Proposed changes to Singapore cyber law welcome
By Amit Roy Choudhury
Bill read in Parliament on 3 April proposes amendments to the 2018 law to keep pace with the evolving threat landscape targeting critical information infrastructure. They provide greater oversight and represent a welcome upgrade, writes Amit Roy Choudhury.
A bill to amend the Cybersecurity Act 2018 was first read in Parliament on 3 April. It includes updates to existing provisions, an expansion of the CSA's oversight, and the introduction of two new classes of regulated entities.
The proposed changes to the Cybersecurity Act 2018 represent a welcome upgrade to the law which helps to protect Singapore’s critical information infrastructure (CII).
The changes, brought forth by the Cyber Security Agency of Singapore (CSA) and first read in Parliament last week, include updates to existing provisions, an expansion of the CSA’s oversight, and the introduction of two new classes of regulated entities.
They show that the CSA is on top of the evolving threat landscape that is targeting CIIs around the world. The problem is more severe than many realise.
Recent studies and empirical evidence show that with increased digitalisation, many CIIs depend on third-party infrastructure in their supply chains, such as cloud computing and IT infrastructure, for their many digital needs.
Malicious actors, often with state sponsorship, have noted this. Instead of attacking usually well-protected CIIs directly, bad actors are targeting downstream IT service provider networks to infiltrate CII networks.
This often allows them to disrupt, or potentially disrupt at an appropriate time, essential services such as water supply, electricity, transportation, banking, and other vital services, thus crippling the economic infrastructure of the target.
Keeping pace with cyber threats
CSA says that the objective of the Bill is to update the Act “so that it keeps pace with the developments in the cyber threat landscape, as well as our evolving technological operating context”.
The Minister for Communications and Information, Josephine Teo, spoke about the proposed amendments on 1 March at the Committee of Supply debate 2024.
She said they reflect the increasing importance of ensuring the cybersecurity of the digital infrastructure and services that power Singapore’s digital economy and enable citizens to meet their day-to-day needs, beyond the current CII it covers today.
While existing provisions relating to the cybersecurity of CII will be updated, one important part of the Bill is how it expands CSA's oversight to cover systems of temporary cybersecurity concern (STCCs). Examples of STCCs include systems used to support the distribution of vaccines during a pandemic.
Under the draft legislation, the amendments will expand the scope of cybersecurity incidents that CII owners are required to report, including those that happen in their supply chains (such as in the networks of their cloud computing service providers).
To understand why this change is important and can help shore up Singapore’s cybersecurity resilience, it is instructive to look at how insidious cyberattacks have become.
According to cybersecurity firm Forescout, global CIIs, including medical, power, communications, waste, manufacturing, and transportation, have been under "near-constant" attack.
Forescout’s research arm, Vedere Labs, reported more than 420 million attacks between January and December 2023. That is 13 attacks per second, a 30 per cent increase from 2022.
Apart from the sheer number of attacks, which by itself is quite intimidating, the report has some extremely interesting and worrisome data.
Around 212 countries were listed as countries of origin for the attacks. Out of these, the top 10 countries accounted for 77 per cent of the malicious traffic, with a spike in attacks from China.
Vedere’s report further noted that 48 per cent of the attacks came from IPs managed by Internet service providers, or ISPs; 32 per cent from organisations in business, government, and other sectors; and 10 per cent from hosting or cloud providers.
This reflects an increase in the use of compromised devices to launch attacks, whether directly or via “residential proxies.”
The data provides context on why CSA puts the onus on CII owners and makes them responsible for cybersecurity and cyber resilience, “even as they embrace new technological and business models, like the use of cloud computing”.
Multi-faceted threats
The threats to public utilities are multi-faceted.
Many public utility providers, such as Singapore’s PUB, the national water agency, use operational technology (OT) networks to improve the resilience of their infrastructure and ensure uninterrupted water supply.
Contrary to previous notions that OT systems, such as water pressure monitors, are standalone devices, most modern OT networks are seamlessly integrated with the IT network. This improves efficiency but also opens attack vectors when IT networks themselves get compromised.
According to a report by Waterfall Security Solutions, at least 68 cyberattacks last year caused physical consequences to OT networks at more than 500 sites worldwide — in some cases causing US$10 million (S$13.5 million) to US$100 million in damages.
Waterfall says that in the past decade and a half, only around a quarter of cyber-attacks on OT systems were caused by attacks that targeted OT networks.
A major fraction of the attacks that shut down OT systems targeted compromised machines in the IT network, and these attacks cascaded into the OT networks, many of which had to be shut down, resulting in disruption of various vital services.
Singapore well-prepared
While all this may sound a bit alarming, it should be noted that CSA is quite aware of these dangers.
In 2021, CSA established the Operational Technology Cybersecurity Expert Panel (OTCEP), which allows Singapore's OT cybersecurity practitioners, operators, researchers, and policymakers from the Government, CII sectors, academia and other OT industries to have direct access to internationally renowned experts.
Apart from this, CSA has launched several other initiatives to protect OT networks.
In case of an incident, the Bill will allow CSA to proactively secure STCCs, which would be at a high risk of cyberattacks because of certain extraordinary events or situations.
Apart from CIIs, the Bill will allow CSA to designate and regulate other important entities, such as Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI) if they hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects for Singapore.
Examples of such entities could include autonomous universities. Since they are not CII, the level of obligation imposed on ESCIs will not be the same as that for CIIs.
Not an over-kill
One could argue that this puts many CIIs in a bit of a bind.
On one hand, they need to embrace new technologies like cloud computing as a part of their supply chain to ensure that they remain economically viable. On the other hand, incidents in their supply chain can result in a blowback for their core business of providing Singapore with CII services.
CSA has noted that the proposed expansion of incident reporting requirements is intended to address evolving tactics of advanced persistent threat (APT) actors and cybercriminals that involve exploiting supply chains and other peripheral systems to attack CII and disrupt the delivery of essential services.
Though CSA leaves this unsaid, APTs are often linked with nation-state actors and leverage malicious cyber activity for espionage, data theft and system disruption, according to America’s Cybersecurity and Infrastructure Security Agency (CISA).
CSA has pledged to work with CII owners to manage the compliance burden and develop a “pragmatic” approach to the submission of incident reports including those involving the supply chain.
The agency also notes that the decision to use an outsourced CII from a third-party computing vendor is a business decision that a CII owner may undertake depending on its assessment of the costs and benefits involved.
However, the CSA adds that, as the national cybersecurity authority, it holds the view that all CIIs, regardless of whether they are outsourced or owned by CII owners, should be subjected to similar levels of cybersecurity requirements.
As David Koh, the CEO of CSA, told GovInsider back in April 2018, “cybersecurity is a team sport… private sector organisations need to do their part and take proactive steps to protect their systems”.
Six years down the line, his point on the need for the private sector and individuals to complement the government’s efforts remains more relevant than ever. The cybersecurity ring fence that CSA has erected around Singapore is only as strong as its weakest link.
Amit Roy Choudhury, a media consultant and senior editor, writes about technology for GovInsider.