Madam Speaker, I beg to move, ‘That the Bill be now read a second time’.
2. Madam, we last amended the Computer Misuse Act in 2003 to strengthen Singapore’s defence against cyber attacks. Over the past decade, we have witnessed tremendous technological change. Cyberspace has become an integral part of our daily lives, and is used extensively for the delivery of a wide range of public and private sector services. At the same time, our increasing dependence on cyberspace has brought about new risks and vulnerabilities. Hence, it is timely to review our legislative framework to ensure that it remains relevant and effective in protecting our economy and society against cyber threats.
Fast Growing Cyber Threats
3. In recent years, the number of cyber attacks across the world has risen sharply. Criminals, terrorists and state-sponsored groups have been exploiting cyberspace to their advantage. In 2010, McAfee uncovered an average of 55,000 new malicious software (or malware) threats every day. This figure is now 100,000 – double what it was just two years ago. A 2012 report by the World Economic Forum ranked cyber attacks among the top five global risks.
4. Critical information infrastructure (or CII) refers to systems which are necessary for the delivery of essential services to the public in various key sectors. These sectors include energy, water, finance and banking, government, healthcare, infocomm, security and emergency services, and transportation. Cyber attacks often occur with little warning and have tremendous potential for contagion. They can disrupt daily lives and threaten our nation’s security, economy, public health and safety. They can bring a country to a complete standstill. It is precisely because of this that CII are prime targets of cyber attacks.
5. Cyber attacks on CII pose a real and present danger to all countries. Widespread damage can easily result from a single piece of malicious software or the exploitation of one point of weakness. In 2007, Estonia encountered a series of cyber attacks which lasted three weeks and resulted in widespread damage to society and the economy. It crippled the country’s government and banking services for many days, while users were unable to access the Internet across a wide range of functions. In the US, the reported number of such attacks has increased 20-fold within the last two years. According to a McAfee report in 2011, nearly two-thirds of critical infrastructure companies worldwide reported regular findings of malware designed to sabotage their systems. It is estimated that 24 hours of down time from a major cyber attack would cost a critical infrastructure enterprise on average more than US$6 million.
6. The technology and sophistication of saboteurs are also rapidly evolving. In July 2010, Stuxnet, a sophisticated form of malware, was discovered – reportedly responsible for infecting 45,000 industrial control systems worldwide. Many of these systems were integral to a country’s critical infrastructure such as energy, water and communication networks. Two years on, Stuxnet has been joined by other equally if not more sophisticated malware. One of them, known as Flame, has been described by some experts as being 20 times more powerful than any known cyberwarfare programme, including Stuxnet. We can expect the potential for damage to be far more severe. To prevent a successful attack, we need a nimble and comprehensive response that can guard against a broad spectrum of attacks and threats.
7. Singapore is not immune to cyber threats. We are a highly inter-connected nation. As of 2011, 85% of Singapore households had access to broadband at home, while 81% of businesses used the Internet. With cyberspace being essential to many aspects of our lives, we are vulnerable in many ways to any breaches. In fact, we too have been the target of cyber attacks in recent years. For example, in the lead-up to the APEC 2009 meetings held in Singapore, there were at least seven waves of malicious email attacks which targeted members of the APEC Organising Committee and APEC delegates from various countries. While these attacks did not target our CII, they are indicative of the potential for future attacks against other Singapore targets.
Review of Section 15A of the Computer Misuse Act
8. The cyber threats that we face today are sophisticated and malicious. Our legislative framework must keep pace with the nature of this evolving cyber threat. Section 15A of the Computer Misuse Act was introduced in 2003. It empowers the Minister for Home Affairs to authorise measures to prevent or counter cyber threats to our CII in the event of an outright cyber attack or where there is specific intelligence received of an imminent attack. These powers are no longer adequate, given the operating environment that I have described.
9. To make our CII more robust and resilient against cyber threats, my Ministry has reviewed Section 15A of the CMA. The review was undertaken in consultation with CII operators and regulators. It also took into account legislative enhancements which other countries such as the United States, Israel, Estonia, South Korea and Australia have implemented or are considering.
10. The amendments to Section 15A will strengthen the cybersecurity of our CII by enabling the Government to take more effective and timely measures to prevent, detect and counter cyber attacks that may threaten national security, essential services, defence or the foreign relations of Singapore. This approach is no different to how we deal with national security threats in the physical realm. For example, if there is credible intelligence of a potential terrorist threat to our aviation sector, we would immediately take pre-emptive steps to enhance security measures at our airport and carriers in response to the threat. Similarly, in cyberspace, we must take proactive and upstream action against a threat before it materialises to cause any harm. The proposed amendments will strengthen our ability to do so. They will enhance our ability to act against cyber threats, with safeguards to ensure that the enhanced powers are exercised appropriately.
