Introduction: Cybersecurity and cybercrime landscape
1. Madam, in recent years, cyber-attacks have increased in complexity, frequency, and scale.
2. The Government has taken steps on multiple fronts, to deal with such threats. The Cyber Security Agency of Singapore, CSA, was formed in 2015 as the central agency to oversee and coordinate Singapore's cybersecurity strategy. CSA nurtures ties with the industry, and raises cybersecurity awareness through public outreach programmes. It is responsible for developing a robust cybersecurity industry and ecosystem. CSA also seeks to strengthen cybersecurity in critical sectors, such as energy and banking, and ensure effective coordination and deployment, in responding to cyber threats. MINDEF will be setting up the Defence Cyber Organisation, which will take charge of developing the military's cyber defence capabilities. While MHA launched the National Cybercrime Action Plan last year, which sets out the Government's key priorities and strategies to combat cybercrime.
3. The Plan focuses on four areas:
- First, educating and empowering the public to stay safe in cyberspace through public outreach programmes;
- Second, enhancing the Government's capacity and capability to combat cybercrime. One key initiative was the establishment of the Police Cybercrime Command in 2015. The command integrates Police's cyber-related investigations, forensics, intelligence and crime prevention capabilities.
- The third priority area is stepping up close partnerships with the industry as well as Institutes of Higher Learning (IHLs), as well as international engagement with foreign counterparts.
- The fourth area is strengthening legislation and the criminal justice framework. This Bill will help ensure that our legislation remains effective in dealing with the transnational nature of cybercrime, and the evolving tactics of cybercriminals.
4. Madam, in Singapore, "cybercrime" typically refers to two categories of offences.
5. The first category involves traditional, real-world crimes that are perpetrated using a computer. Offences in this category, for example e-commerce scams, are covered by criminal laws, such as the Penal Code.
6. The second category involves criminal acts that target computer systems. Offences in this category are covered by the Computer Misuse and Cybersecurity Act which this bill seeks to amend. These include criminal acts like the unauthorised access of computer material. And would commonly refer to these as acts of "hacking".
7. This Bill will enable the Police to be more effective in dealing with this second category of cybercrime. Whereas, for the first category of cybercrime, Police will continue their current efforts, including public education and working with international counterparts. MHA is also reviewing whether changes to other laws are required to tackle the evolving nature of how criminals are using the internet to commit crimes.
Fast-Changing Nature of Cybercrime
8. Madam, we have seen an increase in the number of cybercrime cases in recent years. In 2016, the Police investigated 691 cases under the Computer Misuse and Cybersecurity Act (CMCA). This was more than double the 280 cases in 2015.
9. Apart from the increase in volume, cybercrime cases have also increased in complexity. Cybercriminals use a variety of tactics and tools, to carry out elaborate attacks. For example, the Police investigated nearly 300 cases last year, where the perpetrators hacked into victims' bank accounts. The criminals developed a fake banking App, with accompanying fake banking websites. This tricked victims into keying in their personal details and login credentials, which were then stolen by these criminals.
10. The growth of cybercrime is a global phenomenon, facilitated by technological advances and the ubiquity of the Internet and smart mobile devices.
11. Internet of Things (IoT) devices have also been attacked. Last October, an estimated 100,000 IoT devices were compromised and used to trigger a Distributed Denial of Service, or DDoS attack against the servers of Dyn, a company that controls much of the Internet's Domain Name System infrastructure. This disrupted major websites in the US and Europe, including Twitter, Netflix and CNN.
12. Massive breaches of personal information have become commonplace. Yahoo has suffered one of the worst data breaches, with 1.5 billion user accounts compromised over 2013 and 2014. While in April last year, the Philippines Commission on the Elections database was attacked. Personal information belonging to 55 million voters was hacked. Hacked personal information has been used to facilitate crimes like theft and cheating.
13. On the dark web, hacked credit card information or passwords, as well as hacking tools, can be purchased easily and cheaply. The 2016 Underground Hacker Marketplace Report by Dell SecureWorks reported that stolen Visa or Mastercard details can cost as little as US$7 on the dark web. Hacking tools such as Remote Access Trojans cost less than US$10. Even hacking services are available. Hackers charge a daily rate of around US$30 to US$55 for DDoS attack services.
14. Cybercrime imposes significant costs on individual victims and the society at large. In 2016, victims in Singapore lost about S$10 million through parcel/impersonation scams involving unauthorised accesses to the victims' Internet-banking accounts. The culprits would usually empty the victims' bank accounts. One victim lost almost S$380,000 to the scammers. These financial losses are devastating to the victims because to many of them, these monies are their life savings – intended to finance the education of their children or meant for their retirement.
15. With our high Internet penetration rate, it is even more important that we safeguard ourselves against cybercrime, and enable ourselves to take firm enforcement action against criminals that make use of the anonymity and borderless nature of the Internet to commit cybercrimes.
Key Features of the Bill
16. This Bill therefore seeks to strengthen the operational effectiveness of the Police in dealing with cybercrime.
17. In developing this Bill, we have taken reference from legislation in the United Kingdom and Canada. We have also consulted the cybersecurity industry to ensure that the provisions are practical and appropriately scoped.
18. Let me now take Members through the key provisions of the Bill. Broadly, the key amendments seek to address the evolving tactics of cybercriminals, and the transnational nature of cybercrime.
