Virtualization Technology News and Information
Why People Are Concerned About Singapore's New Cybersecurity Bill


On February 5, Singapore's legislators passed a cybersecurity bill into law. It focuses on numerous sectors that provide services and the online-based information associated with each of them:

  • Healthcare
  • Finance and banking
  • Emergency services and security
  • Transport
  • Media
  • Information communications
  • Water
  • Energy
  • Government

The chief executive of Singapore's Cyber Security Agency becomes a Commissioner as a result of this law, and that person has the power to investigate cybersecurity attacks on organizations in those categories based on severity and the interventions required. As such, all companies or agencies victimized by a cyberattack must report them to the Commissioner.

Concerns About What Could Happen After an Attack

Last Year, the Minister for Communications, Yaacob Ibrahim, released a draft version of the bill that caused many stakeholders to make comments and ask for clarifications. Some of them were wary about a part of the document that does not give sufficient details about what happens after a reported cybersecurity attack.

Critics charged the draft bill was not specific enough in defining the Commissioner's power to look into incidents. In response, government officials said the scope varied depending on the extent of the occurrence but would likely include an evaluation of system logs and network configurations.

Also, if it becomes necessary to seize computers or perform intrusive network scans, the parties will receive notification beforehand. The Minister for Communications assured that those more invasive measures would only happen when the benefits outweigh the costs. However, many people were still concerned by that response.

Failure to Obey Could Lead to Massive Fines

Another matter that raises the alarm for individuals in Singapore is the fact that after an attack, the targeted organization must give all requested information to the Commissioner and follow any other orders given. By not doing so, people risk having to pay a fine of up to $100,000, or over 75,000 USD, spend two years in jail or do both.

Some individuals are also concerned because the Commissioner can investigate cyberattacks not associated with the industries in the bulleted list above. That's apparently the case because of how many computer systems are connected to each other, meaning some machines outside the specified service-providing sectors could be affected, too.

If an organization does not agree to have an assessment carried out, it's a criminal offense. Ultimately, it could result in six months in jail or a $5,000 - over 3,750 USD - fine.

Compliance Measures May Be Costly

Most business owners know having cybersecurity precautions in place is an essential part of daily operations. Sometimes, that measure even affects their profits. For example, in the United States, the Defense Federal Acquisition Regulation Supplement (DFARS) clause relates to the U.S. government's interest in keeping proprietary information secure.

It applies to businesses that have Department of Defense contracts. Failing to update an organization's infrastructure to meet minimum standards to safeguard against cybersecurity attacks by the end of last year meant the businesses could sacrifice their contractual agreements.

In response to the Singapore bill, some concerned people brought up how the costs associated with getting their systems in compliance could be prohibitively costly for small and medium-sized businesses.

United States legislators approved the NIST Small Business Cybersecurity Act. It gives small businesses access to assistance from the National Institute of Standards and Technology regarding cybersecurity risk assessments, threat mitigation and similar matters. That information could theoretically reduce their costs by making cybersecurity strategies targeted for precise needs.

Additional Costs to Taxpayers?

Representatives in Singapore mentioned the country's government already has programs in place to reduce cybersecurity threats nationally. Furthermore, they spoke about how many of the businesses required to comply with Singapore's new law should already have some cybersecurity strategies underway meaning they won't be starting from scratch.

Still, some people wondered if the expenses required for compliance - which could cost the equivalent of tens of thousands of dollars or more - would cause extra burdens for the country's taxpayers.

Singapore's cybersecurity bill is not in effect immediately, and those required to comply with it reportedly have time to make adjustments as needed. However, it'll be interesting to see if the parts of the law that have given people pause so far will turn out to be as far-reaching as many individuals assert that they seem.


About the Author

Kayla Matthews is a tech-loving blogger who writes and edits Follow her on Twitter to read all of her latest posts! 
Published Wednesday, February 14, 2018 8:12 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<February 2018>