retain proper records. The maximum penalty is $10,000 for each non-compliance but not exceeding, in the aggregate, $50,000.
The licensing officer is required under clause 33 to give licensees an opportunity to submit representations before the imposition of financial penalties. Under clause 35, cybersecurity service providers may appeal to the Minister against specific decisions of the licensing officer, such as the refusal to grant a licence and licensing conditions.
Sir, the Government cannot achieve a more secure cyberspace alone. We will partner public and private sector stakeholders in the journey to strengthen the protection of CII. CSA will adopt a deliberate process for the designation of CII across the different sectors, in consultation with their owners and the relevant sector regulators where possible. CSA will also implement programmes to help the sector regulators assist CII owners in getting ready to fulfil their obligations under the Bill.
We will also engage the industry further on the licensing conditions for licensed cybersecurity service providers under clause 27 of the Bill. The licensing framework will be operationalised at a later stage, after the rest of the Bill.
Sir, the Cybersecurity Bill is one part of Singapore's Cybersecurity Strategy to strengthen the nation's cybersecurity posture. With cyber threats growing globally, this Bill is timely to empower CSA to safeguard essential services from disruptions by cyberattacks, prevent and respond to cybersecurity threats and incidents, and to establish a licensing framework to improve the credibility of cybersecurity services in Singapore. Sir, I beg to move.
Question proposed.
Mr Speaker: Mr Zaqy Mohamad.
1.46 pm
Mr Zaqy Mohamad (Chua Chu Kang): Thank you, Mr Speaker, for allowing me to speak on this important Bill. I first have to declare my interest. I work for a firm that provides cybersecurity and risk services.
Mr Speaker, the Cybersecurity Bill is timely, given its focus to strengthen the defences of our essential services and CII from cybersecurity threats from both private and state players.
We have seen growing evidence of how countries are being threatened by digital sabotage which targets essential services to cause disruption to the economy, as well as to confuse and demoralise citizens.
The Ukraine experience, as the Minister has shared earlier on, was one that is almost becoming a cyber-hacking "testbed" for other foreign state actors. On 23 December 2015, the control centres of three Ukrainian electricity distribution companies were taken control of, where malicious hackers opened breakers which caused more than 200,000 households to lose power. Nearly a year later, on 17 December 2016, a single transmission substation in northern Kiev lost power. These instances of sabotage took place on the tail of a political revolution in Kiev and the annexation of Crimea.
While similar attacks have not been shown to be highly-motivated acts of sabotage in Singapore, in September last year, CSA had reported that several critical sectors were subjected to cyberattacks, and that the Singapore Government had been subjected to a malware attack by state-sponsored hackers. We have been fortunate that the recent WannaCry, Meltdown and Spectre malware attacks have not disrupted our essential services.
Nonetheless, these attacks are a clear and present danger to a compact nation like Singapore, where a politically or militarily motivated actor can use cyber warfare to sabotage our critical infrastructure and economy. Current international laws have not been effective in addressing cross-border hacking and state-sponsored attacks. In most cases, agencies have had difficulty pinning down hacking incidents to individuals or governments.
I believe the Cybersecurity Bill is a good start for Singapore to ensure that our essential services and sectors are well-protected and defended to prevent criminals or state players from threatening our economy and our way of life.
I welcome that this Bill looks into proactive measures to make owners of CIIs more accountable for reporting and the security readiness of their CIIs. It is important that relevant stakeholders provide timely reports of attacks, and I fully support that the CSA drive industry-wide knowledge sharing and push for effective cyber defence measures.
Countries, such as Germany, Japan and the US, have already enacted cybersecurity legislation. In the Association of Southeast Asian Nations (ASEAN), Thailand and Vietnam are also considering similar legislation. Thus, this Bill is a timely reflection of our commitment to securing our nation and our status as a top-tier international hub and financial hub.
From the view of the industry, one of the key concerns will be whether the cost of compliance and the costs of systems upgrades will be significant. Consumers will also be concerned if these additional costs will be passed on to them, as many of these CII owners provide essential services, such as transport, water, electricity and communications.
We must strike a balance to protect our national and citizens' interests but yet be clear on what security standards and architectures that CIIs need to comply with, so that the costs incurred in upgrades and security operations will not overburden industry and consumers. The cyber arms race is not about to recede and will only intensify and hackers will continue to try to find weaknesses in systems to exploit. In this regard, I would like to make some suggestions.
One, it will be ideal if CSA can take the lead, together with the sector regulators, to set industry-wide leading practices, shared services and threat intelligence, so that CII players can achieve security readiness in a cost-efficient manner and yet be effective in deterring and responding to security threats.
Two, this Bill will drive greater accountability from the CII owners, and failure to comply with this new law will be criminal in nature. I support the need to make the owners of the CIIs accountable, but I hope that CSA will be very clear on the benchmarks or, if appropriate, security architectures that CII owners need to comply with upfront. This will also help the relevant CIIs to plan their security roadmap effectively and better understand the investments they need to make. Otherwise, the industry risks putting in piecemeal measures that could be costly. It would also not be good if CII owners take a reactive approach, only waiting for audit results and taking action only when told from time to time that they need to comply with them. Under the law, they will only be criminally penalised when they have not complied with a directive from the Commissioner. This may be too late if an incident happens. So, will the Ministry be providing the CIIs with specific benchmarks they need to achieve or a checklist of cybersecurity measures that need to be in place?
Three, I would like also to suggest that the Ministry and the sector regulators consider funding R&D for cybersecurity technology and operations centrally or within sectors. The involvement of CSA and sector regulators can catalyse CII operators to share findings and insights to accelerate cybersecurity enhancements. There are many common insights that could be derived from research and leading practices within specific sectors. This will help CII operators develop quicker and more effectively.
Mr Speaker, since 2015, the Ministry has been doing public and closed door consultations. I would like to ask the Minister, through the consultation exercises, whether the Ministry has performed an assessment of the readiness of the current CIIs in the various essential services sectors to comply with CSA's security requirements. Has the Ministry estimated how much it will cost for the CIIs to comply with the Cybersecurity Bill's requirements? What is the timeline that CIIs have come back that they need to get fully ready and compliant?
Under the Cybersecurity Bill, the Minister, the Commissioner and his deputies are given the authority to investigate and get CIIs to disclose information to assist with investigations. Citizens will be concerned that, as part of investigations, the authorities may need to access data residing within the CIIs and this may breach the privacy of individuals. What are the safeguards put in place to ensure that the broad investigation powers under this Bill do not invade the privacy of individuals and consumers?
Mr Speaker, under this regime, the Cybersecurity Bill will complement CMCA, which will be renamed CMA. What is the rationale for keeping the Acts separate, as they both deal with essentially cybercrime? How would enforcement operations be divided across the two pieces of legislation to deal with cybercriminals involved in attacks, such as ransomware, malware or Distributed Denial of Service (DDoS) attacks? The same crime can technically be applied across both critical infrastructure and non-critical, common information technology (IT) systems. So, is there a duplication of effort or duplication of resources? What features under the new Bill will enable our agencies to better address crimes arising from overseas actors as well?
Currently, the CIIs are defined based on systems located here in Singapore. Given that some CII operators may use technologies, such as cloud services or outsourced managed services based overseas, how does the regulator plan to designate these systems as CII, as the data and application may not reside, wholly or in part, in Singapore?
Mr Speaker, the Bill will put in place a licensing regime for providers of penetration testing and managed SOC monitoring services. I support this initiative as it will put in place a credible ecosystem to support our CIIs. This will also encourage our service providers to be better trained and specialised to meet the standards required by the regulators. However, I would like to seek clarity from the Minister on why CSA only registers companies and does not allow for the licensing or registration of individuals. In this emerging field of cybersecurity, there are many global experts, or even white-hat hackers, whose expertise may be useful as freelancers to advise CII owners. Why does the Ministry not consider allowing individuals to be contracted by the CII owners?
From a manpower perspective, Mr Speaker, cybersecurity resources are in demand today. How is the Ministry planning to uplift the capabilities that we have to fulfil demand once the Bill comes into force? Do we have a significant capability gap today and how long does the Ministry estimate for us to fulfil this gap?
I would like to suggest that the Ministry put in more resources to build up cybersecurity capability that will help CIIs fund training and international exposure for their personnel for security training. The Ministry may also wish to facilitate manpower exchanges with leading technology research labs or CIIs overseas with leading practices. Some of the CIIs named are in sectors that are facing slowdown and may find it difficult to prioritise funds for this in the short term. Such a capability fund can help adoption, especially within the immediate future.
Mr Speaker, the defence of our nation, our people and its economy needs a new approach in this digital age. Countries have the ability to combine conventional and cyber tactics to weaken an opponent's defence by disrupting its essential services and its economy, and also to maximise confusion and uncertainty using both simple and sophisticated technologies in innovative ways.
This Bill is timely to stress the importance of strengthening our CIIs in the interest of national security. We have been developing our Total Defence capabilities across five pillars – military, civil, economic, social and psychological defence. It has worked for us for several decades. In this digital era and considering the emerging threat of hybrid warfare, it may be time for the Government to update our approach. Perhaps, it may be time to add a sixth pillar to our Total Defence framework in the area of cybersecurity or digital defence to counter the new threats in this digital era. Mr Speaker, I support this Bill.
Mr Speaker: Mr Pritam Singh.
1.56 pm
Mr Pritam Singh (Aljunied): Mr Speaker, this is a significant Bill which establishes a framework for the oversight and maintenance of cybersecurity in Singapore. Its ambit and reach are understandably wide in view of the reliance both the public and private sectors, including individuals, place on computer programmes, systems and services, and the devastating prospect of debilitating cyberattacks on critical sectors of the economy.
More specifically, the loss or exposure of private information may also erode trust in the Government, statutory agencies and private companies as the release of such information in the public realm can seldom ever be completely reversed.
I understand the Bill has received significant feedback from industry with an excess of 60 companies, many of them large corporates, and separately, a healthy number of industry associations – not forgetting civic-conscious and interested individuals – providing feedback to the Ministry on this Bill. For that reason, my clarifications will be limited to the Bill's broad principles and impulse, centring on queries that pertain to the operation of the envisaged Cybersecurity Act in practice.
The first clarification pertains to clause 7 of the Bill covering companies and entities that host CII that are partly located overseas for business reasons or simply logistical convenience. As a part of a Singaporean entity's CII ecosystem may be located overseas, how does the Bill ensure that this bifurcation does not render a particular CII susceptible to compromise or cyberattacks since CII computers and computer systems based overseas are not covered by this Bill?
Separately, in light of the feedback received, how common are such hybrid arrangements amongst public and private sector CII owners and is the Ministry concerned that some entities may seek to locate some elements of their CII overseas to hedge against the reach of the Act and, as a consequence, compromise its regulatory reach?
I have a similar clarification with regard to ownership of a CII, particularly if the owner is an offshore entity or individual. What regulatory oversight will the Bill realistically have over CII owners who operate outside our jurisdiction, and would this not represent a loophole?
Secondly, I seek some clarity on the compliance costs that are likely to result for both public and private sector entities as a result of this Bill. Feedback on such costs was received by the Ministry and there was a suggestion that grants should be extended to help organisations offset these costs. Can the Minister give us some sense or an estimate of the dollar value of the compliance costs of the Cybersecurity Bill with regard to, for example, CIIs in sectors referred to in Schedule 1 of the Bill – perhaps those covering the Civil Aviation Authority of Singapore (CAAS), the Public Utilities Board (PUB) and some public hospitals? Finally, how much would be set aside in the Budget for grants arising out of an increase in such compliance costs?
Thirdly, I understand from feedback to the Ministry that there was some concern about what constituted a significant security incident. The language of the Bill in clause 14 focuses on prescribed incidents, suggesting that subsidiary legislation will clarify such words and terms. As the Bill imposes a duty on owners of CII to report incidents, can the Minister give the House a general sense, with examples, of the specific thresholds of hypothetical incidents which may require reporting under the Bill?
With this as a backdrop, can the Minister also share with Parliament what punishment would be effected by this Bill against a company like Uber – assuming it is a CII – which caused the compromise of personal information, such as names, email addresses and personal contact numbers, of close to 380,000 Singaporeans and tried to conceal the same, as reported in November last year? How far does this Bill go to take a CII owner to task for non-reporting should a similar Uber-like episode occur after this Bill becomes law?
What other actions would the Government consider against entities that are negligent in securing their computer systems, particularly if such an incident is aggravated through willful concealment?
Fourthly, clause 19 of the Bill gives extraordinarily broad powers to the Commissioner of Cybersecurity and his officers to investigate cybersecurity threats and incidents against companies, entities and even individuals with respect to any computer or computer system in Singapore, not just CIIs. The ambit of these powers is best exemplified by clause 19(1)(a) of the Bill, which gives the Commissioner and any authorised officer the power to remove or make copies of a hard disk, for example, even if it is only to assess the impact or potential impact of a cybersecurity threat. Non-compliance carries with it a fine of up to $5,000 and/or an imprisonment term of up to six months.
For avoidance of any doubt, notwithstanding the remarks in the Report on Public Consultation on the draft Cybersecurity Bill where it was stated that such powers are to be applied in a calibrated manner and, more importantly, in response to major cybersecurity incidents against non-CIIs, can the Minister confirm the envisaged threshold of what qualifies as a major incident, so that the House is reassured that the Commissioner's powers will be used very judiciously and not against Government critics and individuals?
Coming back to the Uber example, does the Government foresee using such powers against foreign companies that operate in Singapore?
To conclude, Mr Speaker, I am concerned about how much Singaporeans are actually aware of their online signature and the importance of cybersecurity. While we seek to protect key infrastructure against cyberattacks, every Singaporean, who uses his or her smartphone to pay for goods and services or uses it as a social engagement tool, is susceptible to cyberattack or hacking. This prospect is likely to increase as Singapore undertakes its Smart Nation drive with more focus and coordination.
The CSA is in a privileged position to educate Singaporeans on security tips as we transition to a more cashless economy and live online, as many of us already do. What measures can Singaporeans look forward from the Government to protect them from cybersecurity threats in our Smart Nation journey? Mr Speaker, notwithstanding the clarifications sought, I support this Bill.
Mr Speaker: Mr Christopher de Souza.
2.02 pm
Mr Christopher de Souza (Holland-Bukit Timah): Mr Speaker, Sir, the Cybersecurity Bill is a forward-looking piece of legislation that ensures that our laws keep pace with the threats that we face as a nation.
