The Evolution of Cybersecurity Policy and Law in Singapore

This article describes the evolving concept of “cybersecurity” to cope with the rapid changes in the infocomm tech landscape and artificial intelligence. It argues that the traditional notion of cybersecurity as the securing of computer hardware and software from cyberattacks is too narrow and the current Singapore law and policy actually focuses on a broader understanding of cybersecurity that includes the protection of the ever more complex digital infrastructure, wider categories of data and forms of technology intermediaries. There is also a noticeable shift from deterrence/punishment to prevention/mitigation in the types of measures to deal with security vulnerabilities and breaches.

The range of cybersecurity threats emerges concomitantly with developments in Infocomm Technology (ICT) innovation. The nature of these threats, the vulnerabilities of computer systems and networks, as well as the type of menace they pose to society, have rapidly evolved with the changing nature of ICT and the increasing use of AI in every aspect of life. Aware of these challenges, the Singapore government has been revising its policy and legal instruments to counter the dangers involved in the use of ICT even as it remains committed to the Smart Nation initiative.[1]

The government’s ICT policy, how it has translated into law, and the build-up of expertise in the workforce, are largely aimed at encouraging ICT innovation and investments into Singapore. The overall objective is to provide a conducive and welcoming environment for the industry to flourish, but not at the expense of social stability and peace.

The concept of “cybersecurity” has changed as data use – both for training computer systems, and the operationalisation of such systems for social interaction and professional transactions – becomes more sophisticated. There is now a greater focus on the type of data involved and its potential and actual impact on society and the economy.

The reality is that nefarious agents have the tools and expertise to remain anonymous and operate from outside Singapore’s jurisdiction. Moreover, harmful effects on individuals and entities as well as the potential de-stabilization of the social and economic structure of the country can come not only from hostile actions by third parties conducting cyberattacks, but also occur without any external interference such as from computer system vulnerabilities that can cause network inefficiency, computer malfunction or data leak. Hence, it makes sense that, although crime and punishment remains a key component of the cybersecurity strategy, the main focus is now more on prevention and deterrence.

The solution to the cybersecurity problem has also become more multi-faceted with greater emphasis placed on the role and involvement of technology intermediaries in the prevention and deterrence of cybersecurity threats, and the mitigation of cybersecurity incidents. This is apparent from the increased presence of such intermediaries in recent ICT legislation.

The earliest form of cybersecurity law was based only on the odd provision in the then Computer Misuse and Cybersecurity Act (CMCA, now the Computer Misuse Act (CMA)).[2] However, in the last five years, a suite of laws that deal with cybersecurity concerns (understood in the broader sense) has emerged – from the stand-alone Cybersecurity Act (CSA)[3] to the Personal Data Protection Act (PDPA);[4] the Protection of Online Falsehoods and Manipulation Act (POFMA)[5] to the Foreign Interference (Countermeasures) Act (FICA);[6] and the latest Broadcasting Act amendments (BA Internet regulations)[7] to the Online Criminal Harms Act (OCHA),[8] which commenced on 1 February 2024.
These statutes are all part of a comprehensive scheme to counter the diverse range of cybersecurity threats, not just those to the effective technological functioning of computer systems and networks that support essential services, but also those that take advantage of ICT in such a way as to cause socio-economic harm.[9]

Singapore’s approach is accretive, eschewing an omnibus instrument like the European Union’s (EU) Artificial Intelligence Act (AI Act)[10] or the direct and wholesale prohibition of any technology or entity,[11] approaches that are often broad-based and not nuanced enough to deal with the myriad forms of modern technology. These new Singapore tech laws appear to be part of a larger plan to plug legal loopholes incrementally and in a way that deals with specific problems using the most suitable and appropriate tools.

A Broader Notion of Cybersecurity: Practice and Governance

The basic and simple understanding of “cybersecurity” is the protection of both the integrity of computer hardware and computer systems (i.e. rights of access, use and modification) and the data contained within them, including programs and data (i.e. rights of ownership, control and possession).

