Need for the Bill
1. Indeed, cyberspace presents new opportunities for criminals to operate. Hacking tools are readily available; criminals can misuse these tools to carry out attacks on computer systems. Many criminals commit computer offences to illegally obtain personal information, which can then be used in turn to carry out offences like theft and fraud. Cybercriminals are emboldened by the fact that computer offences can be carried out from overseas.
2. I will use two previous examples of cybercrime cases, to illustrate the need for this Bill.
3. Members may recall the case of hacker James Raj. James Raj, who adopted the pseudonym "The Messiah", was convicted of numerous charges under the Act, for committing a series of hacks in 2013. He was responsible for hacking the server of Fuji Xerox, The Straits Times' blog, as well as the websites of certain government agencies. The statements of 647 private banking clients of Standard Chartered Bank, which had been stored on the hacked Fuji Xerox's server, were found on James Raj's laptop. This was hacked personal information. Various hacking tools were also found on his system.
4. The second example, just last year, is that of a former administrative assistant, James Sim. He was charged for cracking the passwords of about 300 SingPass account holders in 2011, and selling the account holders' personal details to a China-based syndicate involved in sham Singapore visa applications. The syndicate successfully applied for 23 visas, with 20 Chinese nationals entering Singapore using these visas. Three of the Chinese nationals were later found to have committed criminal offences while in Singapore. They were charged, and repatriated. James Sim's actions enabled criminals to breach Singapore's immigration and border protection system.
5. Now these two cases show that the amendments in this Bill are necessary, to deal with the unique law enforcement challenges posed by cybercrime. The amendments to the Act will enable the Police to effectively deal with the evolving tactics of cybercriminals and the transnational nature of cybercrime.
Striking a balance
6. Several members spoke about the new sections 8A and 8B of the Bill.
7. We need to strike a balance between protecting the public interest, and ensuring that the legitimate cybersecurity industry practices can continue because they contribute to the overall atmosphere of cybersecurity in Singapore and elsewhere. We have therefore introduced exceptions in these provisions. These were drafted in consultation with stakeholders from the cybersecurity industry, Telcos and Internet Service Providers. With these exceptions, legitimate practices will not be criminalised.
8. Mr Desmond Choo asked what "personal information" in Section 8A would cover. "Personal information" is defined in the Bill. It includes information about an individual, whether true or not, which is commonly used alone or in combination with other information, to identify the individual. This is a broad definition, and can include addresses, dates of birth and credit card numbers. These information types are sold online, often for criminal gain. Personal photographs may, depending on the circumstances, be considered personal information. Depending on the facts of the case on how the photographs are obtained and used, there may be other Penal Code offences, such as cheating by personation or harassment under the Protection from Harassment Act (POHA). Section 8A will only apply if the personal information in question was obtained through a computer crime.
9. Mr Ang Wei Neng referred to the recent cases of Members of this House having been impersonated via fake Facebook accounts. Hacking an existing Facebook account is already an offence under the CMCA. Creating a fake Facebook account is not a CMCA offence in itself. But, depending on the facts of the case, for instance, if cheating is involved, other Penal Code offences, such as cheating by personation, may have been committed.
10. Mr Murali asked whether a journalist or a researcher dealing with hacked personal information in the course of their work would have committed an offence under the new section 8A. There is nothing wrong with the journalist reporting on the hacking incident, or the researcher who works with the hacked personal information for research purposes. But it is doubtful if they would ever need to disclose the hacked personal information itself, as part of the report or research findings. For example, there is no need for them to publish details such as hacked credit card numbers as part of the report on the hacking incident, or the research findings. Depending on the circumstances, indiscriminately making available hacked personal information may amount to an offence.
11. Care should always be exercised where hacked personal information is transmitted, even if purported for a legitimate purpose. This could be done by ensuring that the information is only transmitted to trusted persons who have a legitimate reason to receive the information. Where possible, the personal information should be redacted, or anonymised.
12. Mr Desmond Choo asked if website owners have an added responsibility to watch out for unlawful information posted on their sites. Website owners who are aware of hacked personal information hosted on their servers, are encouraged to report this to the authorities. This is no different for anyone who comes across hacked personal information.