The year 2017 has been called the Year of the Data Breach. Even within the first six months of 2017, the number of records stolen in breaches numbered almost two billion – even more than the whole of 2016, which was 1.4 billion. New malware samples reached an all-time high of 57.6 million in the third quarter of 2017, according to McAfee Labs Threat Report December 2017.
This is not just a matter of privacy or lost personal data – there are financial, security, proprietary interests at stake. A class action suit was initiated in the US last year against Equifax for data breach. They alleged that criminals used the stolen data to "apply for mortgages, credit cards, student loans, tap into bank debit accounts, file insurance claims and rack up substantial debts." Stolen identity also poses an international problem, a terrorist problem. Last month, Thai police arrested a man who allegedly forged passports, including Singapore passports, for groups, including a terrorist group.
Furthermore, breaches in cybersecurity can have debilitating effects on essential services. WannaCry, the first ransomware worm, crippled the healthcare system in England. It "shut down computers in more than 80 NHS organisations in England alone", cancelling almost 20,000 appointments in an appointment-based healthcare system, five hospitals resorted to diverting ambulances, unable to handle any more emergency cases. So, what we are debating today is serious.
WannaCry was a ransomware worm and, by "worm", we are talking about a malware programme that is able to self-replicate to infect other computers and infiltrate through the connections in a computer network. The NotPetya in Ukraine, which utilised a hacked version of a major accounting programme widely used in Ukraine, affected companies in many different sectors, from shipping to pharmaceuticals and to outside Ukraine through multinational companies. Worse still, NotPetya encrypts files with no chance of recovery, that is, it was not a ransomware.
Stuxnet, a different computer worm, caused a proportion of machinery in Iran’s nuclear facility to spin out of control in 2010. This cyberattack was executed through infected Universal Serial Buses (USBs), overcoming the "air gap". Since then, new methods to jump over an air gap have emerged. No sector has been spared cyberattacks, with commercial and healthcare sectors targeted the most.
This threat is not something remote to Singapore. The threat is real and palpable. Although Singapore’s critical infrastructure was not hit by WannaCry, Singapore malls were among the victims of that ransomware.
Within the past five years, there were notable occasions of security breaches. In 2014, Singapore’s Ministry of Foreign Affairs' IT system was breached. One thousand and five hundred SingPass users' IDs and passwords were reported to be potentially compromised and illegally accessed. In 2017, 850 Ministry of Defence (MINDEF) personnel’s National Registration Identity Card (NRIC) numbers, birth dates and telephone numbers were stolen following a cyberattack. Additionally, the National University of Singapore (NUS) and the Nanyang Technological University (NTU) reported an attack by "advanced persistent threat" (APT) actors that sought to "steal research and Government-related information."
These and many other instances are like red, flashing lights warning us to be vigilant. So, I concur with Minister Yaacob Ibrahim's point that we need to act and we need to act now.
Cybersecurity threats are nearer than we think. They could hit us faster than we can react and they could hit us harder than we can imagine. Therefore, this forward-looking Bill goes upstream to secure our information infrastructure through preventive and reactive compliance, so as to give us the upper hand and arsenal we can deploy against those who seek to do us harm.
Some key features of this Bill’s regulatory framework include: (a) reporting and investigating of breaches to facilitate damage control and prevent future occurrences under clauses 14, 19 and 20; (b) licensing of cybersecurity service providers in Part 5; and (c) regular auditing under clause 15 to ensure compliance and accountability. To facilitate accountability and promote compliance, clause 45 protects informers’ identities.
In today's age of technology, more infrastructure is being built, not from concrete and steel but, rather, in the realm of intangible cyberspace. This trajectory is bound to continue as Singapore moves toward being a "Smart Nation". Some of the future initiatives announced recently include digitalising of healthcare records even at the level of a private general practitioner (GP) through the National Electronic Health Record (NEHR) and the promoting of cashless payments.
As we seek to increase leveraging the conveniences and prowess of modern technology, it is critical that we protect and prevent attacks and crises from threatening our cyber infrastructure. The important place they have in the running of our country is reflected in this Bill’s designation of CII. This designation spans 11 broad areas of essential services set out in its First Schedule.
Cybersecurity in a computer network would only be as strong as the weakest link. A single vulnerability may be exploited to infect other areas and other computers in the network. Since computer networks extend beyond territorial boundaries and cyberattacks know no physical boundaries, clause 3 of this Bill extends regulation to computer networks that are wholly or partly in Singapore.
This Bill has been carefully calibrated for a consistent framework over the different sectors yet providing space for flexibility for purpose-oriented, sector-suited rules and practices. For example, the Commissioner’s written directions may be issued to a class of CII owners under clause 12(1); the Commissioner to direct more frequent audit above the two years "in any particular case" under clause 15(1)(a).
The Bill also provides for flexible codes of practice under clause 11 to be promulgated to promote best practices in cybersecurity. It is important that this regulatory skeleton provides sufficient flexibility to accommodate for changes in the realm of cyberspace and allow for careful calibration of regulation in the future. If there are too many regulations, the higher threshold to entry may perhaps shrink our well of cybersecurity expertise to draw from, harming our cybersecurity resilience, for example, through an over-reliance on a single provider which may multiply knock-on effects of a breach. Hence, the regulatory framework, in my view, needs to remain flexible for future refinement of regulatory controls.
This flexibility is especially crucial because technology is an ever-evolving landscape. Cybersecurity depends on innovation to keep up, keep ahead and remain effective. Recently, MINDEF invited white hat hackers to hack into MINDEF’s Internet-facing domains. This method of exposing vulnerabilities maximised the talent pool available locally and overseas. The non-prohibitive cost was estimated at $100,000, compared to up to a million dollars for hiring a dedicated vulnerability assessment team. This is attractive fiscally. Would the Minister clarify how this Bill would affect non-mainstream methods of strengthening cybersecurity, such as white hats?
In this fast-changing technology-connected world, this Bill provides the preventive complement to the deterrent CMCA. It is a complement to that Act. It places our country to better respond to, prevent and secure the integrity of our computer systems through a strong, yet flexible, regulatory framework. For these reasons, Mr Speaker, I strongly support the Bill.
Mr Speaker: Ms Thanaletchimi.
2.12 pm
Ms K Thanaletchimi (Nominated Member): Mr Speaker, Sir, I stand in support of the Bill. It is, indeed, a step in the right direction in light of more and more sophisticated cyber threats which have crippled a country's CII, such as that which happened to the NHS in the UK, as the Minister has alluded to. The terrible impact of the cyberattack devastated hospitals and GP clinics in the UK. Its Cyber Security Centre was working round the clock to bring its systems back online when this attack resulted in surgeries being cancelled, ambulances being diverted and patient records missing after it became the highest-profile victim of a global ransomware attack and was faced with renewed concern about the strength of its infrastructure. This malware blocks access to any files on a PC until a ransom is paid.
This could have been a situation in Singapore if we are not better prepared. The concern over cybersecurity becomes more imminent with the Ministry of Health’s (MOH's) direction to move into NEHR for patients, which is an excellent initiative. With access to one patient record across public and private healthcare sectors, framework, structure, audits, cybersecurity governance and oversight, including educating the stakeholders and providing relevant continuous training, becomes paramount.
Our country’s information infrastructure has to be protected and well-preserved from infiltration and attack in the name of cyber-terrorism. The special focus of the 11 key sectors, such as Government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime, demonstrates the critical nature of the sector that could cripple the entire Singapore in terms of economy and threaten our lives to its devastation.
With this as backdrop, I am, indeed, heartened to see the Government’s inclusive effort to garner stakeholders’ feedback and support on the Cybersecurity Bill. It is, indeed, notable that the public consultation on the Bill, which was originally scheduled from 10 July to 3 August 2017, was extended to allow respondents more time to provide feedback on such an important Bill that is pertinent to safeguarding the people of Singapore in all aspects.
The importance of working with the various stakeholders cannot be over-emphasised and it is equally pertinent to ensure the relevant sectors work closely with one another to implement the intricacies of the Bill and to ensure the proposed requirements are adhered to. I believe implementing it would be more challenging than enforcing the Bill.
Licensing cybersecurity service providers may not be a popular move but a necessary one to ensure that they meet the security needs. In this regard, I would like to propose the following suggestions for consideration.
There needs to be a structured means of briefing the companies, especially small and medium enterprises (SMEs), on guidelines to encourage them to adhere to the cybersecurity measures. SMEs may not have the resources and capabilities to adhere to the measures, unless they are given the impetus and financial support to put in place the necessary requirements. They may also need borrowed expertise to put in place the secured means of protecting information as they serve as a third-party vendor to some clients. It would be good for the Government to grow and provide a pipeline of those talents to assist these companies which will need them.
In the areas of training, the Government may consider grants to encourage individual personnel to take up cybersecurity courses or programmes to refresh their knowledge and to be updated on the latest advancements, as the industry transforms rapidly. This can be tied to SkillsFuture cybersecurity upskilling grants.
To enhance governance and oversight, it would be worthy to introduce an accredited framework for auditors to perform checks and provide guidance or advice on what companies can do to have a more secured portal. Establishing a national cybersecurity audit to check on the stakeholders of the 11 sectors will provide a high level of assurance for those who engage in services in the specific sector.
An effective communication mechanism or efficient connectivity to promptly inform stakeholders and companies of the specific sector or sectors that could be potential targets, and how to take timely precautions, will serve as a preventive means.
Companies or individuals who are proven to have unintentionally violated the requirements in the Bill should be made to go through relevant cybersecurity programmes, and this should be made compulsory. In fact, it would be useful to ensure that all staff of the industry be made to attend awareness programmes in this field, so as to better protect the critical information.
Sir, I fully support the Bill that raises the level of resilience in our efforts to prevent and combat global cybersecurity attacks that periodically threaten us, especially when we least expect them.
Mr Speaker: Assoc Prof Daniel Goh.
2.17 pm
Assoc Prof Daniel Goh Pei Siong (Non-Constituency Member): Mr Speaker, Sir, this is an important Bill that sets up the regulatory framework to protect Singapore from the increasing threat of cyberattacks. The extensive commentary and feedback received during the public consultation for the Bill show that the public recognises the importance of cybersecurity. In the responses to the feedback, we can also see the Government trying to balance the compliance burden on business with the necessary measures to protect the economy from cyberattacks.
Singapore’s cybersecurity strategy is a correct approach taken for a global city that depends on openness and connectedness to the world for its proper functioning. This approach can be described as a whole-of-Government approach that places public-private collaboration at the heart of the strategy with a strong future-oriented plan for capacity development and for value addition to the economy. This Bill is an integral part of the strategy and expresses the strategy’s approach.
I have three sets of clarifications for the Minister. The first set is more general and has to do with the strategy and its implementation; the second, on the scope of the Bill; and the third, on the specific provisions of the Bill.
The Paper setting out Singapore’s Cybersecurity Strategy was published more than a year ago in October 2016. The strategy has four pillars: building a resilient infrastructure, creating a safer cyberspace, developing a vibrant cybersecurity ecosystem and strengthening international partnerships.
I was rather surprised that there is very little mention of MINDEF in the Paper. It was mentioned once in the Paper when it was noted that MINDEF formed part of the National Cyber Incident Response Teams with CSA, the Government Technology Agency (GovTech) and the Ministry of Home Affairs (MHA). These teams are part of the plan to respond to Tier 1 cyber campaigns threatening national security and Tier 2 cyberattacks on a sector.
MINDEF is a 4G military force reliant on secure communications and information networks. It should already have well-developed cybersecurity infrastructure and capabilities. It would be a terrible waste if the military applications are not adapted for civilian use. Could the Minister share whether there are plans to synergise and share military cybersecurity knowledge and technology to develop and deepen our civilian cybersecurity infrastructure?
After all, as it is stated in the strategy Paper, cybersecurity is a way of putting Total Defence into action and everyone has a role in creating a safer cyberspace for everyone, and this must include the military. There are two other specific ways that the military could play a key role to realise our cybersecurity strategy objectives. These are already observed in public commentary on the strategy and many have pointed to the Israeli military as a successful example.
First, our military has a peculiar asset: the commitment of tens of thousands of full-time and operationally-ready National Servicemen. This represents a potentially significant investment of time, not only of manpower, but of brainpower, by our highly educated workforce. The time invested could be harnessed to serve both military and civilian cybersecurity needs.
A cybersecurity corps could be formed to train budding IT professionals when they are serving full-time National Service. Deferment could also be considered for these young men to obtain degrees in cybersecurity first, so that they would hone their classroom skills in the military. They could then enter the cybersecurity industry when they become operationally-ready and return to the military with enhanced knowledge and skills during their NSmen call-ups. This is a win-win method to develop a vibrant cybersecurity system for Singapore.
Second, our unique military institution could also be used to foster startups to develop Singapore’s cybersecurity industry. Israel is already ahead of everyone in this game and there are an estimated 420 cybersecurity companies in Israel today, many of which are at the forefront of innovation and exporting their technology. It is now well-known that the Israeli Defence Force acted as the incubator for the startups. We have similar institutional features here, so there is no reason why the Singapore Armed Forces (SAF) cannot also serve as such an incubator. It would be a win for the military and a win for our entrepreneurship sector and economy, too.
I move on now to the second set of clarifications on the scope of the Cybersecurity Bill. The Bill defines "critical information infrastructure" in section 7 as the computer system "necessary for the continuous delivery of an essential service", the compromise of which would lead to a serious effect on the availability of the essential service. Essential service is defined in section 2 as "any service essential to national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule". I am surprised that higher education and research institutions are not listed as essential service in the First Schedule and would like the Minister to clarify why this is so.
There are three reasons why I am surprised. First, it was reported that the NUS and NTU both suffered separate cyberattacks in April last year. It appeared to be the work not of casual hackers but of carefully planned, sophisticated cyberattacks that might be aimed at stealing information related to the Government and research. This is an extreme cyberattack scenario which this Bill is aimed at defending against. If our top public universities are being targeted by organised hackers, who could not be named by CSA for operational security reasons, and they were going after some precious information which, again, CSA could not reveal for security reasons, then there must be critical information residing in our universities and research institutions.
Second, of course, a sophisticated, targeted cyberattack on our universities does not mean that the service provided by the universities is essential, as defined in the Bill. I am, however, inclined to argue that there is a lot of research that is going on in our universities and other associated research institutions that has to do with the continuous delivery of essential services. The theft of information related to these research projects could lead to cyberattacks or other forms of attack that could seriously affect the availability of essential services. I would like to ask the Government, therefore, to review whether the computer networks for research related to essential services, especially Government-linked research projects, should also be considered as CIIs.
