The Singaporean parliament approved an amendment to the Cybersecurity Law on Tuesday that aimed at fortifying the defenses of the nation’s evolving critical infrastructure and adapting to technological advancements.
The amendments to the Cybersecurity Law mandate that owners of critical information infrastructure (CII) report a broader spectrum of incidents, encompassing those occurring within their supply chains.
Senior Minister of State for Communications and Information Janil Puthucheary said it was imperative to address the evolving tactics of malicious cyber actors, stressing the need to extend vigilance to peripheral systems and supply chains.
What the Latest Cybersecurity Law Amendment Mean
The new legislation empowers authorities to regulate Systems of Temporary Cybersecurity Concern (STCC), which are systems at high risk of cyberattacks for a limited period, posing a threat to Singapore’s national interests if compromised.
The amendment gives the Cyber Security Agency of Singapore (CSA) authority to oversee Entities of Special Cybersecurity Interest (ESCIs), whose disruption could have significant adverse effects on defense, foreign relations, economy, public health, safety, or order. To prevent inadvertently identifying ESCIs as targets, their specific identities will not be publicly disclosed.
The proposed law will also add new categories of entities whose digital defenses will be audited by the authorities, including autonomous universities, which may hold sensitive data or perform significant functions.
Moreover, CSA can regulate CIIs supporting essential services from overseas if their owners are based in Singapore. Dr. Janil emphasized that the Bill aims to address shifts in the cybersecurity landscape and operational challenges faced by CSA.
The evolving cybersecurity landscape, characterized by increased cloud computing usage and digital technology reliance, necessitates updated laws to safeguard essential services.
“When the Act was first written, it was the norm for CII to be physical systems held on premises and entirely owned or controlled by the CII owner. But the advent of cloud services has challenged this model,” Dr. Janil said.
“As the tactics and techniques of malicious actors evolve to target systems at the periphery or along supply chains, we must also start placing our alarms at those places,” he added.
The proliferation of digital communication and technology adoption underscores the heightened cyber risks faced by individuals and organizations. Against this backdrop, updating the cybersecurity law is imperative to ensure Singapore’s digital resilience and stay ahead of emerging threats.
While Members of Parliament voiced concerns about compliance costs and regulatory clarity, Dr. Janil clarified that the Bill targets cybersecurity of critical national systems, rather than imposing broad obligations on the business community.
The new law will regulate only the cybersecurity of systems infrastructure and services that are important at a national level because their disruption or compromise could affect Singapore’s survival, security, safety or other national interest, according to Dr. Janil.
“This is a known and finite set of systems and entities. Our approach is a targeted and calibrated one, precisely because we recognise that regulation will involve compliance costs,” Dr Janil said.
“Some compliance costs cannot be avoided where regulation is concerned. It’s something we are mindful of. We do not seek to regulate without good reason.”
CSA will provide support to regulated entities, engaging with them before designating systems or entities and offering guidance on compliance measures.
Appeals processes are in place for designated entities, ensuring transparency and accountability in regulatory decisions. Dr. Janil underscored the significance of decisions to designate entities, emphasizing their potential impact on national security and interests.
The government remains committed to a calibrated approach, balancing regulatory requirements with the need to minimize compliance costs and support affected entities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.