13. Mr Louis Ng and Mr Dennis Tan spoke about the prosecution not having to prove the particulars of the computer offence, through which the personal information was obtained, i.e. no need to prove the predicate offence when prosecuting the case of a person under 8A. The prosecution first has to prove that the person involved knew or had reason to believe that the personal information was obtained by an act of hacking, in contravention of the CMCA. There will be cases where it will be clear from the circumstances that the information in question could only have been obtained by hacking. For instance, there is evidence to show that credit card numbers were purchased from a website that trades in hacked credit card information. Or, if there is an entire file of bank account passwords that the person downloaded from such a site. But it can be practically difficult for the prosecution to also prove the particulars of the actual hacking offence for each of the pieces of information found on the site containing information that had been obtained through hacking. In the earlier example where the credit card numbers were purchased from an illegal website, the identity of the hacker and the exact time when the hack took place may not be known, or easily verifiable. The law therefore needs to allow the prosecution to go after the criminal who has committed the offence of dealing in the hacked personal information, without having to also prove the particulars of the actual hacking offence, which may be impossible to fully investigate.
How the CMCA complements the Personal Data Protection Act
14. Mr Murali made several points about data protection, including how the provisions in the CMCA and the Personal Data Protection Act, or PDPA, would apply.
15. The PDPA establishes various rules governing the collection, use and disclosure of personal data by organisations. It recognises both the needs of organisations to collect, use and disclose personal data for legitimate and reasonable purposes, and the rights of individuals to have their personal data adequately protected from intentional misuse and unauthorised disclosure.
16. Section 8A criminalises acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe has been obtained through a computer crime. MHA's intent is to prevent the misuse of such hacked personal information for criminal purposes.
17. For example, in a scenario where a report was received regarding the online posting of hacked personal information belonging to say, customers of a company, the Police would investigate whether a criminal offence under Section 8A had been committed by the person who posted the information. The Personal Data Protection Commission (PDPC) would look into whether the company had made reasonable security arrangements to prevent the unauthorised access of this personal information.
18. The Police and the Commission will work closely together in dealing with such cases, and ensure that there is no overlap in investigation responsibilities, while protecting the public's interest.
19. As for Mr Murali's question on whether we should criminalise the sale of personal information obtained through unauthorised means, regardless of whether the information is hacked, this is beyond the scope of the current Bill. But depending on the circumstances, this may be covered under other laws. We will consider the Member's suggestion in the review of these other pieces of legislation.
Plans for the Government to level up cybersecurity in the private sector
20. Several members highlighted the need for the private sector to level up cybersecurity by strengthening cybersecurity awareness among businesses and growing cybersecurity expertise in the private sector.
21. These are both focus areas in Singapore's Cybersecurity Strategy, and are led by CSA.
22. Cybersecurity is a collective responsibility and everyone, whether individuals or businesses, has a role to play in making cyberspace a safer place. To promote cybersecurity awareness, the Government has been running the Cybersecurity Awareness Campaign since 2011. The Cyber Security Awareness Alliance, started in 2008, brings together government agencies, private enterprises and professional associations to promote the adoption of essential cybersecurity practices. The Singapore Computer Emergency Response Team (SingCERT) under CSA provides advisories to help businesses pre-empt and prevent cyber-attacks. Businesses are also encouraged to read cybersecurity tips and resources on CSA's GoSafeOnline website.
23. Ms Joan Pereira and Ms Thanaletchmi spoke about keeping SMEs informed of the latest developments in cybersecurity. By the third quarter of 2017, businesses will be able to get in-person help at the SME Digital Tech Hub set up by IMDA. The Tech Hub will provide technical advice to SMEs with more advanced digital needs, such as cybersecurity and data analytics. The Hub will help to connect SMEs to ICT vendors and consultants, as well as conduct workshops and seminars to help SMEs to build their digital capabilities.
24. On their part, businesses must also recognise and treat cyber risks as important business risks.
25. The Government is also collaborating with industry to grow the cybersecurity workforce for Singapore. For example, under the Cyber Security Associates and Technologists (CSAT) programme, CSA and IMDA work with the industry and with the Institutes of Higher Learning (IHLs) to attract new graduates and convert existing professionals from related fields. Our universities and polytechnics are also offering cybersecurity programmes for those keen to pursue cybersecurity education. These efforts will go a long way towards creating a vibrant cybersecurity ecosystem for Singapore.