Third, our universities are central to cybersecurity innovation and training. In the Paper outlining Singapore’s Cybersecurity Strategy, four of our six autonomous universities are named as playing key roles in fostering cutting-edge research and development (R&D) and talent development. It is in the vision that each of the six universities would become a "cybersecurity centre of excellence" developing its own area of specialisation. The training of our cybersecurity workforce is also entrusted to the universities. The Singapore Institute of Technology (SIT) and the Singapore University of Technology and Design (SUTD) offer Bachelor and Master's programmes in cybersecurity. What this means is that there is a lot of meta-information on cybersecurity residing in our universities. The theft of this meta-information could compromise the general resilience of our cybersecurity infrastructure or that of specific CIIs.
I move on finally to the third and last set of clarifications that have to do with the duty to report cybersecurity incidents, as specified in section 14. I have two points of clarification for this. The first is specific to section 14, and the second has to do with cybersecurity incident reporting in general. First, section 14(1)(b) specifies that the owner of a CII must notify the Commissioner of a cybersecurity incident in any computer or computer system under the owner’s control that is interconnected with or that communicates with the CII. This seems onerous, and yet, limiting.
It is onerous because it enlarges the scope of regulation beyond the CII into a far larger field of secondary computer systems. For the owner of a CII, this would mean the requirement of detection mechanisms in secondary computer systems. Yet, section 14(2) is not clear whether it is a legal requirement.
Would the Minister clarify whether it is a requirement for the owner of a CII to install detection mechanisms in secondary computer systems interconnected with the CII? Would the Minister also clarify whether this reporting requirement is, indeed, onerous, especially since MCI and CSA’s response to feedback during the consultation on the draft Bill stated that "computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs", implying that the regulation would be more narrowly scoped.
Yet, section 14(1)(b) is limiting, if the intention is to protect the CII from cyberattacks in adjacent interconnected computer systems, as the clause is now worded to limit regulation to only secondary computer systems under the owner’s control.
I would like to ask the Minister to clarify what "owner’s control" means in real operational terms. What if the secondary computer system interconnected to the CII is not under the control of the CII owner? Does it mean that such a computer system would not pose a risk to the CII? If a secondary computer system not under the control of the CII would still pose a risk to the CII, then why limit reporting to secondary computer systems under the CII owner’s control? If the risk is the same regardless, then why not remove the need to report cybersecurity incidents in secondary computer systems altogether?
My final point has to do with the reporting of cybersecurity incidents beyond the CIIs. Threat reports issued by cybersecurity firms often point to the problem of under-reporting, as many companies and organisations often choose not to report or to reveal the full extent of cyberattacks and data thefts. This is understandable, as sensational news reports of major data breaches would undermine trust in these organisations and affect the bottom line of businesses.
At the same time, it is not viable for these organisations to hide such incidents from view, as it would erode the general resilience of cybersecurity infrastructure in the long run. After all, large-scale organised cyberattacks would likely begin with trial runs of mini attacks on non-critical computer systems. The only way forward might be to legislate mandatory reporting of all cybersecurity incidents to CSA with the assurance of confidentiality and indemnity.
Mr Speaker, Sir, the Cybersecurity Bill is a significant step forward in putting Singapore’s Cybersecurity Strategy into action. I support the Bill. It is an expression of our Total Defence culture. As such, I believe there is a greater role to be played by MINDEF to develop our cybersecurity capabilities and enhance our cybersecurity enterprises.
I also believe that the Government should look more closely at our Institutions of Higher Learning (IHLs) as they have already come under a severe cyberattack and their computer systems contain crucial information related to our essential services and meta-information related to our cybersecurity infrastructure.
Finally, I believe that we need to get the reporting of cybersecurity incidents right and there are kinks in this area in this Bill that the Minister could do well to straighten out.
Mr Speaker: Ms Joan Pereira.
2.28 pm
Ms Joan Pereira (Tanjong Pagar): Mr Speaker, Sir, the Cybersecurity Bill is an important one. It will enhance the oversight and protection of cybersecurity for our CII sectors.
I am heartened to note that we are building up our cybersecurity capabilities on a solid foundation and that the Government has been investing in developing a robust system. Last year, we ranked third globally in terms of cybersecurity spend as a percentage of gross domestic product (GDP) with 0.22%, behind Israel (0.35%) and the UK (0.26%).
However, we can do better to raise our cybersecurity standard. Just last month, the Public Accounts Committee (PAC) reported IT control problems in our public sector due to "agencies not complying with the controls put in place". I agree with the Committee’s assessment that these lapses, which cut across agencies, are significant in view of the IT security threats today.
PAC noted that the Ministry of Finance (MOF) has taken steps to deal with this problem on a whole-of-Government level, including the establishment of an interagency work group. At least one of the lapses originated from an IT vendor, which had been warned.
CSA had clarified in its report on the public consultation on the draft Cybersecurity Bill that "computer systems in the supply chain supporting the operation of a CII will not be designated as CII". However, CSA noted that CII owners have the option to impose cybersecurity requirements contractually on their vendors.
On one hand, I am concerned that this option may result in vulnerabilities. If CII owners choose not to impose cybersecurity requirements on their vendors, how robust will our systems be? Even if they do, will there be checks or audits to ensure our cybersecurity requirements are being met by the engaged vendors?
On the other hand, vendors, some of which are SMEs, may find it difficult to cope with added costs, for example, third-party costs, should they be bound by contractual cybersecurity obligations. Although reporting is compulsory, vendors, especially small ones, may not want to report as that means taking staff away from work to attend to investigations. Small companies are most vulnerable and their vulnerability may impact the CIIs which engaged them due to the sharing of data.
I would like to suggest that the Ministry assist such small companies upstream by providing a pool of trained personnel to look at how their systems can be strengthened. We have to be absolutely thorough to ensure that our systems are not being compromised through such weak links.
I now move on to the point on licensing of individual cybersecurity professionals. Due to concerns that this will pose practical difficulties for global cybersecurity service providers since they deploy employees from different parts of the world to deliver urgent services at short notice, CSA has decided to work with industry and professional association partners to establish voluntary accreditation regimes instead. But I am worried that, without licensing, we may be exposing ourselves to greater risks in the future. How do we minimise such exposures and ensure accountability and traceability?
Similarly, for personnel responsible for cybersecurity, especially senior staff, do we have checks in place to ensure that we recruit suitable persons to make sure that they are of good character with adequate proper training and who upgrade their knowledge continuously?
The cybersecurity sector is evolving rapidly and we must be careful not to compromise Internet and system hygiene in our enthusiasm to support developments and innovations in this area. While interconnectivity provides greater efficiency and productivity, in a way, we have also become more vulnerable and greater care must be taken across all networks. I conclude with my support for the Bill.
Mr Speaker: Mr Ganesh Rajaram.
2.33 pm
Mr Ganesh Rajaram (Nominated Member): Mr Speaker, Sir, I speak in support of this Bill.
Singapore has had its fair share of cybersecurity breaches these past few years. We have heard in this House about the attacks on MINDEF, as well as our two major universities, NUS and NTU. While any cyberattack is of concern, to me, what is most worrying is that the attacks, the likes of those on the Singapore universities last year, were, as the authorities have depicted, carefully orchestrated and specifically targeted. It was not the work of casual hackers.
Mr Speaker, Sir, so far, Singapore has been spared from, at least from what we know publicly, serious breaches that could undermine trust and confidence in our financial systems and national security. But for how long? "We were just lucky", said Mr David Koh, Chief Executive Officer (CEO) of CSA, to explain why Singapore escaped the brunt of global malware attacks like the WannaCry ransomware attack. According to Mr Koh, had these attackers targeted Singapore specifically, the consequences could have been quite disastrous.
This is why this Bill is so important. In a world where nation-state actors are becoming bolder in their cross-border activities, we must ensure that our national security, including cyber defence, can withstand these cyberattacks by enemies we cannot see. Cyber defence has to be a whole-of-country approach. It is not just the Government’s responsibility. It is the responsibility of every single person in this community, from the home owner to the business leader.
Singapore is one of Asia’s major technology hubs. We are very highly connected and, as a result, very vulnerable to cybercrime. Our Smart Nation aspirations will bring many benefits but also many vulnerabilities if we are not vigilant and prepared.
In a recent newsletter, cyber technology company Apvera put Singapore at the top of the list of countries from which cyberattacks could be launched. Just to clarify, this does not mean that Singaporeans are becoming hackers, but rather, we have become the No 1 potential launchpad for cybersecurity attacks because of our location, digitalisation, IT savviness as a people, and the increasing number of cloud-based and virtual servers.
Beyond the provisions of this Bill, Mr Speaker, public education has to be enhanced and ramped up. Last year, CSA commissioned a survey to find out about Singaporean attitudes to cybersecurity and cyber hygiene. Here are some findings.
One in three respondents did not manage their passwords securely. They store them on their computers and they write them down. They also use the same passwords for multiple accounts, for work and personal accounts. One in three respondents did not enable their two-factor authentication. Despite widespread use of cloud storage, mobile and other storage devices, almost half the respondents did not conduct virus scans on their devices and files. More than six in 10 respondents connected to open, non-password protected wi-fi networks in public places. Practices, such as these, pose a substantial risk to the security of their personal information and, ultimately, the cyber communities they are part of.
Mr Speaker, Sir, I would like to commend CSA for launching the "Live Savvy with Cybersecurity" campaign last year, where people from all walks of life learned about cybersecurity threats and cybersecurity hygiene. I would strongly encourage the Government to make these roadshows and campaigns a part of school curriculums right from the first time children use computers in schools. Grassroots clubs and community centres should use this campaign to reach out to the elderly, too.
Businesses should also play their part in bolstering their cybersecurity defence. Too often, CEOs are happy to invest in IT systems only when it adds to their bottom line. Few realise, until it is too late, that IT security will actually protect this bottom line. According to a commentary on channelnewsasia.com last December, the cost of security failure because of cybercrime is projected to grow to over US$2 trillion globally in 2018.
Mr Speaker, Sir, the Government can also do more. Last month, in its review of the Auditor-General’s (AG's) Report for financial year (FY) 2016/2017, PAC cited recurring weaknesses in IT controls as a major weakness. Some of the lapses pointed out by PAC included: user accounts not being properly removed when required, and staff given access to accounts and data that they should not have access to.
What is alarming is that these weaknesses and lapses were pointed out in the past by the AG, and they were still recurring. Though the Ministries concerned have made arrangements to ensure that such lapses do not happen again, this is yet another timely reminder that cybersecurity should not be taken lightly. All we need is just one lapse to bring down the entire system.
Mr Speaker, Sir, let me conclude my speech by reaffirming my strong support for the Bill. We cannot take our security for granted and, in today’s digital world, cybersecurity is as important, if not more important, than military security, as the enemy is invisible and can strike anytime and anywhere.
Mr Speaker: Mr Darryl David.
2.39 pm
Mr Darryl David (Ang Mo Kio): Mr Speaker, Sir, advancements in information and communications technology (ICT) have transformed our society and the way we live, work and play. We are living in an increasingly interconnected world enabled by digital technology, and the inadvertent rise of Internet of Things (IoT) will accelerate our dependency on technology to an unprecedented level in the near future.
Singapore remains one of the most connected countries in the world. Internet penetration rate in Singapore is at 82.2%, much higher than the global average, and 70% of Singaporeans are active on a social media platform, more than double the global average of 34%.
The explosive growth of ICT has ushered in a golden age of digitalisation and has been instrumental in enabling research, applied science, healthcare, transportation and urban development, just to name a few areas. Building upon a robust ICT infrastructure is also the vision of transforming Singapore into a Smart Nation.
Yet, the exponential growth of ICT and our increasing dependency on digital systems have heightened our vulnerability to cyber incidents. These cyber incidents can take the form of cybercrime aimed at siphoning money from corporations and individuals; cyber terrorism and espionage aimed at crippling Government systems and pilfering sensitive information; or even seemingly innocuous cyber pranks that could lead to widespread havoc and social disruption.
In Singapore, our Government systems were also not spared from such incidents. We have heard various Members in the House already referring to the incidents and the attacks carried out against MINDEF and also our IHLs. What is more foreboding is the CSA warning that there has been a consistent and concerted effort to penetrate our Government’s IT system. Thus, the introduction of the Cybersecurity Bill is not only much needed, it is also timely. I do, however, have some points that I would like to raise for discussion and consideration.
Clause 4 of the Bill has vested the Minister with the authority to appoint a Cybersecurity Commissioner and a team of high-ranking cybersecurity officials who have a wide range of duties pertaining to the cybersecurity efforts in Singapore. Although the appointment of the team will help ensure that efforts across Ministries and Statutory Boards are coordinated and policies are implemented consistently, greater clarity perhaps needs to be given on how this jurisdiction will be established.
With the recently established GovTech taking on the role of the Chief Information Officer (CIO) of the Government, and CSA already monitoring cybersecurity, how will the newly established centralised cybersecurity office work alongside these agencies? How can we ensure that there is no duplication of duties and, more importantly, what is the unique value-add that the centralised cybersecurity office will bring to our cybersecurity ecosystem that GovTech and CSA are not already doing?
Part 3 of the Bill has vested the Cybersecurity Commissioner with the authority to designate computers and computer systems as CIIs and empower the cybersecurity office with greater oversight over these systems.
While the Bill has set out some guidelines regarding the criteria of designating CIIs, perhaps more consideration needs to be given also on how the status of a CII is designated and what constitutes the phrase, "essential services". For example, clause 1 in Part 3 of the Bill suggests that a CII can be defined as a computer or computer system that is necessary for the continuous delivery of essential services in Singapore.
Although some services might not be regarded as "essential", they could be considered significant, and any disruption of these entities could have a serious socio-economic impact. Moreover, there could also be private organisations that would require the appropriate assistance, advice and, more critically, protection in this area, too.
On a related note, if an organisation’s computer system, especially a commercial or private one, is designated as a CII, how much access to its database would the cybersecurity office have? For example, if the computer system contains sensitive personal data like health records from insurance companies or investment portfolios from private banks and private organisations, how would cybersecurity be balanced with the intrusion into the privacy of the individual?
