Regulating Big Tech Companies to Ensure Adherence to Service Standards in Light of Data Centre Outage on 14 October 2023
Ministry of Home AffairsSpeakers
Summary
This question concerns Mr Saktiandi Supaat's inquiry into regulating big technology companies and minimizing data center concentration risks following the October 2023 service outages. Minister Mrs Josephine Teo stated that while Critical Information Infrastructure is already regulated, the Government is studying new risk-calibrated regulations for data centers. She noted that most operators currently follow international standards, but the growing reliance on digital infrastructure necessitates further interventions. Minister Mrs Josephine Teo emphasized that regulation alone cannot eliminate outages, and businesses must also proactively mitigate risks to ensure service continuity. The Ministry aims to strengthen digital infrastructure resilience to safeguard economic activity and maintain consumer confidence across the public and private sectors.
Transcript
89 Mr Saktiandi Supaat asked the Minister for Communications and Information in light of the data centre outage on 14 October 2023 affecting banks, telcos and social media platforms (a) whether there are plans to regulate big technology companies to ensure adherence to service standards, given that such outages affect many people and may have a real economic impact; and (b) what are the Ministry’s efforts for Singapore’s overall national security to minimise a concentration of risks from the usage of a few data centres by the public and private sectors.
Mrs Josephine Teo: The specifics of the recent outage affecting banking services have been, or will be, addressed in response to related Parliamentary Questions. I will focus on the broader digital infrastructure landscape and the Government’s approach to enhancing its security and resilience.
Where a data centre supports the delivery of essential services or other nationally important systems, we have regulation in place to ensure its security and resilience. For example, the Cyber Security Agency identifies and regulates Critical Information Infrastructure (CII), which can include computer systems situated in a data centre, that are necessary for the provision of essential services in sectors, such as the Government, infocomm, and banking and finance. In addition, sector regulators impose requirements on the service providers in their sectors. Major telcos and banks, for instance, are regulated by the Infocomm Media Development Authority and Monetary Authority of Singapore respectively, for security and resilience. Exercises and audits are conducted to identify potential vulnerabilities and ensure the robustness of service providers’ security and resilience measures.
With more of our economic activity moving online and the growing interconnectedness of our systems, the Government recognises the need to further study our reliance on different components of digital infrastructure, the risks and impact of disruptions, and the need for more interventions. For example, data centres may not all host CII systems but collectively provide foundational services for the proper functioning of our economy. Today, most data centre operators already adopt a risk management approach in line with international standards, including the implementation of measures to ensure resilience. The Government is studying whether and how best to strengthen the security and resilience of data centres as a category of digital infrastructure with significant impact. This may include risk-calibrated regulation for data centres, taking reference from international standards and best practices.
However, we must recognise that regulation alone will not fully eliminate the possibility of outages and disruptions. Industries and enterprises must also play their part. To ensure consumer confidence, entities, such as banks, telcos and digital service providers should take steps to mitigate risks and ensure the continued delivery of important digital services even when outages or disruptions occur.