New law grants cybersecurity czar new powers

SINGAPORE - Singapore will have a cybersecurity czar who is empowered to obtain confidential information from local organisations to investigate suspected cyber attacks, under a Bill passed in Parliament on Monday (Feb 5).

Nineteen MPs spoke in support of the Cyber Security Bill, during a lengthy three-hour debate.

Many of them expressed concern, however, about the broad powers of that the new Commissioner of Cybersecurity - Mr David Koh, chief executive of the Cyber Security Agency of Singapore - will wield.

The new laws will allow the commissioner to demand data or seize computers not only from owners of critical information infrastructure (CII), but also non-CII systems deemed to be necessary for the purpose of the investigation.

CII refers to any system that relates to 11 essential services, including banking, telecommunications, transport, healthcare and energy.

Workers' Party MP Pritam Singh (Aljunied GRC) asked what threshold will be set to investigate incidents and if the broad powers would be used on dissenters. "Can the Minister confirm the envisaged threshold of what qualifies as a major incident so that the house is assured the commissioner's powers will be used very judiciously and not against government critics and individuals?" he queried.

Mr Zaqy Mohamad (Chua Chu Kang GRC), Mr Darryl David (Ang Mo Kio GRC) and Ms Sun Xueling (Pasir Ris-Punggol GRC) asked what safeguards will be in place to protect consumers' privacy, especially when computers contain sensitive health records from insurance companies or investments portfolios from banks.

Said Mr David: "Potential ethical dilemmas could arise when cyber security officers, in the course of their work, gain access to personal data that contains identifiers, when the providers of that information did not give explicit consent for the information to be used or accessed." Minister for Communications and Information Yaacob Ibrahim assured MPs that the powers under the Bill "are not meant to intrude privacy".

He also told the House that the commissioner's powers are calibrated and strictly meant to keep the lights on for essential services, noting that any information required will primarily be technical in nature.

These include network and system audit logs and network configuration."Such powers are necessary given the potential impact from serious cyber-security threats and incidents, which can disrupt our essential services, potentially cause physical damage and harm, and affect our economy and way of life," said Dr Yaacob.

CII owners will be notified of any intrusive network scanning or any seizing of computers,which Dr Yaacob said will be done only when the benefits of these measures outweigh the sacrifices.

Failure to share the required information or comply with any orders from the commissioner can lead to a fine of up to $100,000 or two years jail, or both.

Nee Soon GRC MP Henry Kwek suggested stiffer penalties for misuse of data, particularly for perpetrators from the cyber security industry. "How do we keep watch on the guards?" he asked, calling for more due diligence to be conducted on cyber security professionals.

In response, Dr Yaacob said any cyber security professional who misuses data will be prosecuted under the existing Computer Misuse and Cybersecurity Act (CMCA), which was renamed the Computer Misuse Act (CMA) on Monday (Feb 5).

THE STRAITS TIMES