Cybercrime and cybersecurity have increasingly become a concern to both the public and government. The number and severity of incidents have increased tremendously, and it almost seems that, on a weekly basis, there are reported incidents of cybercrime and cybersecurity breaches. These incidents have come from many different angles: criminals exploiting computer systems for financial gain, leaks of personal and sensitive data to be used for nefarious purposes, and sometimes even attacks carried out for political objectives. The total bill of damages arising from these incidents continues to rise, and the situation is further complicated by the presence of entities like WikiLeaks and Anonymous that leak and expose cyber breaches by governmental actors.
In Singapore, we are not spared from these developments. We have had a number of cases involving data breaches and, now, hacking and tampering of government servers. All these have led to calls for further regulation and the building up of resources to counter these threats in the future. It is therefore worthwhile to review the cybercrime and cybersecurity scene in Singapore and to prepare for the upcoming changes.
Singapore's cybercrime and cybersecurity laws are currently encompassed largely in a single piece of legislation called the Computer Misuse and Cybersecurity Act ("CMCA"). The CMCA is unique in that, in its short history, it has become one of the most frequently amended pieces of legislation. When the CMCA was first enacted in 1993, it was enacted as the Computer Misuse Act. At that time, the key worries were hacking of computers and unauthorised use of and access to computers. In 1998, amendments were made to the Act to cover unauthorised modification and interception and to introduce the concept of protected computers. Early offenders under the Act were typically youthful persons working alone, or members or employees of organisations whose computers were misused. Most of the offences were carried out for relatively small commercial benefit. In 2013, the Act acquired its current name to take into account the cybersecurity aspect. The concept of national security, and the powers given to the Minister to order certain acts to be taken to protect computer services in the name of national security, resulted in Section 15A of the current CMCA. In April 2017, further changes were made to the CMCA to provide for offences dealing with personal information obtained via cybercrime and to further extend extraterritorial reach over the offences if the acts committed against overseas computers result in significant serious harm in Singapore.
At this stage, it is clear that the current emphasis of the CMCA is on the cybercrime elements. However, it must not be forgotten that the Singapore government has also indicated that, by the end of 2017, a new cybersecurity act will be passed. It is therefore reasonable to assume that the CMCA will continue to focus on cybercrime while the new cybersecurity act will focus on cybersecurity.
Possible coverage for the new Cybersecurity Act
Judging from developments in the cybersecurity world as well as comments made by various members of the government, we can speculate that the new Cybersecurity Act will cover a few areas. First, it will relook at the areas in which information assets will be considered critical. This will clearly include communications systems, the banking system, the transportation system and the energy grid. In addition, we would expect that healthcare and government systems, including those of the elections department, will be designated as important information assets. The result of these classifications is that the owners or operators of these assets will be required to take measures to harden the security of these assets, conduct regular audits and testing of these assets, and notify regulators of a breach of the security of these assets. The question that then follows is whether a service provider to these areas will also have to comply with the regulations affecting the particular asset. So, for instance, will a software provider who provides outsourced services to a bank be made, by law or contract, to comply with these new regulations?
Another area that will be considered is whether there will be a general duty, or at least an incentive, for parties affected by cybersecurity incidents to report them. At the moment, either due to ignorance or fear, a lot of cybersecurity incidents go unreported. This has resulted in further damage being caused, as well as an accumulation of public distrust of asset operators when they fail to report these breaches in a timely manner. The issues that follow from such a reporting requirement will then be whether this information will be redacted or sanitised by a central information-controlling entity, and whether technology and data analytics may be used to analyse the information for observable trends and patterns.
A third possible area under cybersecurity legislation would be the creation of standards and codes. For an emerging area like cybersecurity, standards and codes are useful for establishing a baseline where the service provider industry is not mature, with few providers having significant track records and customers not knowing which service providers to choose. Standards could therefore be useful in helping the public choose the correct service providers for their cybersecurity needs. Codes would also be useful when it comes to parties taking part in white hat type activities, meaning hacking into a computer system for the purpose of determining lapses and loopholes. The issue around this is whether society is prepared to accept that there are hackers out there who use their skills not for exploitation or personal reward but to point out flaws in products so that the asset owners may take corrective action.
It is clear that cybersecurity legislation is groundbreaking, and it would be unrealistic to expect the legislation to be perfect the first time around. As experience with the CMCA has shown, such legislation will be continuously updated and improved as we go along in order to achieve its goal of ensuring a secure environment for our citizens and corporations.