The document discusses Singapore's cybersecurity strategy and legal framework. It has 4 pillars: (1) enhancing Singapore as a trusted hub, (2) promoting collective responsibility, (3) using cybersecurity as an advantage, and (4) national cyber R&D. The Cybersecurity Act designates critical infrastructure and gives the Cyber Security Agency powers to investigate incidents. The strategy aims to strengthen cyber defenses, educate the public, and develop Singapore as a cybersecurity hub in Asia.

1. SINGAPORE CYBERSECURITY ACT AND
CYBERSECURITY STRATEGY
Benjamin Ang
Head Cyber Homeland Defence
Centre of Excellence for
National Security, RSIS, NTU
Twitter @benjaminang

2. SINGAPORE’S
CYBERSECURITY STRATEGY

3. 4 PILLARS OF THE STRATEGY

4. 11 SECTORS OF
CRITICAL INFORMATION INFRASTRUCTURE
SERVICES UTILITIES TRANSPORT
Government services
Emergency services
Healthcare
Media
Banking and financial
services
Power
Water
Telecoms
Transport
Airport
Seaport
1

5. SINGAPORE’S CYBERSECURITY ACT 2018
Critical Information Infrastructure
Designates certain systems /
organizations as CII
Appoints CII Owners
Makes them responsible for
complying with CSA’s standards,
audit, participation in exercises, etc.
Makes it compulsory for CII Owners
to report breaches (still optional for
other organizations)
Other Systems
Gives CSA power to enter and take
over systems (e.g. seize servers) in
serious incidents
Ecosystem
Requires registration of some cyber
professionals e.g. penetration
testers, Security Ops Centres

6. NCAP TO COMBAT CYBERCRIME
National Cybercrime Action Plan
Educate
the public
Equip the
police
Review
the laws
Partner
industry
and
overseas*

7. ENHANCE SINGAPORE’S STANDING AS A TRUSTED
HUB
Strengthen Personal Data Protection Act
Consent required to collect, use, and transfer data
Enforcement by Personal Data Protection Commission
Embrace personal data protection as corporate culture
Professionalise Data Protection Officers
Work with foreign Data Protection Authorities
2

8. PROMOTE COLLECTIVE
RESPONSIBILITY
Make cybersecurity a
business priority
for all organizations,
not just CII
Public education
Tap on government
expertise 2

9. USE CYBERSECURITY AS AN ADVANTAGE
Attract
advanced
companies
Support start-
ups
Support local
champions
Develop
global market
opportunities
3

10. NATIONAL CYBERSECURITY R&D PROGRAMME
S$190m
(US$140m)
3

11. 2017 BUDGET: HELP FOR SME’S
S$80m
(US$60m)
3

12. FUNDING FOR ASEAN
CAPACITY BUILDING
S$10m (US$7m)
ASEAN Cyber
Capacity Programme
S$30m (US$22m)
Singapore–ASEAN
Cyber Security
Centre of Excellence
4

13. HOSTING AND SUPPORTING INTERNATIONAL &
REGIONAL EXCHANGES
Singapore International Cyber Week events
 2018 AMCC tasked Singapore to develop framework
Co-organizing US-SG TCTP Workshops
 3 years x all ASEAN members
Collaborating on The Hague Process
 International Law Applicable to Cyber Operations
Co-Sponsoring the UN/CSA Cyber Diplomacy training for UNGGE 2019/2020

14. SINGAPORE’S LEGAL ENVIRONMENT
FOR CYBERSECURITY

15. TYPES OF LEGAL LIABILITY (IN SINGAPORE) FOR
CYBERSECURITY LAPSES
Negligence Breach of
Personal Data
Protection Act
Breach of other
Laws (OSA,
Cybersecurity
Act)
Breach of MAS
Regulations
Breach of
Contract
Breach of
Directors Duties
to Company

16. COST OF NEGLIGENCE ACTIONS
Yahoo – sued for ‘gross negligence’ in not securing user
accounts (link)
Home Depot – paid settlements of US$25m to banks and
US$19.5 m to consumers for 2014 breach (link)
Neiman Marcus – paid settlement of US$1.6m to shoppers
for 2013 breach (link)
Target – offers US$10m settlement for breach

17. PERSONAL DATA PROTECTION COMMISSION
FINES UNDER PDPA
S$10,000 fine on Propnex Realty for failing to make
reasonable security arrangements to prevent unauthorised
access of customers’ personal data
S$10,000 fine on JP Pepperdine
S$10,000 fine on Tech Mahindra for failing to make
reasonable security arrangement to prevent unauthorised
access / modification of mybill.singtel.com,
myaccount.singtel.com
S$3,000 fine on Smiling Orchid

18. DIRECTORS’ DUTIES (AND SENIOR MANAGEMENT)
3.0.2 … the board of directors
and senior management should
have oversight of technology
risks and ensure that the
organisation’s IT function is
capable of supporting its
business strategies and
objectives.
3.1.2 They should also be fully
responsible for ensuring that
effective internal controls and
risk management practices are
implemented to achieve
security, reliability, resiliency
and recoverability.