I noted that the Minister earlier mentioned that cybersecurity officers are going to be bound by certain very clear guidelines and perhaps even legislation or laws with regard to ensuring confidentiality when they access such information. But I think we cannot deny that there are some potential ethical dilemmas that could arise when cybersecurity officers, in the course of their work, gain access to personal data that contains identifiers when the providers of that information did not give explicit consent for the information to be used or accessed.
While it might not fall strictly under the rubrics of the proposed Bill, how can we provisionally use the Bill to manage the issue of "fake news"? I am aware that the Parliamentary Select Committee will, no doubt, present its views on how the issue of fake news can be tackled in due time but, until then, can we utilise the provisions in this Bill to take action against the perpetrators of fake news?
If someone were to hack into a Government agency’s system and issue falsehoods via the agency’s website or automated broadcast system, then can the Government take issue with the perpetrators for committing a cybercrime and also prosecute them for what their hacking resulted in? For example, if someone hacks into the Singapore Police Force (SPF) website or creates a fake SPF site to spread fake news of terror acts, how would the Government deal with the perpetrators and the ensuing chaos that possibly could result from this cybercrime?
Fake news, as we all know, can lead to widespread panic that erodes the trust in public institutions. So, can the cybersecurity office hold the perpetrators of such cybercrimes responsible for the consequences of their crimes? Or will the crimes fall under other legislation, such as the CMA? And, if so, how can the Cybersecurity Bill complement the legislation under CMA?
Mr Speaker, Sir, advancements in science and technology have always benefited humanity by enhancing conveniences in our daily lives and enabling us to do things that once existed only in our imagination.
At the same time, there will always be deviant individuals who will use science and technology for criminal activities or subversive purposes. Consider how nuclear power has allowed humanity to make significant progress, yet that same nuclear power and capability, in the hands of the wrong individual, can have catastrophic consequences for humanity.
Digitisation and Internet technological advancement are no different. As much as they have tremendous benefits for humanity, there is a dark side to this as well. At best, cyber pranksters can cause widespread inconvenience. At worst, cyber terrorists can cause the deaths of hundreds of thousands, if not, millions of innocents.
I thus believe that it is timely that the Government is taking steps to address the critical issue of cybersecurity and I stand in firm support of this Bill.
Mr Speaker: Mr Azmoon Ahmad.
2.46 pm
Mr Azmoon Ahmad (Nominated Member): Mr Speaker, good afternoon. The Internet has undoubtedly been part of our life, be it at home, at work, or while we play. We use the Internet directly or indirectly, so much so it is almost impossible to live without it – doing research for education, dynamic navigation while driving, exploring new recipes for the next party meal, or even searching for that box office movie. The Internet is now becoming an indispensable part of our daily lives. Our high dependency on the Internet has made it a part of us.
Like many things which are a part of us, it can also be deemed to be private, until when it is violated. Violation of privacy leads to dire consequences. This could mean loss of business, loss of self-esteem for an individual or even loss of life. While we want to believe that the Internet is safe and secure, however, a dark side of it exists and must be managed and controlled.
Mr Speaker, please allow me to share my own personal experience as a victim who was held ransom by a ransomware called "Locky". It happened in April 2016, where my work computer was attacked by a software virus which eventually encrypted and locked all my data files. This resulted in me not being able to open or run any of my files. It was a complete disaster as all my work was stored in the computer. It was also unfortunate that the virus attacked the backup files, both in my computer and the main server.
This eventually rendered me helpless as I could neither provide all the required information, nor could I prepare any information for my potential business acquisition. I felt intruded and my personal space had been violated. Mentally, I felt no difference than a person who had been physically violated.
At this juncture, I wished the authorities could have acted and the culprit be apprehended and be dealt with according to the rule of law. However, this never happened. Eventually, I managed to recover all the attacked files through a third-party overseas service provider, but with a fee of a few thousand US dollars. I felt that I was held ransom and the only way to recover all my files was to pay that ransom fee. This is not right and should never happen at all. However, the truth is: it did not stop. Not only did it not stop, in fact, more and bigger cyberattacks occurred in the preceding years.
Just to give Members some examples. I believe that some of my colleagues had already shared this. In October to December 2013, a cyberattack called "The Messiah" created havoc as several systems and portals were compromised. Users were redirected to suspicious and unknown websites and this undermined the confidence of Internet users. However, fortunately, the culprit was eventually apprehended.
We always thought that our military should be the last place and institution for a cyberattack to occur. Unfortunately, our MINDEF was hacked on 1 February 2017 where details of some of our Servicemen and personnel, including their Singapore NRIC numbers, telephone numbers, and birth dates were leaked.
On 14 May 2017, ransomware "WannaCry" crippled the world for three consecutive days and compromised more than 3,000 systems globally. This was considered as one of the major cyberattacks of the decade.
On 28 June 2017, "Petya", which was considered more dangerous than previously known ransomwares, created havoc as it encrypted the Master File Tree Tables for New Technology File System (NTFS), overwriting the Master Boot Record. It spread through malicious emails with booby-trapped Microsoft (MS) Office document. From there, it downloaded and ran the installer and released the software virus and spread unknowingly. This had a devastating effect as it attacked the purported highly secured Master Files which are the basis of the file structure system.
Mr Speaker, in all the cases highlighted, the cyber intrusion and cyberattack were uninvited and unlawful. It was made with malicious intent with the objective to create havoc and misery to all parties, including individuals, agencies and institutions. It undermined the confidence of everyone. Such acts must never be condoned as it will only lead to unhappiness, anger and loss of faith.
I regard such acts as similar to any physical attack on a person, as the consequence from such attack is dire, if not even more. From mental anxieties for having felt violated in their personal space to loss of valuable data and information on one’s Internet-linked devices, such as a computer, mobile phone and others, becoming a victim of a cyberattack can lead to serious consequences. It could even be far-reaching as the outreach from a cyberattack can be wide and endless.
Mr Speaker, it is always hoped and wished that the relevant authorities would be able to act appropriately and accordingly when such things happen. Thus, the Cybersecurity Bill, which is aimed at establishing a working framework in the management of and in response to cybersecurity threats, is very much welcome. In addition, a regulatory framework over the owners of CIIs and cybersecurity service providers will provide an added boost in ensuring that Singapore has a robust cybersecurity framework overall. It is my hope that the regulatory framework be regularly reviewed with higher frequency and in tandem with the fast-changing Internet landscape. With that, Mr Speaker, I wholeheartedly support the Bill.
Mr Speaker: Mr Henry Kwek.
2.54 pm
Mr Kwek Hian Chuan Henry (Nee Soon): Mr Speaker, I stand in support of the Bill. Members of this House have talked about the possibilities, as well as the dangers, offered by the Internet and we talk a lot about cybersecurity threats. So, I would not repeat those other than to point out the fact that Singapore is no less exposed to such threats.
On the contrary, as the financial services hub and a regional hub to many global corporations, we are among some of the most exposed countries in the world, making us an attractive proposition to hackers from around the world. It is key to see how vulnerable we are.
In a survey done last year by security services provider Quann of 150 senior IT professionals from Singapore, Hong Kong and Malaysia, it showed that 40% do not have an incident response plan when they are facing cyberattacks and 67% of those who had those plans admitted to not practising their incident response plans.
This stands to impact our reputation, credibility and position as a global corporate hub and a regional e-commerce platform. As Chair of ASEAN this year, Singapore has identified our aspirations to push for an ASEAN-wide e-commerce platform. For such an ambitious project, and to protect our business hub status, we need to make sure we have a strong cybersecurity framework and regime. In this regard, I am very supportive of this Bill. However, I would like to ask our Government to share more on an important issue which is: how do we keep watch on the guards?
First, how about the companies we are entrusting to protect the cyber world here? While we have certification regimes to manage such companies and ensure that they meet desirable quality standards, do we know enough about the people who are working in these companies? Do these professionals, who are certified, have a vested interest in Singapore? And what if they have interests that are contradictory to Singapore's? It is certainly not a stretch of imagination that we have foreign interests among our cybersecurity professionals here who may leverage their positions in having access to secret and confidential platforms. As such, I call for three things.
One, more thorough due diligence checks by our cybersecurity agencies on professionals. Two, re-examine the penalties for misuse of access to data, especially if the perpetrators are members of the cybersecurity industry who are supposed to guard the industry. Three, create a certification system that favours cyber professionals who have a vested interest in Singapore, people who have some real roots and deep roots in Singapore, rather than fly-by-night experts who drop by for ad hoc projects whom our laws have difficulty reaching and deterring.
In addition, cybersecurity could be promoted as an engine of growth. Singapore has emerged as a trusted business hub because of our trusted regulations, our strict regulations and because of our people's trusted reputation. Properly executed, Singapore could naturally become a premier trusted business hub for Asia and for the region with regard to cybersecurity.
Can the Government share our plans to grow and internationalise the industry? Can the Government also share more about our manpower plans to prepare Singapore to take part in this exciting development?
In conclusion, while this Bill helps to create a strong cybersecurity regime for Singapore, we must also ensure that we are not caught blind-sided by any unforeseen circumstances, for doing so would be a risk that could prove very costly for Singaporeans in many ways. But if we get this right, it can also create many opportunities for Singapore. Mr Speaker, I fully support the Bill.
Mr Speaker: Order. I propose to take a 20-minute break now. I suspend the Sitting and will take the Chair at 3.20 pm.
Sitting accordingly suspended
at 3.00 pm until 3.20 pm.
Sitting resumed at 3.20 pm
[Mr Speaker in the Chair]
Debate resumed.
3.20 pm
Asst Prof Mahdev Mohan (Nominated Member): Mr Speaker, Sir, I rise in support of this Bill.
In Singapore, there has been a reported increase in the proportion of cybercrimes to overall crimes from 7.9% in 2014 to 14% in 2016. Cases reported under the Computer Misuse and Cybersecurity Act (CMCA) more than doubled from 280 in 2015 to almost 700 in 2016, with ransomware, hacking and the compromise of online accounts, such as Facebook, SingPass and Internet banking accounts, figuring most prominently amongst these. In 2016, the National Cyber Security Command (NCSC) saw cyberattacks of varying impacts across many sectors, including the defence, Government, banking and finance, and healthcare sectors. I, therefore, welcome this Bill.
The omnibus Cybersecurity Bill allows the Minister to appoint a Commissioner of Cybersecurity. The Commissioner is, in turn, empowered to designate a CII.
There have been tweaks, Mr Speaker, since an early draft of this Bill was first released in July last year for consultation. Conducted between 10 July 2017 and 24 August 2017, the public consultation exercise garnered close to a hundred submissions from a diverse range of stakeholders. I must disclose at this point that I was together with other scholars and students of the Singapore Management University, one of the respondents of this consultation exercise. I am, therefore, pleased, Mr Speaker, with what has followed, with the refinements that have been made to this draft Bill and now the Bill before us. In particular, I am pleased in relation to the regime that now governs cybersecurity licensees.
Beyond this, clause 19(6) also suggests and clarifies that a person is no longer obliged to produce to the incident response officer an email infected by a malicious programme or malware if that email contains information that is subject to legal professional privilege. A distinction is made between a non-disclosure agreement which would be a contractual document of privilege, but there is a distinction now being made with legal professional privilege.
Importantly, Mr Speaker, the Bill acknowledges that a compliance-driven approach to cybersecurity should not only be focused on a box-ticking exercise, of getting all the boxes ticked, but one that solves cybersecurity problems creatively and proactively, thereby instilling a risk-management culture. Behind laws, Mr Speaker, it is this creative approach that will be our shield against cybersecurity threats and incidents; it is this risk-management culture that will see CII owners taking swift and appropriate measures to prevent, manage and respond to cybersecurity threats and incidents. In this vein, permit me to pose a few further questions to the Minister.
Most importantly, or chief amongst them, I would say, are businesses that are involved in this sector. What perhaps is the Ministry and CSA's plan to minimise additional compliance costs? I know that compliance costs for audits, reporting and risk assessments can be exorbitant, and these costs are, unfortunately, likely to be passed down to the consumers, not to the owners themselves.
Data disclosed during a recent proposal to amend the Homeland Security Acquisition Regulation in the US had revealed that costs per company associated with implementing its cybersecurity rules went up to US$150,000 for independent assessments, and equipment costs ranging, in turn, for up to US$350,000 to perform continuous monitoring for this purpose. If these processes are not properly managed in Singapore, considerable sums could be unproductively spent.
In relation to Part IV of the Bill which deals with responses to threats and incidents, can we have some examples of what might variously qualify as a “cybersecurity threat or incident of a severe nature” on the one hand, a “serious threat” on the other, and still on the third hand, which we do not have, an emergency level “serious and imminent threat”? They are terms apart which I would say judges and lawyers would be very keenly looking at. Can we have some guidance as to what this would be?
Third, will cloud services be impacted by this new regulatory framework? The Bill’s explanatory statement admits that the Commissioner’s wide-ranging powers of access to data in clause 20 are “intrusive”. Will this be seen as going against perhaps established data privacy and protection principles and potentially expose the data of the cloud service provider’s clients? This is particularly so in a public cloud environment.
Could the Bill have a chilling effect on the adoption of cloud services in Singapore, as cloud customers in both Singapore and elsewhere become increasingly concerned about the level of Government access to private data and perhaps may withdraw from such cloud services in time to come, even though these cloud services arguably claim to provide better cybersecurity than what we have beyond the cloud services? This would be a pity as the cloud could enable new innovations, such as artificial intelligence (AI) and big data analytics, which will likely become the basis of future developments in technology and that, by all accounts, the Smart Nation and Digital Government Office wishes to support.
I understand that codes of practice and standards of performance will provide more guidance to the relevant businesses on the actions that they must take to comply with the Bill. Are there plans to adopt the best practices, specifically from the US and the UK in this regard? I note that the US has a Cybersecurity Disclosure Act of 2015, which adopts a "comply or explain" procedure in certain circumstances. Will we be following that route or studying it at least? Or the UK’s Cybersecurity Information Sharing Partnership, a structure for incident disclosure and collection which, among other things, allows business organisations to work in collaboration with the regulators to collaboratively and voluntarily report incidents to the UK national computer emergency response team?
In conclusion, Mr Speaker, the breadth of machines and systems that are or could become potential CIIs is staggering and will only expand in a smart city, such as Singapore, in time to come. I fear when I read that MINDEF, quite rightly, is looking at how even fitness trackers could become a portal for CII threat or incident.
