Giving teeth to cyber security

SINGAPORE - A law passed this week gives the Government powers to take pre-emptive steps to prevent potentially crippling cyber attacks on essential services.

The new Computer Misuse and Cybersecurity Act grants power to the Home Affairs Minister to order, say, telcos and banks to disclose information to the Government long before a cyber attack hits Singapore. Before this change, the minister could issue a directive only when the attack on Singapore was imminent.

During the debate in Parliament on the new law, MPs raised concerns about confidential information being leaked and possible abuse of power.

Lawyer Gilbert Leong, partner at Rodyk & Davidson LLP, gives his assessment of the law and these concerns.

What can the new legislation achieve that the old law couldn't?

Under the old law, the minister could only authorise a party - an organisation or a person - to take measures to prevent or counter such threats. Clearly, this power may not have been sufficient because the party could well have declined to act. The old law did not contain any provision to compel the party to act. It had no teeth.

But under the new law, non-compliance has been made an offence, carrying a jail term of up to 10 years, a fine of up to $50,000, or both. Additionally, the new law allows the party identified by the minister to direct another person or company that holds any information that may be required to "identify, detect or counter" the threats to provide that information.

For instance, if a telco is directed by the minister to carry out some measures that the telco cannot do without certain information held by a security services company, the telco may compel that security services company to provide the information.

Another significant point is the widening of the definition of "essential services". The new law now covers land transport infrastructure, aviation, shipping and health services (as opposed to only medical services). Arguably, without the amendments, the minister would not have been able to authorise - much less direct - any counter-measures if those services were under attack.

Should the new legislation go further?

For now, the new law is adequate. The changes are already quite expansive and will cover most, if not all, areas of concern. For instance, organisations or individuals may be worried about lawsuits if they reveal commercially sensitive information when complying with the minister's direction. New provisions address that.

Those who act on the minister's direction get immunity from civil and criminal liability. This immunity also applies to disclosures which would otherwise be breaches of non-disclosure agreements. The only exception is information subject to legal privilege; that cannot be disclosed.

What balance should the Government strike in protecting Singapore's critical services as well as the interests of private companies?

It must be appreciated that the powers conferred on the Government would only be used in extreme and perhaps dire circumstances. The Government does not require these powers to perform its day-to-day functions. Those circumstances would not occur frequently and from that perspective, the risk to private companies would be rather low.

In any case, this is not the only piece of legislation which empowers the Government to seek information from individuals or companies. Other laws include the Internal Security Act, whereby the minister may authorise a police officer to inspect any banker's books, and the Competition Act, whereby the Competition Commission may even seize documents.

What the Government needs to do is to exercise these wide-ranging powers judiciously, and vigorously enforce the safeguards that protect the confidentiality of such information. One safeguard is a jail term of up to one year, a fine of up to $10,000, or both, if a recipient of information that may be commercially sensitive wrongfully discloses or uses it.

How about forming an independent panel as one of the safeguards?

An independent panel to vet the minister's intended directive is not a good idea.

One might contend that advance notice will give the intended recipients an opportunity to be heard before the directive takes effect, or allow the minister to change his mind or modify the directive.

However, I do not believe that giving advance notification is appropriate or desirable, as the circumstances are likely to be extreme or dire. The proverbial horse would have bolted.

It might not be a bad idea though if the purpose of the panel was to review the directive and the reasons why the minister acted in the way that he or she did, so that lessons could be learnt.

What makes the Government a better judge than, say, the security experts already hired by banks or telcos for deciding on what security measures should be taken to protect critical services?

We are not addressing a situation where the Government tells the banks or telcos what security measures ought to be adopted on a day-to-day basis. The measures adopted by the banks or telcos are probably adequate or may even be best-in-class.

However, private entities may lack a sense of awareness of what is happening to other parties here or globally.

For example, Singapore Power may notice that something is amiss with the electricity output of the power-generating companies in Singapore. So, it reports the anomaly to the Energy Market Authority which, after investigation, realises that the companies are experiencing a simultaneous cyber attack. The minister may then order telcos to assist in repelling the attackers.

In this instance, the Government may be the only one to have a bird's eye view of the attack.

A wrong ministerial directive may even cripple essential services.

That may well be true. But when dealing with cyber criminals or cyber terrorists, it would usually be a cat and mouse game - they would always try to outsmart the defences which have been put up. In that context, no one can really be sure what steps or actions are correct, suitable or effective to counter the attack.

The minister may be wrong, but actions taken by private enterprises may also be wrong. From that perspective, the risk evens out. One thing is certain though: If you do nothing in the face of a cyber attack on your essential services, those services will be crippled.

itham@sph.com.sg


Get a copy of The Straits Times or go to straitstimes.com for more stories.