A definition that is more aligned with Singapore’s policy and legal approach describes “cybersecurity” as “things that are done to protect a person, organisation, or a country and their computer information against crime or attacks carried out using the internet.”[12]

The broader national interests that must be safeguarded from harm and the private interests that should be protected will have to be identified. Then, the ownership and function of the computer hardware and software, and the type of data contained therein, will also have to be determined before the legal rights and liabilities can be set out. The appropriate level of legal responsibility can then be placed on the most suitable technology intermediaries.

This broader conceptualisation of cybersecurity can explain the distinction between the CMA and the cybersecurity suite of laws. First, the CMA is essentially criminal legislation and its main focus is on the punishment of perpetrators of computer-related offences. Second, the nature of the computer, computer system and program/data is irrelevant in the CMA (i.e. it is technology- and value-neutral), except insofar as damage may be caused or in relation to the “protected computer” category, for the purpose of determining the appropriate sentence.[13] Third, the CMA (and Criminal Procedure Code (CPC))[14] powers relate more to police investigations (for crimes that have already occurred), whereas the Cybersecurity Act (CSA) contains powers to compel cybersecurity owners to take measures to prevent and mitigate any cybersecurity incident,[15] and the other laws discussed above also focus more on preventative and other measures by technology intermediaries.

The Evolution of Singapore’s Cybersecurity Policy as a Smart Nation

As part of the national drive towards building a Smart Nation whereby technology is harnessed and integrated into every aspect of Singapore’s socio-economic fabric, it is necessary to build a strong and robust cybersecurity regime and environment to establish a stable environment for innovation and corporate entities to operate while ensuring that the trust and confidence in its use by society is maintained.

The Singapore government’s approach is to first establish strong institutional support for the administration and enforcement of its laws and regulations to achieve its goals for cybersecurity, mainly led by the Ministry of Communications and Information (MCI) and its agencies, in particular the Infocomm Development Authority (IMDA), but administered by the most appropriate Ministry (or agency) depending on the objective and subject matter of protection. Second, the legislature will formulate statutes to carry out different policy objectives, which increasingly involve the most appropriate technology intermediary in formulating both legal and non-legal processes and approaches to cybersecurity.

Cybersecurity Law and the Cyberspace Stakeholders

The interests at the national (i.e. political, societal and economic), industrial and individual level are different, although the same or similar measures and mechanisms can be taken to protect these interests. Since such protection can relate to the restriction (and even prohibition) of information and hence, consequentially, the freedom of speech and expression, they must come under Constitutionally permitted exceptions.[16]

There are different national interests that have to be secured in the cyber-realm and they are set out in Table 1 (below at row 1). They fall into three main categories:

  1. First, those that relate to sensitive subjects that may have a negative effect on social cohesion and harmony in Singapore, which can generally fall under the need to maintain “public order”. Often, these relate to matters that can affect racial and religious harmony, or cause disaffection between different nationals living and working in Singapore (and classes of persons in our society). This will include laws to protect against information disorder that can pose a threat to the aforementioned public order (i.e. POFMA and FICA); and laws to discourage, prevent and deter criminal behaviour, including anti-social acts, terrorism and scams or malicious cyber-activities (OCHA).
  2. Second, laws to protect both government administration and services (which are pivoting towards the use of ICT), which are often premised on “public interest” grounds or other similar bases such as national security, international relations between Singapore and other countries, and the need to maintain the integrity and reputation of the branches of government (i.e. POFMA and FICA). This category will also include laws to protect the “critical information infrastructure” and the delivery of “essential services” in Singapore (i.e. CSA).[17]
  3. Third, and perhaps most controversially, are laws to protect “public morality”. These are contained in the new BA online communication service regulations that deal with harmful material identified as “egregious content”.[18] It is actually an extension of existing censorship laws that provide for media convergence in prohibiting and restricting certain types of information considered to be harmful, in particular “objectionable” and “obscene” content.[19] There is a greater emphasis on protecting children and young persons here.