26. Mr Mahdev Mohan and Mr Dennis Tan asked if there would be other Cybersecurity legislation and what its shape would be like. Members will be aware that MCI is planning to table a Cybersecurity Bill later this year. The CMCA will complement this new Bill.
27. The Cybersecurity Bill will ensure that owners and operators of Critical Information Infrastructure take proactive steps to secure their systems and networks, and report incidents. It will also empower CSA to respond to cyber threats, facilitate the sharing of cybersecurity information, and raise the standards of cybersecurity providers in Singapore.
28. But cybersecurity and cybercrime are closely related. The perpetrators of cyber incidents – which CSA would manage – might have committed an offence under the CMCA in the process of carrying out the attack.
Scope of extraterritorial jurisdiction
29. Mr Thomas Chua, Mr Murali and Mr Dennis Tan spoke about widening the extraterritorial jurisdiction of the Act beyond acts that result in serious harm.
30. As mentioned, offences in the CMCA currently have extraterritorial effect if the perpetrator or the computer, program or data was in Singapore at the material time. For example, the act of hacking a computer which was located in Singapore would already be covered by the Act, even if the perpetrator were located overseas at the material time.
31. Mr Desmond Choo asked how cloud services and distributed databases affect enforcement and investigation of cybercrimes. Today, an increasing amount of data that is hosted on the cloud may actually be physically stored in servers located overseas. This makes cybercrime investigations more challenging. This is a challenge faced by law enforcement agencies worldwide. Where necessary, the Police will work with overseas counterparts to investigate such cases.
32. The widening of the jurisdiction of the CMCA will enable the Police to investigate cases where the criminal act resulted in serious harm, or created a significant risk of serious harm, in Singapore. Even if the perpetrator was overseas at the material time, and targeted a computer overseas.
33. The amendment in clause 4 will allow such cases to be charged and prosecuted in our Courts.
34. However, we have scoped the definition of "serious harm in Singapore" carefully, so that the cases that we investigate and prosecute are those that have a significant impact in Singapore.
- These may include cases where there is illness, injury, or death caused to individuals in Singapore;
- A disruption of essential services, such as services directly related to public transportation, banking and finance, and public utilities;
- A disruption of the performance of any duty or function of the Government;
- And where there is damage to the national security, defence or foreign relations of Singapore.
35. Mr Murali asked that we also include as serious harm, any act that damages the economy of Singapore. The definition of essential services already takes into consideration the critical factors that will affect the economy, should they be attacked.
36. Mr Dennis Tan wanted to know how the amended Section 11 subsection 4 paragraph (c) in the definition of "serious harm in Singapore", will be operationalised in respect of the sub-clause on "serious diminution of public confidence" in Government services or disruption of Government functions. What constitutes the "serious diminution of public confidence" will certainly depend on the facts of the case but there are examples in the Bill of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the performance of any duty or function of, or the exercise of the power by the Government, an Organ of State or statutory board. These examples include, providing to the public access to confidential documents belonging to a Ministry of the Government, as well as publication to the public of the access codes for a computer belonging to a statutory board.
37. Thomas Chua asked for similar protection for essential services to be extended to the National Trade Platform (NTP). I hope that is an accurate translation/interpretation of what you said earlier in Mandarin. The NTP can be considered as supporting an "essential service" as currently defined in the CMCA. It is also a function provided by the Government. So depending on the actual situation, a disruption to this could be considered within the scope of "serious harm" in the Bill.
38. Mr Melvin Yong, Mr Murali Pillai and Mr Desmond Choo spoke about the challenges of investigating cybercrimes committed overseas. This is another reason why the provisions have to be scoped, so as to ensure that Police resources are not over-committed to pursue crimes that have a limited or no impact on Singapore. For the cases that are investigated, Police will work closely with overseas counterparts to provide and share evidence of such cases, with a view to prosecuting the criminals in Singapore.
39. Mr Murali Pillai and Mr Mahdev Mohan both asked if we would make CMCA extraditable under the Extradition Act. MHA is working with MinLaw to specify offences under the CMCA as extradition offences.
