My speech during the Second Reading debate on this Bill on 7 May 2024.
The Cybersecurity (Amendment) Bill seeks to extend the regulatory reach of the Cyber Security Agency of Singapore (CSA) by updating the existing Cybersecurity Act of 2018. This includes the broadening of oversight across newly classified critical information infrastructure (CII) and the introduction of stringent compliance and reporting requirements, all aimed at addressing the escalating challenges within our digital environment.
In this age of digitalisation, cyberattacks on critical infrastructure can pose a significant threat to our national security and well-being. Examples of cyber attacks around the world abound.
Cyber attacks worldwide
In December 2015, Ukraine experienced a significant cyberattack targeting its power grid, which resulted in widespread electricity outages across several regions. This was one of the first known successful cyberattacks on a power grid. The attackers, who were sophisticated and well-coordinated, used phishing schemes to install malware on the networks of several regional electricity companies. They were able to gain control of the companies’ systems and shut down substations, cutting off power for approximately 230,000 people for several hours. This incident not only disrupted everyday life but also exposed the vulnerability of essential infrastructure to cyber threats and the potential for state-sponsored cyber warfare.
In May 2017, the UK’s National Health Service (NHS) was struck by the WannaCry ransomware, a global cyberattack that infected over 200,000 computers across 150 countries. The NHS faced significant disruption as the ransomware encrypted data on infected machines, demanding payment to restore access. Approximately 19,000 appointments and operations were cancelled, and patients had to be diverted from emergency rooms which were unable to access critical digital services. The attack highlighted the importance of cybersecurity hygiene, as it exploited a known vulnerability in older Windows operating systems that had not been updated with available patches.
Here at home, in 2018, hackers infiltrated SingHealth’s healthcare system, stealing personal data of 1.5 million patients. This included information like names, addresses, and dates of birth. Additionally, medical records of 160,000 patients, including those of the Prime Minister, were also compromised. The sophistication of the attack, the type of data targeted and the resources needed for such a breach suggested that this cyberattack may have been state-sponsored.
Each of these incidents serves as a stark reminder of the chaos and danger posed by cyberattacks. They underline the need for robust cybersecurity measures and the ability to rapidly respond to and manage cybersecurity threats, particularly when critical national infrastructure is at risk.
Operational intervention by CSA
Under this Bill, the CSA is empowered to regulate, monitor and enforce compliance through penalties and directives. I would like to ask the Minister if the Bill grants the CSA, or any other national body, explicit authority to take over the operations of critical systems if their owners fail to secure them adequately, despite directions from the Authority. The current provision in Section 23 allows the Minister to direct organisations to take measures to counter serious and imminent threats but does not explicitly grant the authority to directly take over operations of critical information infrastructure. This explicit authority may be necessary in situations where immediate action must be taken to prevent or mitigate a cybersecurity threat that poses a critical security risk.
In contrast, the Bus Services Industry Act 2015 is more explicit in its wording about operational intervention. Section 30 of that Act grants the Land Transport Authority (LTA) the power to make a “step-in order” in certain circumstances. This order allows the LTA to take over the operations of a licensed bus operator or appoint a step-in operator to do so.
The Bus Services Industry Act also specifies the powers and functions of the step-in operator, such as having the same powers as the original licensee and requiring the licensee to provide access to premises, assets and employees. The Cybersecurity Act is less specific about what the emergency “measures and requirements” may entail.
Incorporating similar provisions in the Cybersecurity Act could provide a clearer legal framework for the CSA to directly intervene and take control of critical information infrastructure when necessary to protect national security or the lives of Singaporeans. This would ensure that the government has the necessary tools to respond swiftly and decisively to imminent cybersecurity threats.
In addition, while the CSA’s regulatory and enforcement roles are crucial, in instances where national security is at imminent risk, are there any additional protocols for bringing in the SAF’s Digital and Intelligence Service (DIS) to manage the cybersecurity defences of critical information infrastructure?
Does the Minister see it necessary to develop a framework that enables either the CSA or the DIS to respond rapidly and directly to imminent threats to our critical information infrastructure, ensuring that operational control can be swiftly transferred in a crisis? Having this operational backstop is desirable precisely because cybersecurity attacks have high potential severity and could unfold very quickly.
This will require the strengthening of public-private collaboration to ensure the seamless integration of state and commercial resources in fortifying our national cybersecurity infrastructure. In addition, the CSA will need to ensure it has the necessary expertise to undertake such responsibilities when called upon to do so. The agency needs to be adequately staffed and equipped with the requisite skills and technology in order to effectively manage and mitigate cybersecurity threats. Such an arrangement will be a long-run investment in our own capabilities that is worth making, both in defensive terms and to enable public-private knowledge diffusion.
Extraterritoriality
Regarding the new sections 7(1A) and 16A(1), how will the government enforce its extraterritorial judgments on overseas providers of critical information infrastructure if the owner is not in Singapore? Can the Commissioner take enforcement action outside of Singapore? If we aren’t able to enforce the laws overseas, what purpose do these extraterritorial provisions serve?
Monitoring
In section 29A on monitoring, relying primarily on examining historical records and conducting ad-hoc inspections may not be sufficient to provide the real-time, continuous monitoring needed to keep pace with rapidly evolving cyber threats. More proactive oversight measures, potentially including direct access to providers’ systems, may be required for effective supervision. WannaCry, the global ransomware attack in 2017, rapidly spread across computer systems over seven hours, while the 2015 Ukraine power grid hack led to electricity outages lasting up to six hours. These are events that unfolded in less than one day. If we really want to monitor with a deterrent view in mind, we need to have operational integration and develop our backstop capabilities.
Conclusion
In conclusion, Mr Speaker, while the Cybersecurity (Amendment) Bill makes important strides towards enhancing our national cybersecurity posture, our approach must remain adaptable to the realities of digital warfare and capable of decisive action in times of emergencies.
Sir, I support the Bill but I look forward to the Minister’s responses to my concerns.