Table 1. ICT Legislation and Policy Objective

Legislation / Policy Objective

1. National Interest

Computer Misuse Act (long title)
An Act to make provision for securing computer material against unauthorised access or modification, for preventing abuse of the national digital identity service, and for matters related thereto.

Cybersecurity Act (long title)
An Act to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate owners of critical information infrastructure, to regulate cybersecurity service providers, and for matters related thereto.

Protection from Online Falsehoods and Manipulation Act (s.5, “public interest” (s.4))
The purpose of this Act is to prevent the communication of false statements of fact in Singapore and to enable measures to be taken to counteract the effects of such communication; to suppress the financing, promotion and other support of online locations that repeatedly communicate false statements of fact in Singapore; to enable measures to be taken to detect, control and safeguard against coordinated inauthentic behaviour and other misuses of online accounts and bots; and to enable measures to be taken to enhance disclosure of information concerning paid content directed towards a political end. [On condition that it is in the “public interest” generally]

Foreign Interference (Countermeasures) Act (s.3)
The purposes of this Act are to protect the public interest by counteracting acts of foreign interference through countermeasures aimed at such acts by electronic communications activity; and countermeasures aimed at pre-empting or preventing the occurrence of such acts involving persons identified as at-risk because they are politically significant. [On condition that it is in the “public interest” generally]

Broadcasting Act (long title, “online communication service regulation” (s.45A))
An Act to regulate … online communication services accessible by Singapore end-users. [And] to ensure that providers of online communication services to Singapore end-users provide a safe online environment for Singapore end-users that promotes responsible online behaviour, deters objectionable online activity and prevents access to harmful content; place adequate priority on the protection of Singapore end-users who are children of different age groups from exposure to content which may be harmful to them; and are regulated in a manner that enables public interest considerations to be addressed.

Online Criminal Harms Act (long title)
An Act to counter online criminal activity and protect against online harms, and for connected purposes.

2. Private Interest

Personal Data Protection Act (s.3, “protection of personal data” (s.24))
The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. (emphasis added)

Electronic Transactions Act (long title, s.3)
An Act to provide for the security and use of electronic transactions … [Including what is commercially reasonable under the circumstances to: facilitate electronic communications, commerce, public administration and services; to minimise forgery and fraud; to establish uniform rules, regulations and standards for authentication and integrity of electronic signatures and records; and to promote public confidence in the integrity and reliability of electronic transactions.]

Copyright Act (long title)
An Act … to provide for copyright, the protection of performances and related rights …

At the industry level, laws like the ETA and Copyright Act contain provisions that protect against cyberattacks, and reinforce such protections, for different reasons, primarily commercial.[20] The objective of the ETA is to facilitate the identification, authentication and trustworthiness of electronic transactions, including electronic commerce; while the Copyright Act contains provisions to reinforce protections, technical and otherwise, for copyright owners’ proprietary interests. The protection of proprietary electronic programs or data, computers and computer systems (i.e. CMA) is also an important component of the strategy here.

Finally, for the individual, the PDPA balances their rights and interests in their personal data against the need for organisations (commercial or otherwise) to collect, use or disclose that information for purposes that a reasonable person would consider appropriate in the circumstances.[21]

Cybersecurity Law and the Gatekeepers of Cyberspace

It is apparent that the newer Acts provide a more detailed classification of, and increased role for, technology intermediaries as the gatekeepers to online transactions.[22] Table 2 (below at column 1) generally classifies the technology intermediaries, the approach (e.g. based on a technological function and/or the type of service)[23] and the measures they may provide to prevent or mitigate harm as determined by the relevant authority (below at column 2).

