With new laws passed, Cybersecurity czar granted new powers: Singapore
On February 5, a bill stating that Singapore will have a cybersecurity czar which is authorized to obtain confidential information from local organisations to investigate suspected cyber attacks was passed in the Parliament.
The Cyber Security Bill was supported by a majority of the MPs in a 3-hour debate at the Parliament. Some of them expressed their concerns about the enormous powers given to the Commissioner of Cybersecurity - Mr David Koh, Chief Executive of the Cyber Security Agency of Singapore.
As per the new law, the Commissioner can demand data or seize computers not only from owners of Critical Information Infrastructure (CII), but also non-CII systems if necessary, for the purpose of the investigation. Any system that relates to 11 essential services, including banking, telecommunications, transport, healthcare and energy form the CII.
Workers' Party MP Pritam Singh (Aljunied GRC) questioned as to what would be the outset for investigating incidents. He also confirmed if the broad powers would be used on dissenters. "Can the Minister confirm the envisaged threshold of what qualifies as a major incident so that the house is assured the commissioner's powers will be used very judiciously and not against government critics and individuals?" he queried.
Mr Zaqy Mohamad (Chua Chu Kang GRC), Mr Darryl David (Ang Mo Kio GRC) and Ms Sun Xueling (Pasir Ris-Punggol GRC) asked what safeguards will be in place to protect consumers' privacy, especially when computers contain sensitive health records from insurance companies or investments portfolios from banks.
Mr David said, "Potential ethical dilemmas could arise when cyber security officers, in the course of their work, gain access to personal data that contains identifiers, when the providers of that information did not give explicit consent for the information to be used or accessed." Minister for Communications and Information Yaacob Ibrahim assured MPs that the powers under the Bill "are not meant to intrude privacy".
Observing that any needed information will be technical in nature, Mr. David also told the House that the commissioner's powers are calculated and strictly meant to keep the lights on for essential services like network and system audit logs and network configuration.
"Such powers are necessary given the potential impact from serious cyber-security threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and way of life," said Dr Yaacob.
CII owners will be notified of any intrusive network scanning or any seizing of computers and a fine of up to $100,000 or two years jail, or both would be conferred upon those who fail to share the required information or comply with any orders from the commissioner.
While the question of keeping the guards on watch was raised, Dr Yaacob said that any cyber security professional who misuses data will be prosecuted under the existing Computer Misuse and Cybersecurity Act (CMCA), which was renamed the Computer Misuse Act (CMA).
