On May 7, Singaporean lawmakers updated the country's cybersecurity rules, giving more power to the agency responsible for enforcing the rules, adopting definitions for computer systems that include cloud infrastructure, and requiring that critical information infrastructure (CII) operators report a broader range of cybersecurity incidents to the government.
The amendment to the Cybersecurity Act takes into account the impact of operating critical infrastructure management systems on cloud infrastructure and the use of third-party service providers by critical infrastructure operators, as well as the increasingly severe cyber threat landscape. In fact, as many critical information infrastructure operators have outsourced some aspects of their operations to third parties and cloud service providers, new rules were needed to hold these service providers accountable, Janil Puthucheary, Senior Minister of State at Singapore's Ministry of Communications and Information, said in a speech in front of the country's parliament.
“The 2018 law was developed to regulate CIIs that were physical systems, but new technology and business models have emerged since then,” he said. “Therefore, we need to update the law to allow us to better regulate CIIs so that they remain secure and resilient against cyber threats, whatever technology or business model they operate on.”
Singapore’s amendment to its cybersecurity law is the latest update to the rules among Asia-Pacific nations. In early April, the Malaysian Parliament passed its cybersecurity bill, which aims to create a robust cybersecurity framework for the country, including a licensing requirement for certain companies and consultants. In the same month, Japan, the Philippines, and the United States passed a new law on cybersecurity, establishing tripartite arrangements for information exchange to repel nation-state attacks from China, North Korea, and other rival states.
Donnie Chong, product manager at Nexusguard, a denial-of-service defense company, says the Cyber Security Agency's additional regulations have broad support in Singapore after extensive outreach to critical infrastructure providers, citizens, businesses and legal experts.
“The growing number of cyber threats is worrying many people – domestic and global incidents have highlighted vulnerabilities in our digital infrastructure. We are increasingly seeing businesses become more aware of the ways cyber attacks can severely impact essential services and national security, which is driving the need for stricter regulations,” he says.
Cybersecurity in light of changes
The original Cybersecurity Act was intended to strengthen protections around CII, give the Cyber Security Agency of Singapore (CSA) the authority to manage cybersecurity prevention and response programs in the country, and create a licensing framework to regulate cybersecurity service providers.
However, officials quickly realized that stronger powers were needed to protect national infrastructure, and over time, cloud computing and cloud services changed the regulatory landscape. For example, the CSA has been unable to regulate any critical infrastructure provider or CII service provider located entirely offshore.
“When the law was first drafted, it used to be that internet infrastructure was physical systems that were held on-site and wholly owned or controlled by the owner of the internet infrastructure,” Puthucheary said. “But the advent of cloud services has challenged that model.”
The amendment divides companies and infrastructure operators into five categories: provider-owned CII, non-provider-owned CII, foundational digital infrastructure (FDI) services, entities with a special interest in cybersecurity, and system owners with a temporary interest in cybersecurity, according to Lim Chong Kin, managing director and co-head of the data protection, privacy and cybersecurity group of Singapore-based law firm Drew & Napier.
The requirements for such organizations vary depending on the business category, Lim says, but could include audits, risk assessments, cybersecurity incident reporting, and contract language required for third parties. Since individual companies may have trouble defining requirements with large multinational cloud providers, the CSA will “activate new incident reporting requirements,” he says.
“The expanded regulatory obligations are likely to impose some degree of unavoidable increased compliance costs on companies,” says Lim. “The exact extent of the impact on affected organizations will become clear in due course as the new reporting requirements come into effect.”
Geopolitics and AI pose major challenges
As Singapore relies heavily on global trade and maintains an open digital economy, the country remains a popular target among threat actors, with both nation-state and cybercriminal groups targeting Singaporean organizations and individuals. The country's Cybersecurity Health Report, released earlier this year, found that more than 80% of Singaporean organizations surveyed were subjected to a cyber incident in the past year, and nearly all of these victims (99%) experienced business impact.
The future will also be uncertain, Lim says, as artificial intelligence and quantum computing are emerging technologies that appear to be changing the threat landscape. For these reasons, updated regulations are just the beginning of the road to improved cybersecurity, he says.
“While regulation remains important, it will also be necessary at a broader level to develop a cyber-literate population and ensure support from all stakeholder groups within society… in order to effectively secure cyberspace in Singapore,” he says.
The country is already one of the most internet-literate in the world. More than 90% of Singapore's population communicates online, with a B2B technology adoption rate of 94% in 2022, up from 74% in 2018, according to Puthucheary.
“Business models may change, but the basic principle remains the same,” he told parliament. “Essential service providers must remain responsible for the cybersecurity and cyber resilience of the computer systems they rely on to deliver the essential services they provide.”
UPDATED: This article was updated at 3:15 ET on May 29 to emphasize that the amended law does not directly affect cloud service providers, but rather holds CII operators responsible for their use of cloud service providers. Additional context has also been added.