August 24, 2017
Via csa_cs_bill_feedback@csa.gov.sg
Subject: Public Consultation for the Cybersecurity Bill
Dear Dr. Yaacob and Mr. Koh:
The American Chamber of Commerce in Singapore (AmCham), BSA | The Software Alliance, the Coalition of Services Industries (CSI), the Information Technology Industry Council, the US-ASEAN Business Council, and the U.S. Chamber of Commerce express our gratitude to the Ministry of Communications & Information (MCI) and the Cyber Security Agency of Singapore (CSA) for the opportunity to submit comments on the draft Cybersecurity Bill (draft bill).
We congratulate you on being rated the top nation in the world for cybersecurity by a special agency of the United Nations. The draft bill is the next step in Singapore’s cybersecurity journey. Achievements in this journey include: the passage of the Computer Misuse and Cybersecurity Act (1993) and its recent revision (2017); the establishment of the National Cyber Security Centre (2014); the establishment of the CSA (2015); the issuance of the Cybersecurity Strategy (2016) as well as numerous activities aimed at promoting cybersecurity in the region, and adopting the latest and most secure innovative technologies domestically.
The draft bill seeks to further strengthen Singapore’s cybersecurity governance and legislative framework by laying out four objectives: (1) providing a framework for regulating critical information infrastructure (CII); (2) empowering CSA; (3) establishing a framework for sharing cybersecurity information; and (4) establishing a licensing framework for cybersecurity service providers.
While there are many aspects of the draft bill that are welcome and that are likely to further strengthen Singapore’s cybersecurity, the members of our respective associations believe that changes to the draft bill are needed to best enable the legislation to meet the goal of improving cybersecurity in Singapore. We accordingly offer the following comments and recommendations:
- Laws should avoid creating disincentives to investment in security or slowing its progress. Policy and legal mechanisms can be put in place to support cybersecurity. For instance, legal avenues that permit fast sharing of threat information are critical, as are laws encouraging researchers to develop and test new security techniques. In this regard, a bureaucratic, paperwork-based strategy, licensing, and unilateral standards that go out of date quickly would be a counterintuitive approach to fostering enhanced cybersecurity for Singapore. The draft bill should also consider and aim to promote security innovation. Policy frameworks that impose barriers for companies and individuals to enter the cybersecurity field work against Singapore’s goal of levelling up cybersecurity and resilience.
- Ensure that the definition and designation of critical information infrastructure (CII) are clear, appropriately limited, and consistent. We agree with the core objective of the draft bill, which is to enhance cybersecurity and resilience for CII. However, broad definitions cause uncertainty for business owners, their providers, and the CSA during enforcement. We urge CSA to apply a rigorous, proportionate, and risk-based analysis to determine what should be designated CII. In addition, we would like to seek clarification that compliance with this draft bill is the responsibility of entities that provide essential services as defined in the First Schedule.
- Codes of practices or standards of performance must leverage existing best practices and global industry-led standards. Standards and best practices are most effective when developed in collaboration with the private sector, adopted on a voluntary basis, and recognized globally. Singapore should align any practices and standards it issues with industry-backed approaches to risk management, such as the ISO/IEC 27000 family of information security management systems standards or the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Allowing CII operators to combat evolving cyber threats with evolving best practices and standards permits a more flexible, current, and risk-based approach to cybersecurity.
- Prescriptive regulation is counterproductive. Prescriptive regulation is ill-suited to address fast-paced cyber threats and malicious actors that find new ways to launch attacks on governments, companies, and CII. Onerous reporting and compliance mandates (e.g., audits, risk assessments, incident reporting) force businesses to divert scarce resources away from proactively managing evolving cyber risks in order to fulfill requirements that quickly become outdated. They may also inadvertently drive a box-checking culture, creating an industry focused on compliance rather than a proactive and thoughtful approach that focuses on improving cybersecurity.
- Cybersecurity incident reporting is distinct from cybersecurity threat sharing. The former occurs after an incident happens and the damage is done, whereas the latter is proactive, informing organizations of potential threats (e.g., malicious code, indicators of compromise, tactics of cyber criminals) so that organizations can protect and defend their networks. While the draft bill mandates incident reporting, it is silent on cyber threat information sharing. A mechanism for information sharing should be added to the draft bill and should include the following parameters: multidirectional cyber threat sharing (e.g., government to industry, industry to industry); voluntary sharing of information; and protections from liability (including liability under data protection and anti-trust laws) when sharing information with industry peers or governments. Threat information sharing must protect privacy. Information sharing arrangements are most successful when they build on trust, enable bi-directional sharing, and enable victims of attacks to share information about both successful intrusions and near-miss attempts without fear of being investigated, sued, or held criminally liable as a result.
- Mandatory and broad incident reporting requirements can be counterproductive. Frameworks that force companies to report cybersecurity incidents without clearly defined risk-based criteria, leaving broad thresholds for reporting, can unintentionally inhibit cybersecurity by causing companies to over-notify of any incident on their systems. This can lead to notification fatigue, increased costs, and operational distractions, which makes it difficult to identify and address the most important incidents. Additionally, it is unclear what the exact goals for incident reporting are and what CSA would do with the information once submitted.
- Investigatory powers must be clearly defined and subject to checks and balances. We urge the authors of the draft bill to limit officials’ investigatory powers to only those systems that have been directly impacted by, or are suspected to have propagated, an incident which significantly impacts the continuity of essential services. We further urge the government to ensure that there are appropriate checks and balances in place to guard against the abuse of investigatory powers.
- Criminal liability under the draft bill penalizes the wrong actors. Criminal liability should be reserved for perpetrators of attacks, not CII owners. Not only do such penalties punish the wrong actor, they create a significant disincentive for investment in Singapore. Regulatory agencies should rely on specific directions to CII owners, with fines or injunctive relief as a means to promote compliance.
- Licensing cybersecurity providers and professionals is problematic. We recommend eliminating the licensing requirement as it runs counter to the objective of developing a vibrant cybersecurity ecosystem in Singapore. According to estimates, Singapore’s cybersecurity industry has the potential to double in value by 2020 with the potential to provide more than 2,500 additional job openings by 2018. The proposed licensing requirements, however, lack transparent and established eligibility criteria, create burdensome jurisdictional complexities that could increase the difficulty and cost for international firms, and could hamper the development of a vibrant cybersecurity ecosystem in Singapore. An industry-led effort is better suited to keep pace with technological change. Companies offering cybersecurity services must offer high-quality and effective security solutions in order to compete effectively in the market, and most companies adhere to global best practices.
- Transparency and public-private partnership are essential to successfully countering highly adaptive cybersecurity threats. It is not possible to develop effective governmental oversight for cybersecurity risk management without transparent policy development mechanisms. As Singapore moves forward with finalizing and implementing this law, any changes to codes of practice, standards, incident reporting, licensable services, and essential services should include a public consultation before amendments are made.
The table explains our concerns in greater detail, seeks clarification on several provisions, and offers our recommendations.
Cyber secure and resilient economies do not come about as a result of top-down legislation or regulation. Singapore will continue to be a world leader in cybersecurity by promoting public-private collaboration, expanding trust-based information sharing exchanges, and supporting use of best-in-class cybersecurity solutions. We appreciate your consideration of our concerns and look forward to working with you.
Signed,
The American Chamber of Commerce in Singapore
BSA | The Software Alliance
Coalition of Services Industries
Information Technology Industry Council
US-ASEAN Business Council
U.S. Chamber of Commerce