Address evolving tactics of cybercriminals
19. Clause 3 of the Bill introduces new Sections 8A and 8B, to address the evolving tactics of cybercriminals.
New offence: Dealing in hacked personal information
20. Cybercriminals may deal in personal information, such as NRIC or FIN numbers, credit card numbers and residential addresses, which have been illegally obtained from a computer system. Currently, our laws allow us to deal with the culprit who illegally obtained personal information from a computer system, or the culprit who misused the information to commit crimes such as impersonation and cheating. However, there may be other "middlemen" individuals, who may trade in such personal information, but who are not directly involved in the hacking or cheating offences. For example, criminals may run a website buying and selling hacked credit card information online. These individuals are currently not liable for an offence under the Act.
21. The new Section 8A therefore closes the gap by making it an offence to obtain or deal in such personal information.
22. The new Section 8A criminalises acts done in relation to personal information of individuals, that the perpetrator knows or has reason to believe had been obtained by committing a computer crime. The act of obtaining or retaining such personal information will be an offence; as will be supplying, offering to supply, transmitting or making available the information.
23. It is not the Government's intent to criminalise legitimate cybersecurity industry practices. We understand that cybersecurity professionals may deal with hacked personal information in the course of their work.For instance, they may transmit such information for the purpose of analysing a data breach, or for the purpose of highlighting vulnerabilities in a system.
24. We have therefore introduced exceptions in Section 8A. It is not an offence if the individual obtained or retained the personal information for a legitimate purpose. It is also not an offence if the individual supplied, offered to supply, transmitted or made available the personal information for a legitimate purpose, and they did not know or have reason to believe that the information will be or is likely to be used to commit an offence.
25. Ultimately, we need to strike a balance between protecting the public interest, and ensuring that legitimate practices of the cybersecurity industry can continue. It would not be difficult forbona fide cybersecurity professionals to explain why they have hacked personal information in their possession. It is also not the Police's intention to demand that every cybersecurity professional provide such explanations. Rather, in the course of investigations into a CMCA offence, Police need to have the powers to deal with individuals who are found to have such personal information belonging to others. Fundamentally, care should be exercised when dealing with personal information, especially information that has been hacked and may be subsequently used in the commission of an offence. This applies also to cybersecurity professionals.
New offence: Dealing in hacking tool, with criminal intent
26. Madam, the new Section 8B, criminalises acts in relation to an item that is designed primarily for committing a computer crime, or is capable of being used for such purposes.
27. Such items are commonly known as "hacking tools", and will include physical devices, software, passwords and access codes.
28. The prohibited acts include obtaining or retaining the hacking tool, and making, supplying, or making available the hacking tool.
29. To ensure that the provision does not inadvertently prohibit legitimate access by cybersecurity professionals to such tools, this is an offence only if the act is carried out with the intention of committing or facilitating the commission of a computer crime.
30. Other jurisdictions, like the UK, have similarly made it an offence to make, supply or obtain hacking tools, where there is intent to commit, or assist in committing of a computer offence.
Allow for the amalgamation of charges under the Act
31. Madam. Clause 5 introduces a new Section 11A, which allows the Prosecution to amalgamate as a single charge of one offence, two or more acts that are the same computer offence, and which have been committed over a 12-month or shorter period in relation to the same computer.
32. Cybercriminals may conduct multiple unauthorised acts against a computer over a period of time, in preparation for or as part of an actual attack. This amendment allows for multiple acts of a similar nature to be amalgamated as a single charge. This allows the attack to be appropriately described as a whole, rather than artificially as a series of separate acts. Enhanced penalties may be meted out when the combined acts result in higher aggregate damage.
Address the transnational nature of cybercrime
Expand jurisdiction of CMCA
33. Madam. the second area of amendments addresses the transnational nature of cybercrime.
34. The Internet is borderless, and cybercrimes are often perpetrated across geographical borders.
35. Clause 4 amends Section 11 to give Singapore jurisdiction over computer offences, where the act causes or creates a significant risk of serious harm in Singapore.
36. Currently, offences in the Act apply extraterritorially only if the perpetrator or the computer, program or data was in Singapore at the material time. This prevents enforcement actions from being taken against the person who was overseas at the material time and who had targeted an overseas computer.
37. The amendment will give extraterritorial effect to these offences, if the act resulted in serious harm, or created a significant risk of such harm, in Singapore. Police will be able to initiate investigations against cybercriminals located overseas.
Police will collaborate with their foreign counterparts to provide and share evidence of such cases, with a view to extraditing these offenders to Singapore, where possible, and prosecuting them before Singapore courts.
38. As extending the jurisdiction of the Act extraterritorially is not something that we do lightly, we have scoped the definition of the phrase "serious harm in Singapore" carefully, so as to ensure that Police resources will only be used to investigate cases with significant impact in Singapore. We also ensure that we establish extraterritorial jurisdiction in accordance with international norms and standards.
39. The phrase, "Serious harm in Singapore", has been defined to include, among other things:
- Illness, injury or death of individuals in Singapore;
- Disruption of essential services in Singapore; and
- Disruption of the carrying out of governmental duties and functions.
40. This would include acts such as:
- Unauthorised access of bank account details belonging to customers of a bank in Singapore; and
- Publication of the medical records of patients of a local hospital.
41. Madam, in conclusion, this Bill will allow the Police to handle the increasing scale and complexity of cybercrime, as well as the evolving tactics of cybercriminals.
42. Madam Speaker, I beg to move.