Singapore to introduce Digital Infrastructure Act later this year

The long-anticipated  Digital Infrastructure Act (DIA) will be tabled in Parliament later this year. 

The Minister for Digital Development and Information, Josephine Teo said: “We have to work with our colleagues in the Attorney General’s Chamber because there is a legislative calendar for the government, and they will have to obviously look at their capacity to meet all of our requests. If you ask the Ministry, certainly the earlier the better.” 

The Minister made this statement during a visit on Tuesday to a Microsoft data centre. 

The DIA will regulate systemically important digital infrastructure such as major cloud service providers (CSPs) and data centre (DC) operators to strengthen the foundational layer of Singapore’s digital infrastructure. It will complement existing legislation like the Cybersecurity Act to safeguard Singapore’s digital infrastructure. 

Earlier in the day, the Infocomm Media Development Authority (IMDA) introduced advisory guidelines (AGs) for cloud services and data centres. 

While these guidelines are currently voluntary, many of them would eventually be codified in the DIA.  

Speaking about the guidelines, the Minister said: “I think even before we put in place legislative regulatory requirements, it's good to have feedback from the industry. And the advisory guidelines, in a way, allow us to ground-test a set of practices.” 

Opportunity to provide feedback 

She added that the industry will be able to put them into deployment, and then they can provide feedback to IMDA and the Ministry on what has been useful and what are some of the areas that can be refined further.  

To subscribe to the GovInsider bulletin click here.

“I think it will help us shape a set of requirements in the DIA that is more responsive to their (the industry) needs and will bring about greater assurance to the public. So that's the thinking behind it,” Minister Teo said. 

An IMDA spokesperson told GovInsider that the guidelines recommend measures that all CSPs and DC operators in Singapore are “encouraged to adopt to enhance the resilience and security of their services, to minimise the occurrence of disruptions to these services and impact on our economy and society”. 

In the aftermath of the CrowdStrike outage last year, which was the biggest IT services disruption in the world to date, the Ministry of Digital Development and Information (MDDI) spokesperson said that the DIA would ensure the adoption of baseline security and resilience standards for Singapore’s digital infrastructure. 

The IMDA spokesperson added that the guidelines set out best practices to address risks to cloud services and DCs, which could range from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures, as well as cyber-attacks.  

In this context, the fire at the Digital Realty Loyang data centre was mentioned. 

Key measures 

The key measures recommended CSPs and DC operators to implement include risk assessment, business impact analysis, business continuity planning, and cybersecurity measures. The guidelines referenced existing international and industry standards such as the Multi-Tier Cloud Security (MTCS) Standard and others.  

The AGs also incorporated lessons from past incidents and were developed in consultation with key CSPs and DC operators in Singapore, the IMDA spokesperson said. 

For cloud services, the AGs cover seven categories of measures to uplift the security and resilience of cloud services. These include areas such as security testing, user access controls, proper data governance, and planning for disaster recovery. 

For DCs, the AGs provide a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers.  

The guidance includes implementing business continuity policies, controls and processes, and continuously reviewing and improving them. The AGs also set out measures to address cybersecurity risks in DCs.  

For both CSPs as well as DC operators, the guidelines have suggested the appointment of a designated senior representative to take charge of the collective effort of building resilience. 

Inter-agency taskforce 

The AGs were developed by an inter-agency taskforce led by MDDI and comprising members from the IMDA, Cyber Security Agency of Singapore (CSA), and GovTech Singapore. 

The spokesperson said the AGs were an additional step to enhance the resilience and security of cloud services and DCs, following the amendments to the Cybersecurity Act last year to address the cybersecurity risks of such digital infrastructure. 

In developing the AGs, the taskforce consulted CSPs and DC operators, as well as end-user enterprises (like banks, healthcare providers, and digital platforms) that rely on such digital infrastructure.  

Recognising the need to provide resilient and secure compute facilities and services as part of their value proposition, the operators largely supported the AGs, the spokesperson said.  

End-user enterprises also expressed their support for the AGs.  

SingHealth’s Group Chief Information Security Officer, Chua Kim Chuan, said a robust digital infrastructure provided by our IT partners and suppliers is critically important to SingHealth.  

“We welcome the AGs and the DIA as they align with our commitment to enhancing cybersecurity and digital resilience, further safeguarding our systems and patients' interests,” Chua added.

IMDA said the guidelines will continuously be updated to incorporate technological developments, learning points from incidents, and industry feedback.  

In addition, a whole-of-ecosystem approach is required to ensure that our economy and society continue to reap the benefits of digitalisation while being prepared to manage digital disruptions, the IMDA spokesperson added.  

Companies that provide digital services are advised to conduct risk assessments and put in place business continuity plans to mitigate the impact of disruptions on their customers, he added.