Table 2. The Role of Technology Intermediaries and Relevant Measures in ICT Legislation

Type of Technology Intermediary / Forms of Statutory Measures

Broadcasting Act and Regulations
  Type of Technology Intermediary: “Internet Content Provider”; “Internet Service Provider”; “Internet Access Service”; “Online Communication Services” (currently only “social media services”)
  Forms of Statutory Measures: Notice and Take Down; Good Faith; Stop Access or Blocking Direction; Access Disabling and/or Stop Delivery/Communication

POFMA
  Type of Technology Intermediary: “Internet intermediaries” (prescribed or otherwise) and “Providers of Mass Media Services”; “Internet Access Service Provider”; “Digital Advertising Intermediaries”
  Forms of Statutory Measures: Correction Direction (targeted or general); Disabling Direction; Access Blocking Order; Access Disabling Order

FICA
  Type of Technology Intermediary: “Social Media Service” or “relevant electronic service”; “a person”; “App Distribution Service”; “Internet Access Service”
  Forms of Statutory Measures: Disabling Direction; Account Restriction Direction; Service Restriction Direction; Technical Assistance Direction; App Removal Direction; Access Blocking Direction

OCHA
  Type of Technology Intermediary: Proprietor of Relevant Location (or person in control of relevant material); Provider of Online Service (excluding Internet Access or App Distribution Service); Provider of Internet Access Service; Provider of an App Distribution Service
  Forms of Statutory Measures: Stop Communication Direction; Disabling Direction; Account Restriction Direction; Access Blocking Direction; App Removal Direction

These intermediaries are legally required to comply with legally-binding regulations, including Codes of Practice (if any), or they may face penalties for non-compliance. In some cases, there is the incentive to comply with statutory orders or directions from the relevant authority as it is a pre-condition for immunity from civil and/or criminal liability.[24] Intermediaries must also self-regulate as an industry or at the corporate level to avoid more top-down regulation and meet socio-political expectations and ethical standards.

Concomitantly, there are more varied preventive measures depending on the function and role of the intermediary, and the technology used.[25] There are often also criminal provisions against the content creator or source to punish them for, and deter the commission of, certain offences. It may also be noted that there are now more statutory provisions punishing the use and abuse of technology to commit offences, the use of unlawfully obtained data to commit other offences,[26] and the provision of financial aid to, or obtaining a financial incentive from, assisting in the commission of offences.[27]

In relation to security measures, not so much against external third-party attacks but to overcome internal weaknesses in securing data from unauthorised access/use or unnecessary leakage,[28] the CSA requires robust action to ensure the strong protection of computers and computer systems that are part of the critical information infrastructure, so as to prevent data leaks or weaknesses of process that may affect the integrity of operations and transactions. In contrast, the ETA is more concerned with the usefulness and reliability of an electronic tool for its function/purpose, such as for electronic communications and transactions. The ETA contains provisions on secure electronic records and signatures for identity and authentication as well as for evidential purposes.

A Work in Progress: The Future of Cybersecurity Law

It is apparent that cybersecurity law will continue to evolve. The CSA will be amended to expand its current cybersecurity coverage to Systems of Temporary Cybersecurity Concern (STCCs). Two additional classes of entity will also be regulated (albeit with a light-touch approach) – Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI), the latter of which can include technology intermediaries like cloud service providers and data centres.[29]

The Ministry of Communications and Information (MCI) has also formed a taskforce to look into a Digital Infrastructure Act (DIA) to enhance the resilience and security of Singapore’s digital infrastructure and services, in order to further minimise cyber-related risks, such as harms and disruptions caused by cybersecurity threats or vulnerabilities, through the introduction of appropriate legal measures.[30]