Update on MHA's other efforts to deal with cybercrime
40. Mr Louis Ng, Mr Desmond Choo and Ms Joan Pereira gave various suggestions on how to deal with cybercrime and I thanked them for that.
41. Last year, MHA launched the National Cybercrime Action Plan (NCAP) which I referred to in my opening statement. The NCAP sets out the Government's key principles and priorities in combating cybercrime.
42. And amending the CMCA is one of the key initiatives of the NCAP.
43. Under the NCAP, we have also enhanced public education and outreach efforts. As Mr Desmond Choo said, the public can play a role in combating cybercrimes by being more vigilant in cyberspace.
44. Mr Louis Ng and Ms Joan Pereira spoke about outreach efforts for vulnerable groups, such as young students and the elderly. Police work closely with schools and organisations such as the Media Literacy Council, to raise awareness of cybercrimes among these vulnerable groups. The Police has also been using existing senior citizen engagement platforms, such as IMDA's Silver IT Fest, to raise the cybercrime awareness of senior citizens. I thank members for their suggestions to further enhance our outreach efforts to the various vulnerable groups.
45. Ms Joan Pereira also asked how we would encourage companies to step forward and report cybercrimes. With greater awareness, the private sector is better able to help the Police to detect cybercrimes. This year, Police established a public-private industry platform, to foster closer collaboration with software companies, Telcos and banks on cybercrime detection and prevention. The Police also regularly reach out to smaller businesses as well to share information on cybercrimes and cybercrime prevention.
46. Mr Desmond Choo asked how we would educate the general public on the provisions of this bill. Our public cybercrime outreach programmes are principally focused on how to prevent members of the public from falling victim to cybercrimes. Most members of the public would not use hacking tools, or transmit hacked personal information. But, we agree that there is a need to reach out to the cybersecurity industry, as well as students. MHA has worked with organisations such as the Singapore Infocomm Technology Federation (SiTF), to publicise information about the new provisions. We will continue to work with CSA on outreach efforts.
47. We have also stepped up enforcement actions against cybercrime. Last year, the Police conducted five islandwide enforcement operations, targeting scams. More than 300 people were arrested in connection with scam cases, involving about $1.8 million in total.
48. Mr Desmond Choo asked what steps the Home Team will be taking to ensure that it has sufficient expertise to handle the increase in cybercrimes. We have been building up new capabilities in the fight against cybercrime. I spoke earlier about the role of the Police Cybercrime Command in coordinating an effective response to cybercrime. We have also set up Cybercrime Response Teams in every Police Land Division. The teams augment the manpower available to respond to cybercrime reports, by assisting investigation officers in responding to cybercrime reports through collecting and processing digital evidence.
49. We have also been working closely with industry and Institutes of Higher Learning (IHLs). For example, Temasek Polytechnic and MHA are developing a TALENT Lab, which will be used to train students from IHLs in cybercrime investigations and forensics skills. The Lab will be officially opened later this year.
50. We have also continued to strengthen our international partnerships. Last year, MHA, AGC and CSA organised the first ASEAN Cybercrime Prosecutors' Roundtable Meeting. This event brought together ASEAN cybercrime prosecutors to share their experiences in addressing cybercrime cases, and building networks among the prosecutors.
51. These efforts to fight cybercrime have started to show encouraging results. Notably, the number of reports of Cheating cases involving E-commerce – which forms about half of all online scam cases – decreased by 6.0% last year, from 2,239 cases in 2015 to 2,105 cases in 2016. However, these cases, along with scams like Internet Love Scams and Officials Impersonation Scams, still remain a significant crime concern. We will continue to monitor the cybercrime situation, and calibrate our outreach programme and enforcement efforts accordingly.
52. MHA will continue its efforts under the NCAP, in partnership with industry, IHLs, the public and law enforcement agencies, so that we can collectively create a safe and secure online environment.
53. Madam Speaker, the amendments to the CMCA help strengthen our response to cybercrime. The threats have so far been under control, but they lurk in many dark corners of cyberspace.
54. We therefore need to put in place a robust legislative framework –
- With safeguards, but also with the necessary enforcement levers,
- As part of a comprehensive cybercrime and cybersecurity strategy,
- To ensure that our computers, systems and data are better protected.