Cybersecurity Bill—Speech by Daniel Goh


Daniel Goh
Delivered in Parliament on 5 February 2018


(Delivered in Parliament on 5 February 2018)

Mr Speaker Sir, this is an important bill that sets up the regulatory framework to protect Singapore from the increasing threat of cyberattacks. The extensive commentary and feedback received during public consultation for the bill shows that the public recognize the importance of cybersecurity. In the responses to the feedback, we can also see the Government trying to balance the compliance burden on business with the necessary measures to protect the economy from cyberattacks.

Singapore’s cybersecurity strategy is a correct approach taken for a global city that depends on openness and connectedness to the world for its proper functioning. This approach can be described as a Whole of Government approach that places Public-Private collaboration at the heart of the strategy with a strong future-oriented plan for capacity development and for value addition to the economy. This bill is an integral part of the strategy and expresses the strategy’s approach.

I have three sets of clarifications for the Minister: the first set is more general and has to do with the strategy and its implementation, the second with the scope of the bill, and the third with specific provisions of the bill.

A bigger role for MINDEF in Singapore’s Cybersecurity Strategy?

The paper setting out Singapore’s Cybersecurity Strategy was published more than a year ago in October 2016. The Strategy has four pillars: building a resilient infrastructure, creating a safer cyberspace, developing a vibrant cybersecurity ecosystem and strengthening international partnerships. I was rather surprised that there is very little mention of the Ministry of Defence in the paper. It was mentioned once in the paper, when it was noted that MINDEF formed part of the National Cyber Incident Response Teams with the Cyber Security Agency, GovTech and MHA. These teams are part of the plan to respond to Tier 1 cyber campaigns threatening national security and Tier 2 cyberattacks on a sector.

MINDEF is a 4G military force reliant on secure communications and information networks. It should already have well developed cybersecurity infrastructure and capabilities. It would be a terrible waste if the military applications are not adapted for civilian uses. Could the Minister share whether there are plans to synergize and share military cybersecurity knowledge and technology to develop and deepen our civilian cybersecurity infrastructure? After all, as it is stated in the strategy paper, cybersecurity is a way of putting Total Defence into action and everyone has a role in creating a safer cyberspace for everyone, and this must include the military.

There are two other specific ways that the military could play a key role to realise our cybersecurity strategy objectives. These are already observed in public commentary on the Strategy and many have pointed to the Israeli military as a successful example. First, our military has a peculiar asset: the commitment of tens of thousands of full-time and operationally ready national servicemen. This represents a potentially significant investment of time, not only of manpower, but of brainpower, by our highly educated workforce. The time invested could be harnessed to serve both military and civilian cybersecurity needs. A cybersecurity corps could be formed to train budding IT professionals when they are serving full-time national service. Deferment could also be considered for these young men to obtain degrees in cybersecurity first, so that they would hone their classroom skills in the military. They could then enter the cybersecurity industry when they become operationally ready and return to the military with enhanced knowledge and skills during their NSmen call-ups. This is a win-win method to developing a vibrant cybersecurity system for Singapore.

Second, our unique military institution could also be used to foster startups to develop Singapore’s cybersecurity industry. Israel is already ahead of everyone in this game and there are an estimated 420 cybersecurity companies in Israel today, many of which are at the forefront of innovation and exporting their technology. It is now well known that the Israel Defence Force acted as the incubator for the start-ups. We have similar institutional features here, so there is no reason why the SAF cannot also serve as such an incubator. It would be a win for the military and a win for our entrepreneurship sector and economy too.

Why are Higher Education and Research Institutions not covered?

I move on now to the second set of clarifications on the scope of the Cybersecurity Bill. The Bill defines “critical information infrastructure” in Section 7 as the computer system “necessary for the continuous delivery of an essential service”, and the compromise of which would lead to a serious effect on the availability of the essential service. “Essential service” is defined in Section 2 as “any service essential to national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule.” I am surprised that higher education and research institutions are not listed as an essential service in the First Schedule and would like the Minister to clarify why this is so.

There are three reasons why I am surprised. First, it was reported that the National University of Singapore (NUS) and Nanyang Technological University (NTU) both suffered separate cyberattacks in April last year. It appeared to be the work not of casual hackers but of carefully planned, sophisticated cyberattacks that might be aimed at stealing information related to government and research. This is an extreme cyberattack scenario which this Bill is aimed at defending against. If our top public universities are being targeted by organized hackers, who could not be named by the CSA for operational security reasons, and they were going after some precious information, which again the CSA could not reveal for security reasons, then there must be critical information residing in our universities and research institutions.