Allow me to end by noting that the Economist Intelligence Unit's most recent report notes that cybercriminals are seeking out points of least resistance in the Asia Pacific region. So, now we are going to have cybercrime legislation in addition to CMCA. But jurisdictions, perhaps as in our neighbouring jurisdictions, without this cybercrime legislation or with weak enforcement, are attracting cybercriminals as vantage points from which to conduct attacks into the networks of more advanced countries. So, if I can end by just asking if the Minister could share anything that is going to be done regionally and perhaps internationally to prevent this. Mr Speaker, I support the Bill.
Mr Speaker: Mr Melvin Yong.
3.28 pm
Mr Melvin Yong Yik Chye (Tanjong Pagar): Mr Speaker, I stand in support of the Bill, which regulates cybersecurity service providers and enhances the online resilience of our country’s CIIs across all key sectors. With the proliferation of Internet devices and the growing scale of worldwide cyberattacks, such as the widespread WannaCry ransomware attack in 2017, the proposed provisions in this Bill are a much-needed step towards safeguarding our cyberspace and everyday security. Considering the multifaceted cybersecurity threats that we face today, the Bill is encouraging in both breadth and depth.
Let me begin by expressing my support for the Ministry’s intentions behind the licensing of key cybersecurity services. There is no doubt that cybersecurity is important for Singapore. Our highly interconnected businesses and community depend very much on the integrity and round-the-clock availability of technology to function smoothly.
Just last Friday, thousands of Singaporeans were affected when the e-payment system Network for Electronic Transfers (NETS) was down for more than an hour. Our Smart Nation needs to be secured all the time, every time. However, I would like to ask if the proposed licensing framework would impact the development of a vibrant cybersecurity ecosystem in Singapore.
Would third-party startups and vendors be required to obtain a licence just to offer their services as part of a turnkey solution to organisations?
Mr Speaker, even the best cybersecurity defence systems and the most onerous cybersecurity legislation would be for naught if the end-users of these systems end up being the weakest link in our cybersecurity chain. With the proliferation of smart devices, flash drives and devices connected to the Internet, these can all be points of entry for a hacker to cause damage if the user does not have a good basic understanding of digital security. I would like to urge the Ministry to design and roll out awareness programmes to educate our citizens, both young and old, on digital security to ensure that the weakest link in our cybersecurity chain is secured.
Another possible weak link in the chain is the outsourcing of cybersecurity services to companies that are based overseas. How does the Ministry intend to ensure the compliance of such companies?
A third possible weak link is the use of third-party vendors. As seen from overseas hacking incidents and data breaches, such as the data breach suffered by Netflix in 2017, poor cybersecurity by third-party vendors has been a consistent problem for years. In 2013, hackers gained access to the network of retail giant Target by first stealing passwords from a third-party vendor dealing with their heating and ventilation systems. Often, these vendors, also known as network-connected outsiders, are small-sized companies which do not invest much in proper cybersecurity practices, even less so investing in best practices. This has been a problem plaguing many industries. How does the Ministry plan to ensure that such third-party vendors, beyond the 11 identified critical sectors, are also well-regulated?
Mr Speaker, the demand for cybersecurity solutions is set to swell as technology advances. There is, therefore, a need for us to ensure that Singapore has a core talent pool of cybersecurity professionals that can be deployed across the various sectors. Can the Minister provide some insights on the number of cybersecurity professionals needed for the next five to 10 years? How far are we currently from these target numbers? What are the plans to ensure that we have a strong sustained pipeline of local talents to service this growing industry?
Perhaps, a short-term solution in ensuring that our cybersecurity defences are working as intended, while current batches of cybersecurity professionals are still being trained in schools, would be through the use of “white hat” hackers. I have read with interest that MINDEF has recently invited 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems. Harnessing the enthusiasm of the “white hat” hacker community is a step in the right direction and I would like to propose for the Ministry to consider grooming a local community of “white hat” hackers in Singapore. However, clear boundaries and protocols would need to be drawn and the Ministry would need to think about how to best support and manage the group. With that, Mr Speaker, I support the Bill.
Mr Speaker: Ms Jessica Tan.
3.34 pm
Ms Jessica Tan Soon Neo (East Coast): Mr Speaker, thank you for allowing me to speak on this Bill. With the extent, speed, increasing sophistication and trend of high-profile cyberattacks, this Bill is timely. We are seeing an increasing trend of ransomware. Ransomware, like WannaCry, that everyone has cited, as well as SamSam, have targeted high profiles like multinational corporations (MNCs), critical infrastructure providers, even hospitals and education institutions. This shows us the extent of disruption that ransomware can inflict.
Malware affects files, computers and mobile devices by encrypting and locking data, rendering them inaccessible and, in most cases, leading to a loss of data and impacting operations. Once inside the network, it gives control of the management inside the network. As more businesses digitalise and technology progressively influences the way we live, work and play, such attacks will have wide-reaching impact.
In the physical world, customers place their trust in businesses to provide quality services and to handle their information appropriately. The measures outlined in this Bill are no different, requiring owners of CIIs to proactively put in place the right procedures to protect customer data and ensure quality and continuity of service.
This Bill spells out the code of practice and standards of performance, the duty of owners of CIIs to report cybersecurity incidents; to perform cybersecurity audits and risk assessment of CIIs and also to participate in cybersecurity exercises; and put in place measures to prevent, manage and respond to threats and incidents; investigation and prevention of serious cybersecurity incidents. It sounds extremely onerous.
To meet these requirements for cybersecurity, one constraint that we all must recognise is that of the availability of skills and knowledgeable cybersecurity specialists. There has been a lot of discussion on costs. The reason for that high cost that everyone is envisaging is because of this lack of skills or the need to build this base of deep skills. With the growing demand for cybersecurity skills, building this talent base, we all have to recognise, will take time.
Clause 5(l) of the Bill outlines the duties and functions of the Commissioner to promote, develop, maintain and improve competencies and professional standards of persons working in the field of cybersecurity. Can the Minister share the plans to build this talent base and what is being done to ensure that we have sufficient cybersecurity skills and capabilities in Singapore to meet the current and, more importantly, future demands?
The Bill also recognises that for cybersecurity to be effective, it must start at the top, with owners or leaders of CIIs. Building cybersecurity awareness and culture across an organisation requires a strong tone from the top. So, it is interesting to see Part 3 of the Bill clearly outlining the accountability of owners of CIIs. Failure of owners to comply with the regulations carries with it heavy penalties, including imprisonment for a term not exceeding two years. Clause 7(8) puts the same emphasis on CIIs owned by the Government, stating that when the CII is owned and operated by the Government, the Permanent Secretary allocated to the Ministry who has the responsibility for the CII is treated as the owner. This sends a strong message that leaders own and are accountable for cybersecurity in the organisation. This will keep cybersecurity top of mind in the organisation.
Compliance is necessary but not sufficient. Building resilience is at the core and spirit of this Bill. To achieve cybersecurity, we must not only ensure compliance but, more importantly, an understanding of a mindset change of all stakeholders of Singapore’s CIIs. While measures are put in place for compliance, people are one of our weakest links. Employees must understand the impact of their actions on cybersecurity. With the increasing sophistication and social engineering, targeted phishing emails are not as easily detected. It is becoming more difficult to tell a malicious email from a legitimate email. Hence, cybersecurity awareness and keeping cybersecurity top of mind are key. Apart from cybersecurity professionals, training and building resilience of all employees and users of CII is as essential. This is not a trivial task, and organisations will need support to achieve this. Can the Minister share what will be done to support organisations in this aspect?
We must also recognise that it is not a matter of “if” but “when” there will be a breach. In fact, statistics and information tell us that many organisations that have been breached take about 12 months, on average, to actually discover that they are breached. Organisations must have processes and tools to detect cyber threats or incidents. Most importantly, organisations must have in place processes to take action to recover and minimise the potential impact of the breach.
As Singapore strives to be a Smart Nation, cybersecurity is critical. Ensuring cybersecurity and resilience of our CII will require a strong partnership amongst stakeholders in the ecosystem. To effectively fight cyber threats, organisations and the Government must work together as no one has all the knowledge or resources to do it alone.
For a start, there must be two-way information sharing and feedback. Sharing plans on how data collected or submitted to the Commissioner will be used will enable owners of CIIs to better understand how the data they submit are used. This will help build trust amongst stakeholders to share and, more importantly, work together to combat cyber threats. The cybersecurity journey has started and is one that we have to continually work on to protect our essential services. Mr Speaker, Sir, I support the Bill.
Mr Speaker: Mr Saktiandi Supaat.
3.41 pm
Mr Saktiandi Supaat (Bishan-Toa Payoh): Mr Speaker, Sir, in this era of digitalisation and connectedness, cutting back on cyber solutions is not the answer for institutions and companies. With our dependence on the digital world, we can only expect the exposure to cyber threats to increase. It is crucial that our Smart Nation aspirations must go hand in hand with resilient cybersecurity systems. This makes the Cybersecurity Bill an essential move forward.
Certainly, investments in cybersecurity could lead to rising business costs. For small and medium enterprises (SMEs) already struggling to stay afloat, this will create additional financial stress. With more cross-company collaboration and outsourcing occurring these days, it is crucial that this becomes a nationwide effort. It would be just like how suppliers for the banking industry would have to adhere to the Banking Secrecy Act. Data sharing and exchange will be compromised if even just one organisation is careless with their approach on data security. Resultantly, some companies may then pass down the cost of cybersecurity measures to the consumers.
Cybersecurity is often likened to insurance and similarly scorned for the same reasons. Its necessity is often overlooked until a crisis happens. Yet, according to the Cost of Data Breach Study 2017 by the Ponemon Institute, a US-based organisation that conducts independent research on privacy, data protection and information security policy, the average cost for each lost or stolen record containing sensitive and confidential information for 419 companies which took part in the survey was approximately US$3.62 million. This would be largely attributed to loss of reputation and potential business, remedial measures, as well as lawsuits.
Ultimately, having a sound cybersecurity system in place would be more cost-effective in the long run. But some businesses may not realise this. Moreover, as cybersecurity is still unfamiliar territory, some companies may under-invest or over-invest in the wrong systems. I have heard from business operators who think they are adequately covered with an anti-virus software, for example. I hope the Government can look into the estimated costs that will be incurred in cybersecurity investments and consider financial incentives to alleviate the financial burden of implementing enhanced cybersecurity measures. Awareness and education would also go a long way in helping organisations make informed decisions.
I wish to also express my concern that the incident reporting and investigation requirements on CII owners under the Bill could be too onerous, especially when they are potential victims of cyberattacks. This could mean plenty of administrative work back and forth, when the time, effort and other resources may be better spent on constantly shoring up cybersecurity defences instead. Perhaps, for high-risk CIIs, the Commission could work more closely with the owners to improve prevention measures.
I also note that with the decision to simplify the licensing framework, the Bill will do away with the licensing of individual cybersecurity professionals. At this point, only penetration testing and managed security operations centre (SOC) monitoring service providers will require licensing. With the gig economy blooming, there will be no doubt cybersecurity professionals who provide their services as freelancers will increase. Cybersecurity professionals deal with sensitive information in large quantities. So, is there a need for this to be better regulated? Is it not vital to ensure that they are adequately skilled and possess the right disposition to provide services of such a delicate nature?
On the topic of handling sensitive information, some hold reservations that the authorities, while conducting their investigations, would intrude on personal privacy. Are there safeguards in place for the broad investigation powers to ensure that there is no misuse of authority, whether unintentional or not? Can the public be assured that their information is in safe hands?
Mr Speaker, this is a comprehensive Bill that adequately covers many areas concerning cybersecurity. Meanwhile, we also have the Computer Misuse Act (CMA), formerly the CMCA, as well as existing pieces of legislation, like the Banking Secrecy Act, which also address cybersecurity and data protection issues. Are there overlapping policies, and how would the new Bill interact with and complement the existing pieces of legislation that we have now? Enhancing our cybersecurity defences is the next logical move in the face of an increasingly digitalised society. I support the Bill.
Mr Speaker: Mr Desmond Choo.
3.45 pm
Mr Desmond Choo (Tampines): Mr Speaker, cyberattacks are almost commonplace in recent years. In fact, in May 2017, billionaire businessman Warren Buffett said to his investors that cybersecurity could be the number one problem for mankind.
The numbers confirm this. In the first six months of 2017, globally, there were more than 900 data breaches. Analysts say that the damage caused by cybercrimes globally could hit US$6 trillion annually by 2021. No country has been spared. Singapore has been targeted by cybercriminals. We must put in place laws to safeguard our critical cyber systems and infrastructure.
I have three points of concern, namely, on costs, processes and manpower needs.
In meeting the requirements, CII sectors will have to impose more stringent requirements on their systems or require their vendors to do so. This will inevitably lead to higher costs, as pointed out by Members of this House. In the Report on the Consultation Outcome paper released by the Ministry of Communications and Information (MCI), it was stated that MCI will not be providing grants to offset the costs of audits and risk assessments because they are regulatory requirements. However, it will work with the sectors to streamline requirements so that they can minimise compliance costs incurred because of the Bill. May I ask what is the estimated compliance costs involved for the various sectors? For sectors that face greater complications in meeting the requirements, are there existing schemes that they can tap on for this purpose? What is the timeline for the implementation of these compliance measures? Companies might not only need time to ramp up their compliance capabilities but also need technical guidance from MCI.
My next point is on processes. While we must not compromise on security, we must ensure that the reporting processes are not unnecessarily onerous. Companies and their staff already face substantial reporting requirements to other Government bodies. We must seek to rationalise compliance for ease of operations without compromising on security.
While a strong CSA is necessary for our cybersecurity, it must also not intrude upon privacy unnecessarily. The Ministry has assured that there are safeguards in place. And it will adopt a calibrated approach, depending on the severity of attacks. Can the Ministry also share more if it will adopt a tiered or classification system that would spell out the scope or limits of investigation, depending on the level of severity of the incident or attacks? For example, the security agencies have used threat-level systems to decide on the intensity of preparation and fortification that needs to be done. Could a similar system be put in place so that stakeholders and parties involved will have a clearer picture of what is required of them should a cyberattack or breach of systems happen? And more importantly, the requirements needed of them during peacetime as it affects business costs and manpower requirements.
Mr Speaker, Sir, I would also like to know if the cybersecurity manpower is sufficient to achieve the aims of this Bill. While our IHLs have been training more students and the Ministry of Manpower (MOM) has introduced Professional Conversion Programmes (PCPs) for the IT sector, and they have been in place for some time now, would the supply be sufficient? How can the Ministry work with the Ministry of Education (MOE), MOM and even the National Trades Union Congress (NTUC) to ensure that there will be sufficient manpower to meet our future needs?