11. Madam, let me now elaborate on the key amendments.
Renaming of the Act
12. Clause (2) of the Bill amends the long title of the Bill to reflect the substance of the re-enacted section 15A. Clause (3) of the Bill amends the short title of the Act to “Computer Misuse and Cybersecurity Act”. These amendments will more accurately reflect the scope of the Act, including its objective of securing Singapore against cyber threats that may endanger our national interests.
Cybersecurity Measures and Requirements
13. Clause (4) of the Bill repeals and re-enacts Section 15A to enhance the powers to act against cyber threats and introduce corresponding safeguards.
14. Sub-section (1) of the new Section 15A empowers the Minister to issue a certificate to authorise or direct a person or an entity to take measures or comply with requirements necessary to prevent, detect or counter a threat to the national security, essential services, defence or foreign relations of Singapore.
15. For example, a CII operator may be required to provide information relating to the design, configuration, operation and security of computers, computer programmes or computer services. This will help identify and address cyber threats and system vulnerabilities. A CII operator may also be required to report cybersecurity breaches to the Minister or an authorised public officer. This will provide situational awareness of cyber threats at the national level and help assessments on the need for further security measures. Before a certificate is issued by the Minister, CII stakeholders will be consulted on the implications, where practicable. The measures required under the certificate will be limited to what is necessary to safeguard national security, defence, foreign relations, or essential services.
16. I want to emphasise that it is also in the interests of a CII stakeholder to proactively invest in preventive cybersecurity measures. This is because a successful cyber attack could lead to significant financial loss and reputational damage for the CII stakeholder. Hence, as domain owners responsible for the security of their assets, CII stakeholders will generally be expected to bear the cost of these measures.
17. Given the severity of the threat that cyber attacks can pose to the nation, the new sub-section (4) makes it an offence if a person fails to take any measure, or comply with the directions of the Minister, under Section 15A of the Act. Similarly, non-compliance with the directions of a person who is acting pursuant to the certificate issued by the Minister under Section 15A will also be an offence. It will also be an offence to obstruct a person from complying with the Minister’s directions to him. These offences will be punishable with a fine not exceeding $50,000 or imprisonment for a term not exceeding 10 years or both.
Immunity from Civil & Criminal Liability
18. New sub-sections (6) and (7) confer various immunities for acts done in good faith pursuant to the Minister’s certificate under Section 15A of the Act, including any direction given pursuant to such a certificate. This is necessary to ensure that those who are acting pursuant to the certificate or direction can perform their functions without being constrained for fear of civil or criminal liabilities.
19. For example, if a malware is detected to be targeting a particular make and model of equipment used by our CII operators, the Minister may issue a certificate to the CII operators to direct that certain cybersecurity measures be taken. In the course of implementing these measures in good faith, if there is service degradation or disruption that results in the failure of the CII operators to meet their contractual Service Level Agreements with their customers, the CII operators can claim immunity in any legal proceedings against them by their customers.
Safeguards to Protect Information Obtained
20. Information that the Minister may direct CII operators to provide to aid in the prevention, detection, and countering of cyber threats will generally be technical in nature. For example, network design architecture, firewall rules, and software algorithms may be required to help with the early detection of an attempted cyber attack or an ongoing cyber attack.
21. A new sub-section (8) introduces safeguards to restrict the use and disclosure of information obtained under the Minister’s certificate. The information obtained is to be used or disclosed only for the purpose of preventing, detecting or countering the cyber threat. Otherwise, the written permission of the party from whom the information was obtained would be required before it can be used or disclosed. Information can also be divulged to a law enforcement authority if it reveals an offence. In addition, disclosure or use will be permissible if there is a need to comply with a requirement of a court or a written law. Contravention of the safeguards prescribed at sub-section (8) will be punishable with a fine not exceeding $10,000 or imprisonment for a term not exceeding 12 months or both.
Expand Definition of “Essential Services”
22. Lastly, the new sub-section (12) expands the definition of “essential services”. Currently, it covers services directly related to communications infrastructure, banking and finance, public utilities, public transportation, or public key infrastructure, as well as emergency services like police, civil defence and medical services. For the purpose of this Act, the scope of “essential services” will be expanded to include services directly related to land transport infrastructure, aviation, shipping, and health services.
23. Madam Speaker, our cybersecurity capabilities must continue to adapt, grow and remain relevant in this fast changing cyber threat landscape. This requires the close collaboration amongst the stakeholders. The proposed legislative amendments will provide the Government with greater ability to work with our stakeholders to take timely actions against cyber threats to our CII. These enhanced powers come with important safeguards to ensure that they are used in an effective and responsible manner to protect our national interests. Madam Speaker, I beg to move.