19. EXAMPLE: MAS NOTICE ON CYBER HYGIENE:
FI’S MUST IMPLEMENT 6 CYBER SECURITY MEASURES
1. address system security flaws
in a timely manner;
2. establish and implement
robust security for systems;
3. deploy security devices to
secure system connections;
4. install anti-virus software to
mitigate the risk of malware
infection;
5. restrict the use of system
administrator accounts that can
modify system configurations; and
6. strengthen user authentication
for system administrator accounts
on critical system

20. THE REAL STATE OF
SECURITY
in June 2018, the attacker used a
dormant local administrative
account with the commonly used
password hash of P@ssw0rd.
The password had not been
changed since 2012.

21. SINGAPORE’S CYBERSECURITY ACT

22. SECTION 19 - POWERS TO INVESTIGATE AND
PREVENT CYBERSECURITY INCIDENTS
Require anyone to answer questions
Require anyone to produce records
Interview anyone

23. SECTION 20 - POWERS TO INVESTIGATE AND
PREVENT SERIOUS INCIDENTS
Criteria
Real risk of harm to CII
Real risk of disruption to essential
service
Real threat to national security,
foreign relations, economy
Severe because of number of
computers or value of information
Powers
Direct anyone to carry out remedial
measures
Require the owner to assist
Enter premises
Access computers
Scan computers
Take copies
Take computers

24. SECTION 23
EMERGENCY POWERS

25. SECTION 23 – EMERGENCY CYBERSECURITY
MEASURES
Criteria (Minister decides)
necessary for preventing, detecting
or countering any serious and
imminent threat to —
(a) the provision of any essential
service; or
(b) the national security, defence,
foreign relations, economy,
public health, public safety or public
order of Singapore
Powers
Can direct anyone to “take such
measures or comply with such
requirements as may be
necessary to prevent, detect or
counter any threat”

26. WHAT WOULD SOME OF THE
CONCERNS BE?

27. CONCERNS AND RESPONSES
Concerns
Conflict between CSA and
Sector Regulators?
Suppliers of CII affected?
Overseas computers?
How much must CII owners do?
What if CII owners just fail to
comply?
Responses
Make Sector Regulators into Asst
Commissioners
Suppliers not affected
Only Singapore
CII owners must take reasonable
steps
Penalties only for wilful non-
compliance

28. CONCERNS AND RESPONSES (CONTD)
Concerns
Can CSA seize computers?
How will CSA define
‘emergency’?
What if CSA officers abuse
data?
Responses
CSA can seize with consent, in
emergency
‘Emergency’ decided with
regulator and business
CSA officers are subject to
criminal prosecution

29. CONCERNS AND RESPONSES (CONTD)
Concerns
Will threat or incident info
shared with CSA be safe?
Will CSA breach data privacy?
Responses
Info shared with CSA is
protected under Act
CSA will only access technical
data

30. WHAT HAPPENS WHEN BREACH IS DETECTED?

31. WHAT HAPPENS WHEN BREACH IS DETECTED?

32. A MANAGEMENT ISSUE
"I thought to myself: 'If I report
the matter, what do I get?' If I
report the matter, I will simply get
more people chasing me for more
updates. If they are chasing me
for more updates, I need to be
able to get more information to
provide them."

33. CHALLENGES TO IMPLEMENTATION
OF INTERNATIONAL LAW

34. CHALLENGES TO IMPLEMENTATION
● Is it impossible to monitor / enforce / attribute?
● Is it impossible to define (e.g. what is a cyber weapon?)
● Would it take too long to negotiate / would become obsolete
● Would Norms be more flexible?
● Will some states want to maintain their cyber offensive
capability?
● Will some states object on human rights issues (cyber warfare or
info warfare?)

35. OPEN QUESTIONS IN INTERNATIONAL LAW
1. Definition: is cyberspace = WWW or
cyberspace = information space?
2. Sovereignty – how much do states have in
cyberspace?
3. Due diligence – what duty do states owe?
4. Responsibility – when are states responsible for
actions of third parties or proxies? Are
countermeasures allowed?
5. Espionage – what about IP theft?
6. Use of force – what is ‘armed attack’ in cyberspace?