On a separate but related matter, in 2017, data security firm Check Point Software Technologies ranked Singapore as the world's top spot to launch global cyberattacks from. While the attacks may originate somewhere, being a technology hub in Southeast Asia means that we have a high amount of Internet traffic from other countries going through us. We are a hub with high inter-trade and data connectivity. It is inevitable that some attacks will originate from Singapore and other similar hubs. Yet, it is also our global responsibility to stop attacks where possible. It is also an opportunity to provide a trusted gateway for countries and businesses. It establishes Singapore as a secure business node. We must not stop at exploring and developing ways for us to be used as a gateway for global cybersecurity.
In spite of the concerns, this Bill puts us in the right direction in hardening our systems for both current and future security needs. With this, I support this Bill.
Mr Speaker: Dr Intan Mokhtar.
3.50 pm
Dr Intan Azura Mokhtar (Ang Mo Kio): Thank you, Mr Speaker, Sir, for the opportunity to speak on this Bill. I support the Bill, which is an important one that will eventually help strengthen our laws on cybersecurity and related threats.
With our Smart Nation initiative and Government-wide move towards digital transformation of our processes, procedures and data management approaches, cybersecurity inadvertently becomes a concern that needs immediate address. While a lot are in this Cybersecurity Bill, there are, however, several concerns that I have in the implementation of this Bill that is to be enacted.
First, the cybersecurity services providers and licensees. How does the Government plan to ensure the integrity and reliability of these companies? Are their track records studied, and are the employees all screened? How sure can the Government be in ensuring security and privacy of matters pertaining to the Government, with these third-party cybersecurity service providers and licensees having access to such privileged information?
Second, we know that cyber hackers and attackers are always, at least, two steps ahead. While I appreciate the focus of the Bill to put in place a penetration testing service to search for vulnerabilities and compromises in the computing system of our public sector and Civil Service outfits, how do we stay ahead of the curve and stay relevant and secure? How do cybersecurity service providers and licensees ensure that the personnel who are helping them to search for these vulnerabilities and compromises are up to speed with what potential cyber hackers or attackers are or will be doing?
Third, while this Bill aims to address the various measures and countermeasures to prevent, manage and respond to cybersecurity threats and incidents that may afflict our public sector and Civil Service, it must be accompanied by non-legislative approaches as well. Sustained efforts to ensure awareness in cybersecurity training of our public and Civil Service officers, so that they are able to recognise potential and actual cybersecurity threats, need to be carried out as well. In fact, this approach has to be nationwide, even to users of public services, such as students and the general public.
Public education to increase awareness and identification of potential and actual cybersecurity threats must also be done to support the provisions of this Bill. Public and Civil Service officers, as well as students in our public education institutions, need to understand and recognise when certain emails, hyperlinks or even mobile applications could risk the integrity and compromise the safety of connected computing systems in our various public offices, institutions or schools. Our cybersecurity public awareness programmes must continue and be further enhanced. In addition, to what extent is data shared among our public sector officers currently in designing and implementing better policies or programmes for the public? And with this new cybersecurity legislation, how will that sharing of data and information be impacted? Notwithstanding my concerns above, I support this Bill, Mr Speaker.
Mr Speaker: Mr Louis Ng.
3.54 pm
Mr Louis Ng Kok Kwang (Nee Soon): Sir, I rise in support of this Bill. Singapore runs on computers. Everything from our transport system and fire departments to our hospitals and military relies on the availability of sustained access to computer systems and networks.
This also means that a successful cyberattack on our CII would not simply pose a threat to our way of life but could seriously endanger our national security. Therefore, I applaud MCI and CSA's efforts to develop the resilience needed to ensure that when we are attacked, we will stay strong.
I have seen how technology, used in the right way, has uplifted people. Ride-sharing and food delivery applications have given many people a new outlet for income, and entrepreneurs have embraced e-commerce to expand their market. Technology has helped many to climb the socio-economic ladder.
Ensuring our CIIs are resilient to a large-scale cyberattack is important. But there is more to who we are as a country than just 11 critical sectors. Small businesses must be resilient to hacks and learn how to maintain business operations, but regular Singaporeans should also be armed with tools to stay safe online. A 2015 survey published by IT Security firm ESET notes that although 76% of Singaporeans know of some precautions to take when going online, only 44% actually do anything about it.
So, how can we help our SMEs, our Instagram influencers and first-time e-retailers stay safe and be able to continue their business operations when they are hacked? How can we help the older generation, the aunties and uncles, to learn the best practices of using the Internet so that they can avoid becoming victims of cybercrimes?
The risks that regular people face online are increasing. As many have mentioned, last year, thousands were affected when WannaCry ransomware hit our shores. But the threat can come from within Singapore, too. Singapore hosts 1.6% of all the malware in the world, which is an astronomical amount considering that our island holds only a very small fraction of the world's population. The very fact that we are a connected and smart country means that we are more at risk to cyberattacks.
An idea to start with is with our young ones. The UK, for example, has set aside £20 million to fund co-curricular activity (CCA) clubs in schools that focus on cybersecurity training. This not only teaches children how to be good online citizens, but it also creates a pipeline of future cybersecurity specialists. Would MCI and CSA consider working with the Ministry of Education (MOE) on this?
Another possibility would be to provide grants to SMEs to beef up their cybersecurity awareness. Many businessmen may be unaware that being hacked could ruin their company. A recent survey conducted by QBE insurance found that only 23% of all surveyed SMEs are concerned about security of sensitive data while 35% of smaller SMEs have no cyber protection at all.
Smaller companies do not have large IT footprints but will face serious operational risks if their systems were down. Precision engineering firms would not be able to continue to manufacture if they were attacked by ransomware. Others would lose customers if customer data was to be hacked. Would MCI and CSA work with SPRING Singapore or the National Trades Union Congress (NTUC) to help SMEs and startups pay for anti-virus software or hire consultants for cybersecurity reviews?
Next, we can explore ways to do more for our most vulnerable residents – the older generation. I have residents who are 90-year-old grandparents who check their email and WhatsApp constantly. To them, technology is no longer just a novelty, but an integral part of daily life. Unfortunately, these residents are the most vulnerable to hacking. Would CSA work with the People's Association (PA) to develop programmes to teach the fundamentals of cybersecurity?
Finally, I would like to ask MCI whether there are plans to amend the Bill to require all hacked companies to report breaches. This would give CSA greater visibility on the types of hacks that are happening in Singapore. Rather than waiting for a CII to be attacked, CSA might be able to identify trends and take preventative measures.
This will also prevent incidents from going unreported, for example, like the Equifax breach in the US, which resulted in the sensitive data of 145 million citizens being stolen, or Uber paying off hackers who had stolen customer information. After all, every day that a breach goes unreported is another day that people are at risk of identity theft or credit theft.
Sir, in conclusion, I stand in support of the Bill. Anything we can do to improve our national resilience to outside threats is a positive step. But let us not forget that thousands of SMEs and millions of Singaporeans still do not know how to stay safe in cyberspace. We will never be truly resilient unless all of us, collectively as Singaporeans, can effectively mitigate the risks of being online.
Mr Speaker: Mr Patrick Tay.
3.59 pm
Mr Patrick Tay Teck Guan (West Coast): Mr Speaker, in 2017, Singapore came in as the top launchpad for global cyberattacks in cybersecurity firm Check Point's Threat Map, ahead of China, Russia and the US. According to the Check Point report, Singapore was likely used as a gateway for attacks based elsewhere.
In another study by CyberInt, a cybersecurity threat monitor, Singapore ranked as the fifth biggest global target for phishing attacks, after the US, Britain, the Philippines and Russia. In recent years, we have also witnessed a surge in spates of cyber incidents on a global scale, some of which have hit home.
As Singapore develops into a highly-interconnected Smart Nation, we will become an increasingly attractive target for cybercriminals. As more aspects of our lives go digital, fallout from such attacks will become even more extensive and breakdowns in provision of essential services could result in loss of property, sensitive data and even lives not only on a national scale but on a global scale. It is, therefore, timely that we put in place robust regulatory infrastructure to govern cybersecurity matters in Singapore and maintain high cybersecurity standards to protect critical systems and data.
While I am supportive of the Bill, I do have some questions and suggestions which I would like to raise. I classify them into what I call the 5Cs: (a) Classification, (b) Compliance Costs, (c) Compromises and Concerns, (d) Continuing Education and (e) Contingency Planning.
First, is there a mechanism in place to allow organisations to check with CSA if they are classified to be an owner of a CII? Having such a mechanism would allow organisations to definitively determine if they are a CII so that they can better plan for their operational costs and resource requirements in order to comply with the requirements of CIIs under the Bill.
Second, for organisations which have been notified that they are a CII, are there any support programmes in place which they can tap on to tide them through the implementation of processes and infrastructure to enable compliance with the requirements of CIIs under the Bill? By the same token, are there any measures in place to ensure that the cost of compliance as CIIs do not trickle down extensively to the consumer?
Third, CSA is given broad investigative powers under the Bill. These powers should be exercised with care to ensure that innovation is not curtailed. As part of its educational outreach in the NTUC's U Associate’s network, The Internet Society, Singapore Chapter (ISOC.SG) collected feedback from stakeholders on this Bill. ISOC.SG found that the general thrust of the Bill was widely accepted although there was concern that overly broad investigative powers would curtail innovation and the technology industry. A balance, without compromising cybersecurity, must be found.
An example is allowing investigation and removal of anything, servers and data included, at any time. Although powers are used to combat security threats, too much data could be taken or disruptive actions could result if powers are poorly exercised. With possible implications on our status/efforts to become a data hub, the reasonable use of powers, perhaps with a chance to challenge a decision, makes sense. As a general point, overly broad powers usually affect innovation because of fear and less risk-taking.
Fourth, with this Bill and our Industry Transformation efforts across several sectors, I look forward to more job opportunities for those with cybersecurity skills. This will avail new entrants as well as those already within the profession to upgrade and keep abreast with the latest developments. Although there were reservations by practitioners during the public consultation to license practitioners in this field, I submit that it is still good to align and benchmark the skills and competencies of cybersecurity professionals locally and with global accreditations and provide more platforms for continuing education and professional development to ensure they stay relevant and current within the practice of cybersecurity. To this end, the Labour Movement hopes to partner the various associations in this sector and the cybersecurity professionals in this journey to provide continuous learning, growth and career progression opportunities.
Fifth, recognising that cybersecurity is everyone’s responsibility, are there plans to ensure that the wider community, our enterprises and individuals, are prepared for cyber contingencies and know what to do to prevent one, or, when faced with one, what to do to mitigate its impact?
NTUC and ISOC.SG are supportive of continuing efforts, as every Singaporean is online to some degree and a stakeholder in the security of the Internet, to avail users to tools and resources and building cybersecurity awareness to help enhance cybersecurity and build trust online. By inculcating that cybersecurity DNA or genetic code into all Singaporeans, we will also create a world-class future-ready workforce that can differentiate itself to employers.
For example, enterprises. In the recent Petya ransomware attack in mid-2017, a number of companies under the global marketing services group WPP were affected by Petya. Singapore employees of a company under WPP were reported to be scrambling to follow instructions on how to deal with Petya after the attack. They were told to log off from the office wi-fi network or servers, and made arrangements to work remotely. Some worked from home using their personal computers, while other teams met in public spaces, such as cafes. Are our enterprises equipped to take steps to prevent cyber incidents from occurring? Are there response and business continuity plans in place which they can implement if they are subject to a cyberattack?
Next, individuals. To raise our people’s awareness of cybersecurity, will there be a pervasive rollout of cybersecurity messaging and e-learning to individuals so that they are equipped with the requisite knowledge and skills to prevent cyber incidents and know what to do when faced with one, as has been done for SG Secure? Are there plans to develop cybersecurity tools that all individuals can use to safeguard their devices against cyberattacks? There could be publicly available online quizzes to understand cybersecurity and prevention tips.
These tools could perhaps be developed by trainees undergoing training to be cybersecurity professionals who are placed with cybersecurity enterprises or startups in the business of developing these tools. We can even provide free-to-use anti-virus software available for all households to utilise, especially since we are moving towards a Smart Nation and we are all so virtually connected. Mr Speaker, just a short one in Chinese.
(In Mandarin): [Please refer to Vernacular Speech.] I support this Bill but I would like to raise three points here.
First, I am worried about the additional compliance cost. Are there any grants to help SMEs cope with this extra cost? I am also concerned that the cost will be passed on to the consumers.
Second, will the new Act curtail innovation from the companies?
Third, as the cybersecurity scene changes every day, individuals and companies must upgrade and keep abreast with the latest developments. Hence, I hope that the industry can develop a continuing education framework.
Cybersecurity is the responsibility of every individual. Therefore, I urge the Government, companies and our citizens to stay alert and be prepared.
(In English): With that, I support the Bill.
Mr Speaker: Ms Sun Xueling.
4.07 pm
Ms Sun Xueling (Pasir Ris-Punggol): Mr Speaker, the Cybersecurity Bill sets out a comprehensive framework to protect our CIIs and points out the areas where Government agencies can work with CII owners to fortify our systems.
Given the pivotal role that CII owners play, I would like to understand how the essential services and CIIs are identified, together with their owners. In instances where business operations are international and computer systems are housed outside Singapore, how would CII owners be identified and held accountable for their cybersecurity responsibilities?
The Bill sets out requirements for CII owners to establish mechanisms and processes to detect any cybersecurity threats. It is heartening to note that MCI and CSA have been forthcoming and open to suggestions. I would like to enquire, given the range of cyber threats, to what extent would it be possible to expect CII owners to guard against every imaginable threat?
The Bill would likely bring about increased compliance costs as well as organisational change to businesses. Has there been an assessment on the costs businesses would incur from the implementation of the Cybersecurity Bill? Would there be adequate time given to them for them to comply? And when there are cyberattacks, how do we balance the need for incident reporting and investigation requirements when CIIs may be putting efforts simultaneously to restore services targeted by cyberattacks?
Standards or codes of practice issued or approved under the Bill should be aligned with globally compatible policies and benchmarks to help CII owners as much as possible. Given rapid developments globally to tackle cyber threats, how would the Bill take into account global developments and evolving standards?
