New developments in the Computer Misuse and Cybersecurity Act, Singapore; actions by the Personal Data Protection Commission under the Personal Data Protection Act (PDPA); thoughts on the upcoming Cybersecurity Act 2017
1. New Developments in Cyber Law
Benjamin Ang
Senior Fellow / Head Cyber Programme, Centre of
Excellence for National Security (CENS)
Education Chair, Internet Society Singapore Chapter
Twitter @benjaminang and @ISOCSingapore
www.isoc.sg
3. Risks during transition
• "Tunnel-based IPv6 transition mechanisms could allow the setup of egress communication channels over an IPv4-only or dual-stack network while evading detection by a network intrusion detection system,"
• Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels, NATO defence alliance's Cooperative Cyber Defence Centre of Excellence and Tallinn University of Technology, Estonia
4. Risks during operation
• Atomic fragments can be used as a fragmentation attack vector against routers in large-scale core networks
– https://www.theregister.co.uk/2017/01/18/net_boffin_ipv6_needs_hardening_against_fragmentation_attacks/
• Some security tools and DDoS mitigation tools are not IPv6 ready
– http://searchsecurity.techtarget.com/feature/Address-IPv6-security-before-your-time-runs-out
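A detection-side illustration of the two risks above (tunnelled transition mechanisms slipping past an IPv4-only NIDS, and atomic fragments), added here as an example and not taken from the deck or the papers it cites: it labels IPv4 flows that carry IPv6 inside protocol 41 (6in4/6to4/ISATAP) or Teredo UDP/3544, and parses raw IPv6 packets for a Fragment Header with offset 0 and M=0. The flow records and packets are constructed samples using documentation addresses.

```python
import struct
from ipaddress import ip_address

# Constructed IPv4 flow records (not from the deck) as seen at an egress point.
FLOWS = [
    {"proto": 6, "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443},
    {"proto": 41, "src": "10.0.0.7", "dst": "192.0.2.10", "dport": None},
    {"proto": 17, "src": "10.0.0.9", "dst": "198.51.100.4", "dport": 3544},
    {"proto": 17, "src": "10.0.0.9", "dst": "198.51.100.5", "dport": 53},
]

def classify_flow(flow):
    """Label an IPv4 flow that carries IPv6 via a tunnel-based transition mechanism."""
    if flow["proto"] == 41:
        # 6in4, 6to4 and ISATAP all put IPv6 straight inside IPv4 protocol 41
        return "proto41-tunnel"
    if flow["proto"] == 17 and flow["dport"] == 3544:
        # Teredo encapsulates IPv6 in UDP; 3544 is the Teredo server port
        return "teredo"
    return None

def find_tunnels(flows):
    """Return (src, dst, mechanism) for every flow an IPv4-only NIDS may not look inside."""
    hits = []
    for f in flows:
        label = classify_flow(f)
        if label:
            hits.append((f["src"], f["dst"], label))
    return hits

def is_atomic_fragment(pkt):
    """True if a raw IPv6 packet carries a Fragment Header with offset 0 and M=0 (RFC 6946)."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != 44:
        return False  # too short, not IPv6, or first extension header is not Fragment (44)
    _, _, frag_field, _ = struct.unpack("!BBHI", pkt[40:48])
    return (frag_field >> 3) == 0 and (frag_field & 1) == 0

def build_ipv6(next_header, payload):
    """Build a constructed IPv6 packet with a fixed 40-byte header (documentation addresses)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    hdr += ip_address("2001:db8::1").packed + ip_address("2001:db8::2").packed
    return hdr + payload

ICMP6_ECHO = b"\x80\x00\x00\x00"
ATOMIC = build_ipv6(44, struct.pack("!BBHI", 58, 0, 0, 0x1234) + ICMP6_ECHO)      # offset 0, M=0
FIRST_FRAG = build_ipv6(44, struct.pack("!BBHI", 58, 0, 1, 0x1234) + ICMP6_ECHO)  # offset 0, M=1
UNFRAGMENTED = build_ipv6(58, ICMP6_ECHO)
```

In a real deployment the flow records would come from NetFlow/IPFIX exports and the packet check from a capture tap; a hit on either is a reason to look at the endpoint, not proof of exfiltration.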
6. Unauthorised access to computer material
3.—(1) … knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data
Example: "Aha, I’ve found Betty’s credit card info in her documents"
7. Unauthorised modification of computer material
4.—(1) … knowingly causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence
Example: "I can use the info to buy stuff using Betty’s account"
8. Access with intent to commit or facilitate commission of offence
5.—(1) … does any act which he knows will cause an unauthorised modification of the contents of any computer
Example: "I will change the data to make Betty look dishonest"
9. Unauthorised use or interception of computer service
6.—(1) any person who (a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
Example: "Hey look, I’m using Betty’s wi-fi without her knowledge"
10. Unauthorised obstruction of use of computer
7.—(1) Any person who, knowingly and without authority or lawful excuse — (a) interferes with, or interrupts or obstructs the lawful use of, a computer; or
Example: "Betty, if you don’t pay the ransom, you will never see your files again"
11. Unauthorised obstruction of use of computer
7.—(1) (b) impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer
Example: "I hate Betty, I shall launch a DDoS on her server"
12. 8A. Obtaining personal information
(1)(a) Obtaining or retaining personal information a person knew or had reason to believe came from s3, 4, 5, or 6,
(2)(a) to commit an offence, or
(2)(b) to supply it for committing an offence
Example: "I found Betty’s credit card info on freecreditcards.com – I can use it to buy stuff"
Example: "Not my fault … I didn’t hack Betty, but someone else surely did"
13. 8A. Supplying personal information
(1)(b) Supplying or transmitting personal information a person knew or had reason to believe came from s3, 4, 5, or 6,
(2)(b) to facilitate committing an offence
Example: "I’ll send Betty’s credit card info over to Charles, he can use it to buy stuff too"
14. What is Personal Information?
• “any information, whether true or not, about an individual … alone or in combination … to identify an individual, including (but not limited to)
– biometric data,
– name,
– address,
– date of birth,
– national registration identity card number,
– passport number,
– a written, electronic or digital signature,
– user authentication code,
– credit card or debit card number, and password.”
15. 8B Items used for offences
(1)(a) Obtaining or retaining any item
(i) Intending to commit or facilitate an offence under s3, 4, 5, 6, 7
Example: "This tool is useful; I can use it to gain entry to Betty’s documents and take her credit card info"
16. 8B Items used for offences
(1)(b) Making, supplying, offering to supply or making available, an item,
Intending it to be used to commit an offence under s3, 4, 5, 6, 7
Example: "I can send the same tool to Bob, I’m sure he’ll want to get into Betty’s documents too"
17. What are these illegal ‘items’?
• s8B(2)(a) Any device / program that is
– Designed
– Adapted, or
– Capable of being used,
to commit an offence under s3 – 7
• (b) Password or access code, which can be used to commit an offence under s3 – 7
18. Extra-territorial jurisdiction
Offence to commit a criminal act
• while overseas,
• against a computer located overseas
• if there is significant risk of “serious harm” in Singapore.
• “serious harm” includes
– (i) illness, injury or death of individuals in Singapore;
– (ii) disruption of, or a serious diminution of, essential services;
– (iii) disruption of / serious diminution of public confidence in … govt function; or
– (iv) damage to the national security, defence or foreign relations of Singapore
19. What happens if you commit an offence under CMCA
• Prison up to 20 years
• Fines up to $100,000
20. What is Negligence?
• Duty of care – you owe a duty to people who would foreseeably be affected by your actions
• Reasonable standard – your duty is to take reasonable care, based on the industry’s practice
• Liability for damage – you would be liable if you failed to meet your duty and there was damage
21. What happens if you’re sued for Negligence
• Yahoo – sued for ‘gross negligence’ in not securing user accounts
• Home Depot – paid settlements of US$25m to banks and US$19.5m to consumers for 2014 breach
• Neiman Marcus – paid settlement of US$1.6m to shoppers for 2013 breach
• Target – offers US$10m settlement for breach
22. Personal Data Protection Commission fines under PDPA
• S$10,000 fine on Propnex Realty for failing to make reasonable security arrangements to prevent unauthorised access of customers’ personal data
• S$10,000 fine on JP Pepperdine
• S$10,000 fine on Tech Mahindra for failing to make reasonable security arrangements to prevent unauthorised access / modification of mybill.singtel.com, myaccount.singtel.com
• S$3,000 fine on Smiling Orchid
23. Overseas regulators who might penalize you
• FTC
• SEC
• US Treasury Department
• European Union, under General Data Privacy Directive (GDPR)
– fines of up to 4% worldwide annual turnover
– or €20 million (whichever is higher).
25. From Bill to Act
• Drafting and Public Consultation – we are here
• 1st + 2nd Reading – it will be introduced in Parliament as a Bill in late 2017
• Select Committee
• 3rd Reading – this will contain input and amendments from the consultation
• Signing – after PCMR passes it, the President will sign it, and it will be Gazetted
26. Management / response to cyber threats – existing CMCA
• 15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore, the Minister may, ..., authorise or direct any person or organisation ... to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services.
27. Some of the concerns
Concerns
• Threats to both IT systems and Industrial Control Systems (ICS)
• Threats to availability and integrity
Responses
• Proactive approach for protection of critical information infrastructure
• Risk-based mitigation, early detection and robust response
28. Parts of the Bill
• Sharing of cybersecurity information with and by CSA
• Management of and response to cyber threats
• Protection of Critical Information Infrastructure
29. Get involved in the discussion
Contact us
@benjaminang
@ISOCSingapore
www.isoc.sg
30. Internet Society (Singapore Chapter)
• Mission: To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
31. Internet Society Singapore Chapter
• Provides leadership in policy issues
• Advocates open Internet Standards
• Promotes Internet technologies that matter
• Develops Internet infrastructure
• Undertakes outreach that changes lives
• Recognizes industry leaders
32. Current Priorities for ISOC.SG
▪ Internet Governance
▪ Open Internet Standards
▪ Online Identity
▪ IPv6
▪ Blockchain
▪ Domain Name System Security (DNSSEC)
▪ Internet and Human Rights
▪ Intellectual Property and Digital Content
▪ Internet of Things
38. Centre of Excellence for National Security (CENS)
• Multinational team of research specialists in national security
• Working with National Security Coordination Secretariat (NSCS) and Cyber Security Agency (CSA)
• Part of the S Rajaratnam School of International Studies (RSIS) at NTU
39. What we do at CENS
• Publish Commentaries and Policy Papers on National Security issues
• Educate and advise National Security Officials
• Organize workshops and seminars to create a community of practice in public and private sectors