Second, of course, a sophisticated, targeted cyberattack on our universities does not mean that the service provided by the universities is essential as defined in the Bill. I am however inclined to argue that there is a lot of research that is going on in our universities and other associated research institutions that has to do with the continuous delivery of essential services. The theft of information related to these research projects could lead to cyberattacks or other forms of attack that could seriously affect the availability of essential services. I would like to ask the Government therefore to review whether the computer networks for research related to essential services, especially government-linked research projects, should also be considered as Critical Information Infrastructure.

Third, our universities are central to cybersecurity innovation and training. In the paper outlining Singapore’s Cybersecurity Strategy, four of our six autonomous universities are named as playing key roles in fostering cutting-edge research and development and talent development. It is envisioned that each of the six universities would become a “cybersecurity centre of excellence” developing its own area of specialization. The training of our cybersecurity workforce is also entrusted to the universities. The Singapore Institute of Technology (SIT) and the Singapore University of Technology and Design (SUTD) offer bachelor and master programmes in cybersecurity. What this means is that there is a lot of meta-information on cybersecurity residing in our universities. The theft of this meta-information could compromise the general resilience of our cybersecurity infrastructure or that of specific CIIs.

Reporting of cybersecurity incidents

I move on finally to the third and last set of clarifications that have to do with the duty to report cybersecurity incidents as specified in Section 14. I have two points of clarification for this: the first is specific to Section 14, and the second has to do with cybersecurity incident reporting in general. First, Section 14(1)(b) specifies that the owner of a CII must notify the Commissioner of a cybersecurity incident in any computer or computer system under the owner’s control that is interconnected with or that communicates with the CII. This seems onerous and yet limiting.

It is onerous because it enlarges the scope of regulation beyond the CII into a far larger field of secondary computer systems. For the owner of a CII, this would mean the requirement of detection mechanisms in those secondary computer systems. Yet Section 14(2) is not clear whether it is a legal requirement. Would the Minister clarify whether it is a requirement for the owner of a CII to install detection mechanisms in secondary computer systems interconnected with the CII? Would the Minister also clarify whether this reporting requirement is indeed onerous, especially since MCI and CSA’s response to feedback during the consultation on the draft Bill stated that “computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs”, implying that the regulation would be more narrowly scoped.

Yet, Section 14(1)(b) is limiting if the intention is to protect the CII from cyberattacks in adjacent interconnected computer systems, as the clause is now worded to limit regulation to only secondary computer systems under the owner’s control. I would like to ask the Minister to clarify what does owner’s control mean in real operational terms? What if the secondary computer system interconnected to the CII is not under the control of the CII owner, does it mean that such a computer system would not pose a risk to the CII? If a secondary computer system not under the control of CII would still pose a risk to the CII, then why limit reporting to secondary computer systems under the CII owner’s control? If the risk is the same regardless, then why not remove the need to report cybersecurity incidents in secondary computer systems altogether?

My final point has to do with reporting of cybersecurity incidents beyond the CIIs. Threat reports issued by cybersecurity firms often point to the problem of underreporting, as many companies and organizations often choose not to report or to reveal the full extent of cyberattacks and data thefts. This is understandable, as sensational news reports of major data breaches would undermine trust in these organizations and affect the bottom-line of businesses. At the same time, it is not viable for these organizations to hide such incidents from view, as it would erode the general resilience of cybersecurity infrastructure in the long run. After all, large-scale organized cyberattacks would likely begin with trial runs of mini-attacks on non-critical computer systems. The only way forward might be to legislate mandatory reporting of all cybersecurity incidents to the Cyber Security Agency with the assurance of confidentiality and indemnity.

Mr Speaker Sir, the Cybersecurity Bill is a significant step forward in putting Singapore’s Cybersecurity Strategy into action. I support the Bill. It is an expression of our Total Defence culture. As such, I believe there is a greater role to be played by MINDEF to develop our cybersecurity capabilities and enhance our cybersecurity enterprises. I also believe that the Government should look more closely at our Institutions of Higher Learning as they have already come under a severe cyberattack and their computer systems contain crucial information related to our essential services and meta-information related to our cybersecurity infrastructure. Finally, I believe that we need to get the reporting of cybersecurity incidents right and there are kinks in this area in this Bill that the Minister could do well to straighten out.

Thank you.