The Bill is bold as it covers both the public and private sectors, recognising that cybercriminals do not distinguish between such boundaries. However, concerns about the extent of powers a proposed Cybersecurity Bill would give the Government have emerged, underscoring the ever-present tension between security and protection of privacy.
For example, the Bill empowers the Commissioner of Cybersecurity to require any person to surrender pertinent information regarding a suspected cyberattack. At the same time, various laws prevent the disclosure of personal information. Banks, for example, owe their customers a duty of confidentiality under the Banking Act. Similarly, organisations cannot use or disclose personal data without individuals’ consent under the Personal Data Protection Act (PDPA). Is there scope then for the Bill to better address the intent of the Bill with existing prohibitions on disclosure? Lastly, how would the Cybersecurity Bill interact with existing legislation that may already cover cybersecurity requirements?
Digital technologies are transforming our daily lives. They offer many new and exciting opportunities but, at the same time, present several challenges, including increasing our vulnerability to cyberattacks. The Cybersecurity Bill would help fortify our systems against cyberattacks and, notwithstanding my clarifications, is definitely a step in the right direction. Mr Speaker, in Chinese, please.
(In Mandarin): [Please refer to Vernacular Speech.] Cybersecurity cannot be taken for granted. Cyberattacks are becoming more sophisticated and can cripple our CII. This can have serious repercussions for our nation’s ability to function and deliver essential services to our citizens.
The Bill sets out the responsibilities of CII owners. CII owners have to be identified correctly and their responsibilities accordingly scoped so that they face the right impetus to invest in cybersecurity for the sake of the nation.
There will be conflict between the need to uphold cybersecurity and the need to protect the privacy of information, but we should not shy away from exploring where the boundaries are and find the right balance.
(In English): With that, I support the Bill.
Mr Speaker: Minister for Communications and Information.
4.11 pm
Assoc Prof Dr Yaacob Ibrahim: Mr Speaker, the hon Members have raised valid concerns and good suggestions on the Cybersecurity Bill. Let me address each area in detail.
Some Members, Mr Zaqy Mohamad, Mr Pritam Singh and Ms Sun Xueling, asked how the Bill will apply to systems that are providing essential services but located overseas. The Bill allows the Commissioner to designate as CII computers and computer systems necessary for the continuous delivery of essential services in Singapore. Overall, a significant majority of such systems are based wholly or partly in Singapore. Owners of CII that are partly located in Singapore will still have to comply with their obligations under the Bill.
Given Singapore’s interconnectivity, it is inevitable that some computer systems serving important functions in Singapore are connected globally and may also be located wholly outside Singapore. These computer systems could also be operated by international organisations based abroad.
While Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems in question, we cannot control such systems by designating them as CII under the Bill as they are outside our jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes.
To facilitate investigations of cybersecurity threats and incidents that may originate overseas, the Government has made significant efforts to develop strong international partnerships and linkages with overseas Computer Emergency Response Teams (CERTs). CSA will work closely with its foreign counterparts for such investigations.
Ms Joan Pereira and Mr Melvin Yong asked if the cybersecurity of CII would be affected if their owners choose not to impose requirements on their vendors or if such vendors were not regulated. CSA will work with the sector regulators and CII owners to define the boundaries of the systems that will be designated as CII, on a case-by-case basis. CII owners are ultimately responsible for the cybersecurity of their respective CII. Many engage third-party vendors to support their CII. In deciding which vendors to engage and what conditions to impose on their vendors, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the Bill are complied with.
CII owners will be required under the Bill to conduct regular cybersecurity audits to ensure that their obligations are met. This provides an added layer of assurance that the CII would be in compliance with cybersecurity codes of practice and standards of performance, as required under the Bill.
Ms Thanaletchimi suggested establishing an accredited framework for a national cybersecurity audit for CII stakeholders. Sir, audit is an important aspect of good corporate governance. There are already multiple layers of IT audit regimes established within the 11 sectors. We are mindful that another layer of national cybersecurity audit could potentially result in CII stakeholders experiencing audit fatigue. For now, CSA plans to tap on existing sector audit regimes to ensure that the security measures are effective in protecting the CIIs. To ensure an acceptable standard of practice, CSA will provide audit guidance to auditors and track the audit outcomes.
Mr Darryl David asked how CII and essential services are determined, while Assoc Prof Daniel Goh suggested that higher education and research institutions be considered essential services. In arriving at the list of essential services in the First Schedule, we took reference from section 15A of CMCA. We also studied the definition of "essential services" in other jurisdictions before identifying a total of 11 sectors in Singapore delivering essential services. These sectors provide services that are essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
For each sector, CSA worked closely with the relevant sector regulator to identify the essential services within the sector, as well as the computers and computer systems that would be CII. CIIs are identified as computers and computer systems that are necessary for the continuous delivery of essential services, the loss or compromise of which would have a debilitating effect on the availability of the essential services in Singapore.
Higher education and research institutions are not considered essential services at this point in time. Nonetheless, we do not preclude that new essential services may arise in the future, and the Minister may amend the list of essential services in the First Schedule if necessary.
Mr Patrick Tay asked if there is a mechanism in place whereby organisations can check with CSA on whether they are CII owners. There is no need for organisations to make self-assessments as to whether their computer or computer systems fulfil the criteria of a CII. Prior to designating a computer or computer system as a CII, CSA will consult its owner and the relevant sector regulator to identify whether it is responsible for the provision of any of the essential services listed in the First Schedule. Organisations whose computers or computer systems are designated as CII will be notified in writing.
CII owners will be given an opportunity to submit representations to the Commissioner if they disagree with the Commissioner's decision. They may also appeal to the Minister against the designation. However, the Minister's decision on an appeal will be final.
Sir, I would like to assure Members that the identification of CII is a considered and consultative process. MCI and CSA have already consulted with the sector regulators in identifying potential CIIs and engaged the potential CII owners twice since July 2016. Hence, potential CII owners would already know who they are. The process for identifying and designating new CII in the future will be similarly considered and be consultative.
Some Members – Mr Zaqy Mohamad, Assoc Prof Daniel Goh, Mr Saktiandi Supaat and Ms Sun Xueling – asked whether the incident reporting and investigation requirements under the Bill could be too onerous for CII owners, especially when they are potential victims of cyberattacks. As mentioned in my opening speech, we do not intend to take action under the Bill against CII owners for cybersecurity breaches so long as they comply with their obligations thereunder.
Given the importance of CII to Singapore, it is necessary to provide for their proactive protection. For example, clause 14 requires CII owners to establish mechanisms and processes to detect cybersecurity threats and incidents in respect of the CII. CII owners are also required to promptly report to CSA cybersecurity incidents in relation to their CII and any computer or computer systems connected with the CII that are under their control. This will enable CSA to have better oversight of incidents happening across sectors, and to take the necessary actions.
There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII.
Under clauses 19 and 20, CII owners are required to cooperate with CSA during the investigation of cybersecurity threats and incidents. I will elaborate on CSA's exercise of investigation powers later in my speech.
Mr Pritam Singh asked about the incident reporting threshold for CII owners. All CII owners, regardless of whether they are local or foreign companies, will need to report to CSA cybersecurity incidents that occur on or that affect their CII. As mentioned earlier, reporting cybersecurity incidents in respect of CII is a requirement under clause 14, and any non-compliance without reasonable excuse will be an offence. The maximum penalty is $100,000, or two years' imprisonment, or both.
A cybersecurity incident on a CII is defined as an act or activity carried out without lawful authority on or through the CII that jeopardises or adversely affects its cybersecurity. As Mr Pritam Singh pointed out, details of what constitutes a prescribed incident and the form and manner of reporting will be set out in subsidiary legislation.
When exercising these powers, the Commissioner will be mindful that the owners of the computer systems in question are typically also victims. CSA will be providing further details to guide CII owners in incident reporting, such as relevant forms and guidelines.
On the other hand, Assoc Prof Daniel Goh and Mr Louis Ng called for mandatory reporting of all cybersecurity incidents to CSA for more holistic protection of Singapore's cyberspace. Making the reporting of cybersecurity incidents a requirement under the Bill will be both resource-intensive for CSA as well as companies in Singapore, especially our SMEs. Today, all companies, including owners of computer systems that are not CII, can already voluntarily report cybersecurity incidents to CSA through the Singapore Cyber Emergency Response Team (SingCERT). On top of this, the Bill will provide CSA with powers to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore, including computer systems that are not CII.
Ms Jessica Tan and Mr Patrick Tay asked whether there are programmes to help CII owners comply with their obligations under the Bill, while Ms Thanaletchimi suggested that staff of organisations that own CII attend cybersecurity awareness programmes. On the other hand, Ms Sun Xueling and Mr Desmond Choo asked about the time that CII owners will be given to implement cybersecurity measures.
To assist CII owners and their staff in getting ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialisation Programme for Sector Leads, also termed as CLIPS, to work with the CII sector regulators to prepare CII owners for their obligations under the Bill.
CLIPS will focus on establishing clarity on the roles and responsibilities between the sector regulators and the CII owners and identifying and resolving any operational issues pertaining to the respective sectors. For example, these include harmonising policies and streamlining audits and incident reporting processes.
The need to step up protection of CII is urgent but, where necessary, CSA will also give CII owners sufficient time to undertake preparations and planning, prior to issuing the cybersecurity codes of practice or standards of performance for each sector. Assistant Commissioners, also known as ACs, are senior officers appointed from the 11 CII sectors and will be able to advise the Commissioner on the necessary requirements, taking into consideration the unique contexts and complexities of their respective sectors.
Mr Zaqy Mohamad provided many useful suggestions to help CII owners meet their obligations under the Bill, including sharing best practices and benchmarks, and providing support for their R&D efforts. He also asked if the cybersecurity readiness of the CII owners will be benchmarked. Today, CSA assesses the cybersecurity readiness of the CII sectors and shares this information with CII owners to help them improve the cybersecurity of their CII. We will consider Mr Zaqy Mohamad's other suggestions.
And I agree with Ms Thanaletchimi that we need to establish mechanisms to inform organisations if they are potential targets, and advise them on precautionary measures that they could take. CSA currently shares information on cybersecurity threats and vulnerabilities with the CII sectors so that appropriate actions can be taken promptly. The CERTs overseeing specific sectors also issue advisories to the operators in their respective sectors.
Several Members – Mr Pritam Singh, Mr Zaqy Mohamad, Mr Saktiandi Supaat, Ms Sun Xueling and Mr Desmond Choo – asked about the costs that CII owners and other businesses may have to incur in implementing cybersecurity measures, while Mr Patrick Tay asked whether there are any measures to ensure that compliance costs do not trickle down to consumers.
Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level is borne directly by the Government. This includes resourcing national-level cybersecurity infrastructure and manpower, conducting regular cybersecurity exercises to validate cybersecurity incident management processes, and deploying National Cyber Incident Response Teams (NCIRT) to respond to cybersecurity incidents.
Today, many CII owners have already put in place cybersecurity measures arising from regulations in sectors, such as banking and finance and infocomm. The Bill aims to strengthen the cybersecurity of CII in all sectors, including those that currently do not have any cybersecurity requirements. The requirements under the Bill have been carefully scoped and are considered not too onerous.
There will be cost implications for some CII owners who will have to strengthen the cybersecurity posture of their computer systems to meet the requirements of the Bill. To minimise regulatory costs, we will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Bill and in their respective sectors, wherever possible.
It is also in the interest of CII owners and their vendors to spend adequately on cybersecurity measures. They should consider not only the upfront cost of such measures, but also the cost of potential breaches, including the intangible costs arising from any damage to their reputation. If organisations follow security-by-design practices, they will spend less overall in the long run to fix cybersecurity issues. As Mr Ganesh Rajaram mentioned, cybersecurity will actually help companies protect their bottom line.
Therefore, on balance, MCI and CSA will not provide funding to offset the costs of CII obligations which are regulatory requirements.
Ms Sun Xueling and Mr Saktiandi Supaat asked how the Cybersecurity Bill is intended to interact with existing legislation that has cybersecurity or data protection requirements. Mr Darryl David asked how the Bill will be administered in view of existing agencies with cybersecurity roles.
The Bill will apply concurrently with other laws and regulations enacted in Singapore, including existing sectoral laws. For example, in the event of a cybersecurity incident, the Telecommunications Act will continue to govern licensees under that Act for resulting telecommunications service disruptions, while the PDPA will continue to govern companies and individuals in the area of personal data breaches.
As mentioned earlier, there are already some laws and regulations in Singapore that deal with various aspects of cybersecurity, such as in the banking and finance, and infocomm sectors. In certain cases, such sectoral requirements may be more stringent or wider in scope than those in the Cybersecurity Bill. The AC from the sector will play a key role in ensuring that CII owners do not face conflicting requirements under the Cybersecurity Bill and in sectoral regulations. This will help minimise the regulatory burden on CII owners.
I wish to clarify that we are not establishing a new agency under the Bill. The Chief Executive of CSA will be appointed as the Commissioner, and he will be supported by CSA staff and the ACs who are intended to be senior officers from the sector regulators. So, there will be no new agency. In many instances, the CII owners will interact with the ACs appointed from their sectors. For example, CII owners in the banking and finance sector will interact with an AC, who will be a senior officer appointed from MAS, for requirements under the Bill.
I want to highlight that information shared with CSA under the Cybersecurity Bill cannot be used for enforcement action against the CII owners under sectoral regulations.
Mr Zaqy Mohamad and Mr Saktiandi Supaat asked about the relationship between the Cybersecurity Bill and CMA. Mr Darryl David asked how the Government would deal with individuals who hack into a website to spread falsehoods, while Mr Henry Kwek asked for a re-examination of the penalties for misuse of access to data, especially if the perpetrators are cybersecurity professionals.
The Cybersecurity Bill and CMA are complementary, given that cybersecurity and cybercrimes are closely related. The Cybersecurity Bill provides for investigation powers in clauses 19 and 20. These investigation powers apply only to the assessment of the impact of cybersecurity threats and incidents, and to the prevention of further harm and further incidents from arising. The investigation of cybercrimes and the prosecution of their perpetrators are different issues covered by CMA. Hence, it is important that the Cybersecurity Bill and CMA are kept separate.
The Bill provides for the protection of the CII in Singapore and ensures that CII owners maintain a necessary level of cyber safety awareness, protection and vigilance against cybersecurity threats and incidents. This will also make them less vulnerable to cybercrime.
