Lawmakers in Singapore updated the nation's cybersecurity regulations on May 7, giving more power to the agency responsible for enforcing the rules, adopting definitions of computer systems that include cloud infrastructure, and requiring that critical information infrastructure operators report any cybersecurity incident to the government.
The Cyber Security Act amendment takes into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators, as well as a cyber threat landscape that is growing more dangerous.
In effect, since so many critical information infrastructure operators have outsourced some facets of their operations to third parties and cloud providers, new rules were needed to hold those service providers accountable, Janil Puthucheary, senior minister of state for the Singapore Ministry of Communications and Information, said in a speech before the country's parliament.
Singapore's amendment to its Cyber Security Act is the latest update to rules among Asia-Pacific nations.
In early April, the Malaysian Parliament passed its own Cyber Security Bill, which aims to establish a strong cybersecurity framework for the country, including requiring licensing for some firms and consultants.
The same month, Japan, the Philippines, and the US put in place a trilateral information-sharing arrangement to blunt nation-state attacks from China, North Korea, and other rival nations.
The Cyber Security Agency and the additional regulations have broad support in Singapore following extensive outreach to critical infrastructure providers, citizens, businesses, and legal experts, says Donny Chong, product director at Nexusguard, a denial-of-service defense firm.
Cybersecurity for Changing Times The original Cybersecurity Act aimed to strengthen the protections around CII, gave the Singaporean CSA the authority to manage the nation's cybersecurity prevention and response programs, and created a licensing framework for regulating cybersecurity service providers.
Officials quickly realized that stronger powers were needed to protect the national infrastructure and, as time went on, that cloud computing and cloud services have changed the regulatory landscape.
The CSA, for example, could not regulate any critical infrastructure provider or CII service provider that was wholly located overseas.
The amendment divides businesses and infrastructure operators into five categories: provider-owned CII, non-provider-owned CII, foundational digital infrastructure services, entities of special cybersecurity interest, and owners of systems of temporary cybersecurity concern, according to Lim Chong Kin, managing director and co-head of the data protection, privacy, and and cybersecurity group for Singapore-based law firm Drew & Napier.
The requirements for such organizations include audits, risk assessments, reporting of cybersecurity incidents, and required contract language for third parties, Lim says.
Geopolitics and AI Pose Key Challenges Because Singapore relies heavily on global trade and maintains an open digital economy, the country continues to be a popular target among threat actors, with both nation-state and cybercriminal groups targeting Singaporean organizations and individuals.
The future will also hold uncertainty, as both artificial intelligence and quantum computing are disruptive technologies that appear to be changing the threat landscape, Lim says.
For those reasons, updated regulations are just the beginning of a road to better cybersecurity, he says.
The country is already one of the most cyber-literate nations in the world.
More than 90% of Singapore residents communicate online, with the technology adoption rate at 94% in 2022, up from 74% in 2018, according to Singapore's Puthucheary.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 15 May 2024 01:05:35 +0000