Endnotes

1 The three pillars of the Smart Nation Initiative are the digital society, economy and government. See, Smart Nation Singapore, Pillars of a Smart Nation at <https://www.smartnation.gov.sg/about-smart-nation/pillars-of-smart-nation/>.
2 1993 (2020 Rev Ed). The cybersecurity aspects of the erstwhile CMCA were taken out pursuant to s.49 of the CSA.
3 No. 9 of 2018. The Act provides for more measures to protect Singapore’s critical information infrastructure from cyberattacks and set up the Cybersecurity Commissioner to respond to such threats and incidents. It also set up the licensing regime for cybersecurity service providers. See, Cybersecurity Agency of Singapore, Cybersecurity Act: <https://www.csa.gov.sg/legislation/Cybersecurity-Act>.
4 2012 (2020 Rev Ed).
5 2019 (2020 Rev Ed).
6 No. 28 of 2021.
7 In particular, Act 38 of 2022 that introduced Part 10A (Online Communication Service Regulation). The other relevant, and older, Internet regulation is contained in the Broadcasting (Class Licence) Notification G.N. No. S 306-1996 (2004 Rev Ed) and Code of Practice.
8 No. 24 of 2023.
9 In the context of these legislation, a risk and impact assessment is made to determine the conditions for legal liability (to punish and deter cyber-attackers) and the pre-requisites for legal responsibility of technology platforms, in particular modern communication service providers, for both access and sharing of data (to prevent and mitigate harm).
10 European Union, Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts (COM/2021/206): <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52021PC0206>.
11 Such as that based on foreign ownership, identified as a national security threat. See e.g., Ganesh Sitaraman, The Regulation of Foreign Platforms, 72 Stan. L. Rev. 1073 (2022) and Zhang Zhining, Paradigms for Foreign Tech-Platforms Regulation: U.S. Options After the TikTok Saga, 18 Wash. J. L. Tech. & Arts 1 (2023).
12 Cambridge Dictionary Online at <https://dictionary.cambridge.org/dictionary/english/cybersecurity>.
13 S.11 of the CMA. Also, more recently, new offences are included for the unlawful acquisition, retention, disclosure or supply, etc. of passwords and access codes relating to the National Digital Identity Service (NDIS) under ss.8A and 8B, with definitions relating to the NDIS set out in the Schedule to the Act.
14 2010 (2020 Rev Ed).
15 Another example is the PDPA, which requires security measures and mandatory breach notification for the same reasons. See s.24 and Part 6A of the PDPA respectively.
16 According to art.14(2) of the Constitution of the Republic of Singapore: “Parliament may by law impose on the right (of every citizen to the freedom of speech and expression) such restrictions as it considers necessary or expedient in the interest of the security of Singapore or any part thereof, friendly relations with other countries, public order or morality and restrictions designed to protect the privileges of Parliament or to provide against contempt of court, defamation or incitement to any offence.” (emphasis added)
17 Both are defined in s.2 and designated/listed in the First Schedule of the CSA respectively.
18 Part 10A (Online Communication Service Regulation). “Egregious content” is defined in s.45D of the BA.
19 E.g. the Broadcasting (Class Licence) Notification and Code of Practice (supra. at n.7), Undesirable Publications Act 1967 (2020 Rev Ed) and the Films Act 1981 (2020 Rev Ed).
20 See Table 1 at row 2.
21 Ibid.
22 Intermediaries are not content creators, and any involvement in content creation, collation, modification or in the selection of recipient will likely take a person or entity outside the scope of its definition.
23 The approach can also incentivize or compel cooperation – through immunity from liability or penalties for non-compliance – or both.
24 In some statutes, an intermediary may be exempted or excused from liability (primary or secondary, depending on how an offence is set out), for helping to transmit or communicate the offending material.
25 See Table 2 at column 2. There are often also criminal provisions against the content creator or source to punish them for, and deter the commission of, certain offences.
26 See ss. 9 and 10 of the CMA, s. 8 of POFMA and s. 416A of the Penal Code.
27 See s.9 of POFMA.
28 E.g. s.24 of the PDPA and s.3 of the CMA.
29 Cybersecurity Agency of Singapore, CSA First Reading of the Cybersecurity (Amendment) Bill, available at: <https://www.csa.gov.sg/News-Events/Press-Releases/csa-first-reading-of-the-cybersecurity-(amendment)-bill>.
30 See the Ministry of Communications and Information, New Digital Infrastructure Act to Enhance Resilience and Security of Digital Infrastructure and Services (1 March 2024), available at: <https://www.mci.gov.sg/media-centre/press-releases/new-digital-infrastructure-act/>.

The post The Evolution of Cybersecurity Policy and Law in Singapore appeared first on The Singapore Law Gazette.