The unauthorised use of or modification of computer material and the unauthorised use of computer service are cybercrimes which are offences under CMA. CMA is under the purview of the Ministry of Home Affairs (MHA) and the Police. Depending on the facts of the case, cybersecurity professionals who misuse their access to data may be prosecuted under CMA. CSA, with the investigation powers under the Cybersecurity Bill, will work with MHA and the Police to better protect computer systems in Singapore, especially CII, against cybersecurity incidents.
However, neither CMA nor this Bill is intended to address the threat of fake news.
Several Members – Mr Zaqy Mohamad, Mr Patrick Tay, Mr Desmond Choo, Ms Sun Xueling, Mr Darryl David, Mr Pritam Singh and Mr Saktiandi Supaat – asked about the broad investigation powers provided to the Commissioner by the Bill, including whether such powers would curtail innovation or intrude into personal privacy and how such powers would be used judiciously.
Sir, as mentioned in my opening speech, the investigation powers under Part 4 of the Bill are calibrated and there are limits to the investigation powers that can be exercised depending on the severity of the threat or incident. How an incident will be classified depends on the facts of the case at hand. To be clear, all organisations, regardless of whether they are local or foreign, are required to cooperate with CSA during the investigation of cybersecurity threats and incidents pertaining to computers or computer systems in Singapore.
We recognise the need to balance operational expediency with the proportionate and judicious exercise of power. Investigation officers cannot investigate and remove equipment "at any time". For example, the Commissioner’s authorisation is required before cybersecurity officers and authorised officers can exercise more intrusive investigation powers under clause 20. There will be a governance process within CSA to ensure that the investigation powers are exercised responsibly and in accordance with the Bill. CSA will also consider providing guidelines to the public, to advise the owners of computer systems on what they should do during investigations of cybersecurity threats or incidents.
The Commissioner will determine the appropriate measures to take during investigations of cybersecurity threats and incidents, in consultation with the owner of the computer or computer system whenever possible. To address Asst Prof Mahdev Mohan's point, this will be the case, regardless of the type of computer system or technology involved, including cloud services.
For example, the Commissioner may take possession of any computer or equipment to carry out further examination or analysis with the consent of the owner. However, if there is no consent from the owner, clause 20(5) clearly sets out the conditions that must be met before the Commissioner can authorise the exercise of this power. The conditions are as follows: first, this is necessary for the purposes of the investigation; second, there is no less disruptive method of achieving the purpose of the investigation; and third, this can only be done after consultation with the owner, and having considered the importance of the computer to the business and operational needs of the owner, that the benefit of the action outweighs the detriment caused to the owner.
Prior to deploying more intrusive investigation tools, such as network-scanning software, which are necessary when responding to cybersecurity incidents, CSA will, wherever possible, notify the computer system owners and follow appropriate protocols.
Let me assure the House that the powers under the Bill are not intended to intrude into privacy. The measures and requirements are mainly technical, operational and procedural in nature. For example, CII owners may be required to implement network perimeter defence devices, such as firewalls, or to perform regular vulnerability scanning of their systems, to identify potential loopholes. These measures are non-intrusive with respect to personal privacy.
Sir, I would like to assure Members that any information required under the Bill to deal with cybersecurity threats or incidents will be primarily technical and not personal in nature. For example, to aid in the detection of cybersecurity threats, information, such as network logs, indicators of compromise as well as systems event and audit logs, may be requested.
Furthermore, the Commissioner’s requests for information from CII owners are carefully scoped for specific purposes, such as information pertaining to the technical design and configuration of a CII. The Commissioner does not have direct or continuous access to the data of any CII owner.
As mentioned in my opening speech, the Bill protects information disclosed to CSA under the Bill by requiring persons who obtain it in the course of performing their functions or discharging their duties under the Bill to keep it confidential, and by specifying the circumstances under which it can be disclosed. Misuse of the information by the Commissioner or other specified officers will be a criminal offence.
With the exception of clause 23, the Bill does not require persons to disclose any information that is prohibited by any other law. The powers under clause 23, which are for emergency cybersecurity measures, are not new and were taken from section 15A of CMCA.
We have also further scoped clause 23 to be tighter than the existing section 15A of CMCA, to make clear that action can only be taken against serious and imminent threats and not just any cyber threat to the national security, essential services, defence or the foreign relations of Singapore. The Minister is constrained by the language of clause 23 when exercising his powers. His discretion is not unfettered.
Mr Christopher de Souza asked whether the Bill would cover less mainstream cybersecurity services, such as white hat or ethical hackers, while Mr Melvin Yong asked if the Ministry could consider encouraging a local community of white hats.
On the other hand, Mr Saktiandi Supaat asked whether cybersecurity freelancers need to be regulated, while some Members – Mr Zaqy Mohamad and Ms Joan Pereira – spoke about the missed opportunity and risks of not regulating individual cybersecurity professionals.
Sir, it is clear from the debate that there are diverse views on the issue of licensing cybersecurity service providers and growing the cybersecurity ecosystem. On the one hand, there is a call for even individual professionals to be regulated while, on the other hand, some expressed concerns over potential cost implications for businesses.
As I had mentioned in my opening speech, for a start, the licensing framework is deliberately light touch in view of the need to strike a good balance between industry development and cybersecurity needs.
Furthermore, given the global nature of the cybersecurity industry, we recognise there are currently practical challenges to require individual cybersecurity professionals to be licensed, especially for service providers who deploy employees from overseas to serve clients in Singapore.
Our focus is on more mainstream or mature cybersecurity services with the potential to cause significant impact on the overall cybersecurity landscape. We have identified two categories of services, penetration testing and managed SOC monitoring, as licensable cybersecurity services, which are set out in the Second Schedule. Nonetheless, other cybersecurity services will still need to comply with other laws in Singapore, such as CMA.
All providers of licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. However, we do not intend to require companies to be licensed for providing such services to their related companies.
Under the Bill, no person may engage in the business of providing any licensable cybersecurity service to other persons, except under and in accordance with a licence granted or renewed under clause 26. CSA will encourage consumers of such cybersecurity services to only procure services from licensed cybersecurity service providers by publishing a list of licensees online. Companies can also inform CSA of any unlicensed service providers.
The proposed licensing framework is intended to reduce the safety and security risks that cybersecurity service providers can pose. The service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Any applicant who is not fit and proper may be refused a licence under clause 26.
Similarly, a cybersecurity service provider’s licence may be revoked or suspended, if the service provider is no longer fit and proper, among other factors under clause 30. In addition, the service provider will be required to keep records on the cybersecurity services it has provided to its clients, including details of the employee providing the service, for not less than three years for accountability and traceability in the event of foul play.
Mr Henry Kwek also asked whether the Government could create a certification system that favours cybersecurity professionals who have a vested interest in Singapore. CSA intends to work with the industry and professional association partners to establish voluntary accreditation and certification regimes for cybersecurity service providers and professionals to raise the quality of cybersecurity services and further improve their standing. For example, in partnership with CSA and the Association of Information Security Professionals (AISP), the Council for Registered Ethical Security Testers (CREST), a non-profit international organisation, established a Singapore chapter to introduce penetration testing certifications and accreditation in Singapore.
Given the nascent nature of our industry, we should remain open and take reference from internationally recognised standards where possible. It would not be in our interest to favour only those professionals who have a vested interest in Singapore. Likewise, we would want our local cybersecurity professionals to be recognised in other markets, based on their professional expertise and experience. The regulatory regime needs to strike a balance between security needs and the development of a vibrant cybersecurity ecosystem. This is the best balance that we can find at this point in time.
MCI and CSA will be engaging the industry in working out the implementation details for licensing, including licensing conditions for licensable cybersecurity service providers. We will also continue to take in feedback from the industry on the licensing regime as the cybersecurity ecosystem evolves.
Several Members, Mr Zaqy Mohamad, Ms Jessica Tan, Mr Henry Kwek, Mr Melvin Yong and Mr Desmond Choo, asked about the Government’s plans to grow and develop the pool of cybersecurity professionals. I would like to assure Members that Singaporeans will continue to be an important part of our cybersecurity workforce. The Government is collaborating with the industry to grow the cybersecurity workforce in Singapore. For example, under the Cyber Security Associates and Technologists (CSAT) programme, CSA and the Infocomm Media Development Authority (IMDA) partner the industry and Institutes of Higher Learning (IHLs) to attract new graduates and convert existing professionals from related fields to a career in cybersecurity.
Under CSA’s Cybersecurity Professional Scheme (CSPS), officers will be recruited and trained in areas, such as cyber forensics and vulnerability assessment, before being deployed to public agencies overseeing CII sectors to assist companies in these sectors with their cybersecurity capabilities.
Assoc Prof Daniel Goh asked about the potential to build greater synergy in civilian and military cybersecurity capabilities. Today, CSA already works closely with MINDEF on cybersecurity matters. For example, CSA can call on MINDEF for support when responding to cybersecurity incidents, as MINDEF is part of NCIRT. CSA and MINDEF also collaborate in areas, such as the sharing of operational lessons and threat information, technology cooperation and participation in joint exercises, such as Exercise CYBER KNIGHTS 2017.
Last year, MINDEF announced the establishment of a new Cyber Defence vocation. I understand that they are looking into better harnessing the cybersecurity skills of National Servicemen (NSmen) to defend our military networks and contribute to the national cybersecurity effort. CSA and MINDEF will continue to find more ways to cooperate in these areas.
I also agree with Mr Patrick Tay that we need to bring together various partners to assist cybersecurity professionals in areas, such as continual learning and career development. We need to continually upgrade our cybersecurity defences and training as cyberattacks are getting more sophisticated. CSA, through its Academy, is leading efforts to boost the skills of cybersecurity professionals working in the Government and CII sectors, such as energy and healthcare. On this, Sir, I look forward to the Labour Movement’s support.
Ms Sun Xueling asked how the Bill would take into account global developments and evolving standards to tackle cybersecurity threats, while Mr Azmoon Ahmad spoke about the need to regularly review the regulatory framework, given the fast-changing Internet landscape. In formulating this Bill, we studied cybersecurity legislation which other countries have implemented or are considering. Our Bill has taken into consideration these international developments.
During the implementation of the Bill, we will take reference from internationally recognised standards when developing codes of practice and standards of performance for the different sectors. We also recognise that the environment that we operate in may change with changes in the industry and technological trends. Therefore, we will need to keep abreast of international developments, and review and adjust our laws to address new and emerging issues moving forward.
Asst Prof Mahdev Mohan asked what MCI and CSA have done with respect to cybersecurity internationally and regionally. CSA has been an active participant at international forums and discussions to develop international cyber norms, including at the United Nations. Bilaterally, we have signed Memorandums of Understanding (MOUs) with countries, such as the US, the UK, France and Australia, on cybersecurity cooperation and capability development. Regionally, we have launched the Association of Southeast Asian Nations (ASEAN) Cyber Capacity Building Programme with ASEAN member states and Dialogue Partners to build cybersecurity capacity in the region. We will continue to pursue efforts on this front.
Several Members, Mr Patrick Tay, Mr Saktiandi Supaat, Mr Louis Ng, Ms Joan Pereira, Mr Melvin Yong and Mr Darryl David, asked whether there are plans to assist businesses, including our SMEs, and to educate the public on how to prevent and respond to cybersecurity threats and incidents. Through the Cyber Security Awareness Alliance, CSA works closely with representatives from public and private sector organisations and industry associations to reach out to businesses, including SMEs, and to promote awareness and adoption of cybersecurity practices. This is done through organising cybersecurity talks and conferences and developing online cybersecurity resources, which are available on CSA’s GoSafeOnline website. CSA also publishes an annual Singapore Cyber Landscape report for public awareness.
In addition, SMEs can also tap on IMDA’s SMEs Go Digital programme to adopt cybersecurity solutions and seek technical advice on cybersecurity and other digital concerns from IMDA’s SME Digital Tech Hub.
Besides these initiatives, businesses and members of the public can also sign up for SingCERT’s advisories and alerts on cybersecurity threats and incidents. For example, when D-Link routers were found to have security vulnerabilities in September last year, SingCERT and the Info-communications Singapore Computer Emergency Response Team (ISG-CERT) under IMDA issued a joint advisory which contained information on the affected products and the steps that affected consumers should take.
CSA also collaborated with the Personal Data Protection Commission (PDPC) to develop a series of Student Activity Books to raise awareness on the importance of Cybersecurity and Personal Data Protection among our students. The Silver Infocomm Junctions, an initiative by IMDA, provides seniors with infocomm training, which includes cybersecurity. We will continue to work with partners in our efforts to raise cybersecurity awareness among the public.
Mr Zaqy Mohamad asked whether the Government could consider cybersecurity as another pillar of Total Defence. CSA has been working with MINDEF to incorporate cybersecurity messages in each of the existing five pillars of Total Defence. On this, I agree with Ms Jessica Tan that people are the weakest link, but also our strongest asset. If we each do our part to use our computer systems and devices responsibly, collectively, we can help to protect Singapore’s cyberspace.
Sir, many of the issues raised by the Members are among those that we have considered in developing a Cybersecurity Bill that takes into account the interests of the different stakeholders and Singapore’s needs. The Members also raised questions that do not relate directly to the Bill, but rather to the larger cybersecurity ecosystem that we are developing. I understand their concerns and agree that these are important issues to address.
My Ministry will continue to work with stakeholders from the public and private sectors to ensure that our laws remain robust and relevant and, beyond this Bill, to raise the level of cybersecurity awareness and develop the cybersecurity ecosystem in Singapore. As Mr Ganesh Rajaram mentioned, cybersecurity is not just the Government’s responsibility. Everyone needs to play a role, including Members in this Chamber.
Members of the House will agree that this is an important piece of legislation to protect our CII and safeguard our essential services from disruption by cyberattacks. I hope that we can support the Bill.
Sir, lastly, I would like to take this opportunity to thank my colleagues from MCI and CSA for working on this landmark Bill. In particular, I would like to make special mention of Mr Chng Ho Kiat, Director of the Cybersecurity and Resilience Division in MCI, who passed away less than two weeks ago. In his time at MCI, Ho Kiat made significant contributions towards the strengthening of cybersecurity in Singapore. He played a pivotal role in developing the national cybersecurity strategy and this Bill. Thank you.
Question put, and agreed to.
Bill accordingly read a Second time and committed to a Committee of the whole House.
The House immediately resolved itself into a Committee on the Bill. – [Assoc Prof Dr Yaacob Ibrahim.]
Bill considered in Committee; reported without amendment; read a Third time and passed.