Updated 14 November, 2017:
The Singaporean government will halt plans to introduce a licensing program for cybersecurity service providers and professionals after receiving public feedback. The country’s Cyber Security Agency (CSA) does however intends to license penetration testing and managed security operations centre (SOC) monitoring service providers. CSA also plans to work with industry to establish voluntary accreditation programs to improve the quality of cybersecurity services. These moves come after officials introduced a bill in July that recommends stronger state controls on cybersecurity firms and professionals.
The draft bill, expected to be delivered to Parliament early next year, aims to improve the country’s defenses against sophisticated cyberattacks by regulating individuals and companies in the cybersecurity sector and requiring Critical Information Infrastructure (CII) owners in eleven key sectors – government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport, and maritime – to report cybersecurity incidents and to share information with CSA officials when ordered.
During a six-week public feedback period from 10 July to 24 August, CSA received ninety-two feedback submissions from a “wide and diverse range of stakeholder groups”, including companies and industry associations according to the Ministry of Communications and Information (MCI) and CSA. Critics worry that licensing requirements for cybersecurity professionals would limit progress within the cybersecurity sector. The proposed bill will also make it difficult for Singaporean companies to bring in assistance from foreign cybersecurity service providers at short notice during cyber emergencies.
Critics of the bill also want CSA to narrow the bill’s’ definition of CII industries, to which CSA has agreed to update the definition to industries that are “explicitly designated” by the Commissioner of Cybersecurity. This means third-party vendors supporting CII operations will not face the same requirements imposed on CIIs such as reporting cybersecurity incidents.
The cybersecurity industry calls for safeguards to curb the broad powers the bill assigns to the Cybersecurity Commissioner, but CSA’s chief executive David Koh reassures that “the Bill gives CSA the powers to investigate and to respond in the event of a cybersecurity incident that affects the nation. It doesn’t give CSA broad powers to oversee every computer in Singapore.”
“The Bill actually defines the powers that CSA has, and it’s only in respect to the event of a cybersecurity incident,” Koh said, adding that CSA officers may also be criminally liable should they misuse information obtained from a computer seized during a cybersecurity investigation.
The bill, which is expected to pass, will take effect in the second half of 2018.