Singapore’s proposed Cybersecurity Bill: Check Point Software weighs in
Singapore’s Cybersecurity Agency (CSA) has proposed a Cybersecurity Bill, which has been released to the public for feedback.
There are five points to note about this Bill:
- The Bill confers power on CSA’s chief, as Commissioner of Cybersecurity, to ensure ongoing service in 11 critical sectors in the event of a cyberattack. These 11 sectors include telco, transport, healthcare, banking and energy, among others.
- The Bill is overarching across all sectors and across public and private sectors. Organisations are mandated to share information during investigations into cyberattacks or cyberthreats. Banking and privacy rules would be superseded by the Bill.
- The proactive measures to be undertaken by critical information infrastructure (CII) owners include notifying the Commissioner, undergoing regular audits by Commissioner-approved third parties, and complying with the Commissioner’s directions, including giving access to premises, computers and information.
- Security services vendors must be licensed. This also applies to white hat hackers who provide cybersecurity services.
- The Commissioner may identify and designate new systems as CII during a national emergency. This designation would be per the Official Secrets Act.
The public consultation exercise will end on 3 August 2017.
Enterprise IT News spoke to Tony Jarvis, the APAC Chief Strategist of Check Point Software Technologies, about possible implications of this Bill.
EITN: Does the Commissioner of Cybersecurity have powers over private and/or foreign entities/organisations, i.e. banking, telecommunications? How will this role differ from, say, a CIO of a bank or telco?
Check Point: No comment.
EITN: How do you think banks will react to bank and privacy rules being superseded by the Cybersecurity bill? How will private/foreign organisations react to having to hand over information during investigations?
Check Point: Banks may have concerns around the privacy of the information being handed over. To date, details have not been shared as to how this information will be safeguarded, though we expect to see more on this in the future. Private and foreign organisations based in Singapore must comply with the applicable laws of the country, of which this is one of many.
EITN: How will licensing vendors and service practitioners aid overall in achieving the objective of the cybersecurity bill?
Check Point: We will need to wait until further details are revealed concerning the Bill itself for the specifics of how vendors and practitioners will play a role. At this moment, it is safe to say that they will assist with providing training, securing systems, and supplementing skills that organisations may not possess internally.
EITN: Would you recommend the implementation of a similar bill in other countries like Thailand or Indonesia or even Malaysia? What are the unique characteristics of Singapore that would contribute to the bill’s success and effectiveness?
Check Point: It would be prudent to observe how the Bill is received following its implementation, and the benefit it provides in terms of investigating breaches. Singapore benefits from close involvement between government and enterprise, and a transparent approach towards building a framework for a safer cyber environment. Each country has its own characteristics, with differing approaches towards the investigation of breaches.
EITN: What is the potential immediate role that a security vendor like Check Point would play when this new Cybersecurity Bill is ratified?
Check Point: As part of our efforts to educate businesses concerning all aspects of cybersecurity, we will be analysing the Bill and identifying how this impacts organisations in their day-to-day security operations. This information will be relevant to business discussions covering topics such as incident monitoring, compliance, forensic analysis and response.
EITN: What kind of cost implications are there? What kind of skills and training would workers need? How would vendors measure up to having to be licensed?
Check Point: The main cost implication being discussed at the moment concerns the additional responsibilities faced by organisations. Staff and systems will be needed to perform such duties, resulting in additional costs being borne by the businesses themselves. Security staff will need to be skilled in the key areas outlined by the Bill, which include functions such as auditing and penetration testing.
These may need to be outsourced to third parties if the skills do not exist internally.