The document discusses Singapore's cybersecurity strategy and legal framework. The strategy rests on four pillars: (1) enhancing Singapore's standing as a trusted hub, (2) promoting collective responsibility, (3) using cybersecurity as an advantage, and (4) national cyber R&D. The Cybersecurity Act designates critical information infrastructure (CII) and gives the Cyber Security Agency (CSA) powers to investigate incidents. The strategy aims to strengthen cyber defences, educate the public, and develop Singapore as a cybersecurity hub in Asia.
Singapore Cybersecurity Strategy and Legislation (for SMU Law School 2019)
1. SINGAPORE CYBERSECURITY ACT AND CYBERSECURITY STRATEGY
Benjamin Ang
Head, Cyber Homeland Defence
Centre of Excellence for National Security, RSIS, NTU
Twitter @benjaminang
4. 11 SECTORS OF CRITICAL INFORMATION INFRASTRUCTURE
SERVICES: Government services; Emergency services; Healthcare; Media; Banking and financial services
UTILITIES: Power; Water; Telecoms
TRANSPORT: Transport; Airport; Seaport
5. SINGAPORE’S CYBERSECURITY ACT 2018
Critical Information Infrastructure
Designates certain systems / organizations as CII
Appoints CII Owners
Makes them responsible for complying with CSA’s standards, audit, participation in exercises, etc.
Makes it compulsory for CII Owners to report breaches (still optional for other organizations)
Other Systems
Gives CSA power to enter and take over systems (e.g. seize servers) in serious incidents
Ecosystem
Requires registration of some cyber professionals, e.g. penetration testers, Security Ops Centres
6. NCAP TO COMBAT CYBERCRIME
National Cybercrime Action Plan
Educate the public
Equip the police
Review the laws
Partner industry and overseas*
7. ENHANCE SINGAPORE’S STANDING AS A TRUSTED HUB
Strengthen Personal Data Protection Act
Consent required to collect, use, and transfer data
Enforcement by Personal Data Protection Commission
Embrace personal data protection as corporate culture
Professionalise Data Protection Officers
Work with foreign Data Protection Authorities
12. FUNDING FOR ASEAN CAPACITY BUILDING
S$10m (US$7m): ASEAN Cyber Capacity Programme
S$30m (US$22m): Singapore–ASEAN Cyber Security Centre of Excellence
13. HOSTING AND SUPPORTING INTERNATIONAL & REGIONAL EXCHANGES
Singapore International Cyber Week events
2018 AMCC tasked Singapore to develop framework
Co-organizing US-SG TCTP Workshops (3 years x all ASEAN members)
Collaborating on The Hague Process: International Law Applicable to Cyber Operations
Co-Sponsoring the UN/CSA Cyber Diplomacy training for UNGGE 2019/2020
15. TYPES OF LEGAL LIABILITY (IN SINGAPORE) FOR CYBERSECURITY LAPSES
Negligence
Breach of Personal Data Protection Act
Breach of other laws (OSA, Cybersecurity Act)
Breach of MAS Regulations
Breach of Contract
Breach of Directors’ Duties to Company
16. COST OF NEGLIGENCE ACTIONS
Yahoo – sued for ‘gross negligence’ in not securing user accounts
Home Depot – paid settlements of US$25m to banks and US$19.5m to consumers for 2014 breach
Neiman Marcus – paid settlement of US$1.6m to shoppers for 2013 breach
Target – offers US$10m settlement for breach
17. PERSONAL DATA PROTECTION COMMISSION FINES UNDER PDPA
S$10,000 fine on Propnex Realty for failing to make reasonable security arrangements to prevent unauthorised access of customers’ personal data
S$10,000 fine on JP Pepperdine
S$10,000 fine on Tech Mahindra for failing to make reasonable security arrangements to prevent unauthorised access / modification of mybill.singtel.com, myaccount.singtel.com
S$3,000 fine on Smiling Orchid
18. DIRECTORS’ DUTIES (AND SENIOR MANAGEMENT)
3.0.2 … the board of directors and senior management should have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.
3.1.2 They should also be fully responsible for ensuring that effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency and recoverability.
19. EXAMPLE: MAS NOTICE ON CYBER HYGIENE: FIs MUST IMPLEMENT 6 CYBER SECURITY MEASURES
1. address system security flaws in a timely manner;
2. establish and implement robust security for systems;
3. deploy security devices to secure system connections;
4. install anti-virus software to mitigate the risk of malware infection;
5. restrict the use of system administrator accounts that can modify system configurations; and
6. strengthen user authentication for system administrator accounts on critical systems
20. THE REAL STATE OF SECURITY
In June 2018, the attacker used a dormant local administrative account with the commonly used password hash of P@ssw0rd. The password had not been changed since 2012.
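Measures 5 and 6 of the MAS notice and the dormant 2012-era administrative account on this slide point at the same control gap: nobody was checking which privileged accounts still existed, were still in use, or still carried an old password. The script below is an added illustration, not part of the deck and not a CSA or MAS tool. It assumes an administrator has exported local-account data to CSV (account name, enabled flag, admin-group membership, password-last-set date, last-logon date), parses that export, and reports enabled administrative accounts whose password is older than a maximum age or that have not logged on within a dormancy window. The sample rows and both thresholds are constructed for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data): one row per local account, in the
# shape a hypothetical account-inventory tool might dump. Dates are YYYY-MM-DD.
SAMPLE_EXPORT = """\
name,enabled,is_admin,password_last_set,last_logon
svc_backup,True,True,2012-03-14,2018-06-01
jdoe,True,False,2018-04-02,2018-06-20
localadmin,True,True,2018-05-30,2018-06-25
deployuser,True,True,2016-07-01,2016-09-10
oldtemp,False,True,2011-01-05,2013-02-11
"""

# Thresholds are assumptions for this example, not values taken from MAS or CSA.
PASSWORD_MAX_AGE = timedelta(days=365)
DORMANT_AFTER = timedelta(days=180)


def parse_accounts(text):
    """Parse the CSV export into dicts with real booleans and dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"],
            "enabled": row["enabled"].strip().lower() == "true",
            "is_admin": row["is_admin"].strip().lower() == "true",
            "password_last_set": date.fromisoformat(row["password_last_set"]),
            "last_logon": date.fromisoformat(row["last_logon"]),
        })
    return rows


def audit_admin_accounts(accounts, as_of,
                         password_max_age=PASSWORD_MAX_AGE,
                         dormant_after=DORMANT_AFTER):
    """Return {account_name: [reasons]} for every enabled administrative
    account that is dormant and/or carries a password older than allowed."""
    findings = {}
    for acct in accounts:
        if not (acct["enabled"] and acct["is_admin"]):
            continue  # disabled or unprivileged accounts are out of scope here
        reasons = []
        if as_of - acct["password_last_set"] > password_max_age:
            reasons.append("password older than %d days" % password_max_age.days)
        if as_of - acct["last_logon"] > dormant_after:
            reasons.append("no logon for %d days" % dormant_after.days)
        if reasons:
            findings[acct["name"]] = reasons
    return findings


def run_sample(as_of=date(2018, 6, 30)):
    """Audit the constructed export as of a fixed date so results are repeatable."""
    return audit_admin_accounts(parse_accounts(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print("%s: %s" % (name, "; ".join(reasons)))
```

Against the sample, `svc_backup` is flagged for its stale password and `deployuser` for both a stale password and no logon in the window, while `localadmin` passes and the disabled `oldtemp` is skipped. The point of keeping the thresholds as parameters is that the account-age policy an organisation actually adopts is a management decision; the script only makes the gap visible.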
22. SECTION 19 – POWERS TO INVESTIGATE AND PREVENT CYBERSECURITY INCIDENTS
Require anyone to answer questions
Require anyone to produce records
Interview anyone
23. SECTION 20 – POWERS TO INVESTIGATE AND PREVENT SERIOUS INCIDENTS
Criteria
Real risk of harm to CII
Real risk of disruption to essential service
Real threat to national security, foreign relations, economy
Severe because of number of computers or value of information
Powers
Direct anyone to carry out remedial measures
Require the owner to assist
Enter premises
Access computers
Scan computers
Take copies
Take computers
25. SECTION 23 – EMERGENCY CYBERSECURITY MEASURES
Criteria (Minister decides)
necessary for preventing, detecting or countering any serious and imminent threat to — (a) the provision of any essential service; or (b) the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore
Powers
Can direct anyone to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat”
27. CONCERNS AND RESPONSES
Concern: Conflict between CSA and Sector Regulators? Response: Make Sector Regulators into Asst Commissioners
Concern: Suppliers of CII affected? Response: Suppliers not affected
Concern: Overseas computers? Response: Only Singapore
Concern: How much must CII owners do? Response: CII owners must take reasonable steps
Concern: What if CII owners just fail to comply? Response: Penalties only for wilful non-compliance
28. CONCERNS AND RESPONSES (CONTD)
Concern: Can CSA seize computers? Response: CSA can seize with consent, in emergency
Concern: How will CSA define ‘emergency’? Response: ‘Emergency’ decided with regulator and business
Concern: What if CSA officers abuse data? Response: CSA officers are subject to criminal prosecution
29. CONCERNS AND RESPONSES (CONTD)
Concern: Will threat or incident info shared with CSA be safe? Response: Info shared with CSA is protected under Act
Concern: Will CSA breach data privacy? Response: CSA will only access technical data
32. A MANAGEMENT ISSUE
"I thought to myself: 'If I report the matter, what do I get?' If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them."
34. CHALLENGES TO IMPLEMENTATION
● Is it impossible to monitor / enforce / attribute?
● Is it impossible to define (e.g. what is a cyber weapon?)
● Would it take too long to negotiate / would it become obsolete?
● Would Norms be more flexible?
● Will some states want to maintain their cyber offensive capability?
● Will some states object on human rights issues (cyber warfare or info warfare?)
35. OPEN QUESTIONS IN INTERNATIONAL LAW
1. Definition: is cyberspace = WWW or cyberspace = information space?
2. Sovereignty – how much do states have in cyberspace?
3. Due diligence – what duty do states owe?
4. Responsibility – when are states responsible for actions of third parties or proxies? Are countermeasures allowed?
5. Espionage – what about IP theft?
6. Use of force – what is ‘armed attack’ in cyberspace?