Singapore lawmakers updated the country's cybersecurity regulations on May 7, strengthening the powers of government agencies responsible for enforcing the rules and adopting definitions of computer systems, including cloud infrastructure, and critical information infrastructure. (CII) operators are required to report any cybersecurity incidents to the government. government.
The proposed changes to the Cybersecurity Act take into account the impact of running critical infrastructure management systems on cloud infrastructure, the use of third-party providers by critical infrastructure operators, and the increasingly dangerous cyber threat landscape. Indeed, so many critical information infrastructure operators have outsourced some of their operations to third parties and cloud providers that new rules are needed to hold these service providers accountable. said Janil Puthuchary, Senior Minister of Communications and Information Singapore. , said in a speech In front of the country's parliament.
“While the 2018 Act was enacted to regulate CII, which is a physical system, new technologies and business models have emerged since then,” he said. “Therefore, laws need to be updated to better regulate CIIs so that they remain secure and resilient to cyber threats, no matter what technology or business model they operate on. there is.”
Singapore's cybersecurity law changes are the latest update to rules among Asia-Pacific countries. Early April, Malaysian parliament passes its own cybersecurity bill, which aims to establish a strong cybersecurity framework in the country, including requiring licensing for some companies and consultants.In the same month, Japan, the Philippines, and the United States Develop information sharing arrangements between the three parties The aim is to blunt attacks on the country from China, North Korea and other rival countries.
of Cyber Security Agency (CSA) Donnie Chong, product director at denial-of-service defense firm Nexus Guard, said the additional regulations had wide support in Singapore after extensive outreach to critical infrastructure providers, the public, businesses and legal experts.
“The rise in cyber threats is worrying many people, and regional and global incidents have highlighted the vulnerabilities of our digital infrastructure,” he says. “More and more businesses are realizing that cyber-attacks can have a significant impact on critical services and national security, increasing the urgency for stronger regulation.”
Cyber security that responds to changing times
The original Cybersecurity Act was aimed at strengthening protections around CIIs, empowering the Singapore CSA to manage the country's cybersecurity prevention and response program, and creating a licensing framework to regulate cybersecurity service providers. was founded.
But authorities quickly recognized that stronger powers were needed to protect the nation's infrastructure, and that cloud computing and cloud services were changing the regulatory landscape over time. For example, the CSA could not regulate critical infrastructure providers or CII service providers that were based entirely overseas.
“When this law was first written, the standard was for CI to be a physical system kept on-premises and fully owned or managed by the CI owner,” Puthuchary said. “However, the advent of cloud services has called this model into question.”
Mr Lim Chong said the proposed amendments would allow enterprises and infrastructure operators to provide provider-owned CII, non-provider CII, underlying digital infrastructure (FDI) services, entities with special interest in cybersecurity, temporary There are five categories of system owners who have cybersecurity concerns. Mr. Kin is Managing Director and Co-Head of the Data Protection, Privacy and Cybersecurity Group at Singapore-based law firm Drew & Napier.
of Requirements for such organizations include auditing, risk assessment, reporting of cybersecurity incidents, and required contract language for third parties, Lim said. CSA will work to “operationalize new incident reporting requirements,” he said, as individual companies may have difficulty setting requirements with large multinational cloud providers.
“With increased regulatory obligations, it is likely that some increase in compliance costs will be inevitable for businesses,” Lim said. “The exact scope of the impact on affected organizations will become clearer as the new reporting requirements become operational.”
Geopolitics and AI pose major challenges
Because Singapore is highly dependent on global trade and maintains an open digital economy, the country continues to be a popular target among threat actors, with both nation-states and cybercrime groups targeting Singapore-based organizations. and targets individuals.According to the country's Cybersecurity Health Report released earlier this year, more than 80% of those surveyed Singapore organization hit by cyber incident Almost all victims (99%) had their business impacted in the past year.
Uncertainty remains in the future as artificial intelligence and quantum computing are both disruptive technologies that appear to be changing the threat landscape, Lim said. For these reasons, he says the latest regulations are just the beginning of the road to improved cybersecurity.
“While regulation remains important, effectively protecting Singapore's cyberspace also requires developing a cyberliterate population and ensuring buy-in from all stakeholder groups within society. “It's going to be essential on a broader level,” he says.
The country is already one of the most cyberliterate in the world. More than 90% of Singapore residents communicate online, with technology adoption rising from 74% in 2018 to 94% in 2022, according to Singapore's Puthuchary.
“The business model may be changing, but the basic principles remain the same,” he told parliament. “Providers of critical services must continue to take responsibility for the cybersecurity and cyber resilience of the computer systems they rely on to deliver the critical services they provide.”
