Singapore 2025

What of Singapore towards 2025? Thoughts of a Singaporean.

Parliament: Cybersecurity Bill

Introduction

Mr Speaker, this is a significant Bill which establishes a framework for the oversight and maintenance of cybersecurity in Singapore. Its ambit and reach are understandably wide in view of the reliance both the public and private sectors, including individuals, place on computer programs, systems and services, and the devastating prospect of debilitating cyberattacks on critical sectors of the economy. More specifically, the loss or exposure of private information may also erode trust in government, statutory agencies and private companies as the release of such information into the public realm can seldom ever be completely reversed. I understand the Bill has received significant feedback from industry with in excess of sixty companies, many of them large corporates and separately a healthy number of industry associations – not forgetting civic-conscious and interested individuals – providing feedback to the Ministry on this Bill. For that reason, my clarifications will be limited to the Bill’s broad principles and impulse, centering on queries that pertain to how the envisaged Cybersecurity Act will operate in practice.

Specific Clarifications on the Bill

The first clarification pertains to clause 7 of the Bill covering companies and entities that host Critical Information Infrastructure (CII) that are partly located overseas for business reasons or simply logistical convenience. As a part of a Singaporean entity’s CII ecosystem may be located overseas, how does the Bill ensure that this bifurcation does not render a particular CII susceptible to compromise or cyberattack since CII computers and computer systems based overseas are not covered by this Bill? Separately, in light of the feedback received, how common are such hybrid arrangements amongst public and private sector CII owners and is the Ministry concerned that some entities may seek to locate some elements of their CII overseas to hedge against the reach of the Act and as a consequence, compromise its regulatory reach? I have a similar clarification on the ownership of a CII, particularly if the owner is an offshore entity or individual. What regulatory oversight will the Bill realistically have over CII owners who operate outside our jurisdiction, and would this not represent a loophole?

Secondly, I seek some clarity on the compliance costs that are likely to result for both public and private sector entities as a result of this Bill. Feedback on such costs was received by the Ministry and there was also a suggestion that grants should be extended to help organisations offset these costs. Can the Minister give us some sense or estimate of the dollar value of the compliance costs to the Cybersecurity Bill with regard to, for example, CIIs in some of the sectors referred to in Schedule 1 of the Bill – perhaps those covering the Civil Aviation Authority of Singapore, the Public Utilities Board and some of our public hospitals? Finally, how much would be set aside in the budget for grants arising out of an increase in such compliance costs?

Thirdly, I understand from feedback to the Ministry there was some concern about what constituted a significant security incident. The language of the Bill in clause 14 focuses on prescribed incidents, suggesting that subsidiary legislation will clarify such words and terms. As the Bill imposes a duty on owners of CII to report incidents, can the Minister give the House a general sense, with examples, of the specific thresholds of hypothetical incidents which may require reporting under the Act? With this as a backdrop, can the Minister also share with Parliament what punishment would be effected by this Bill against a company like Uber – assuming it is a CII – which caused the compromise of personal information such as names, email addresses and personal contact numbers of close to 380,000 Singaporeans and tried to conceal the same, as reported in November last year? How far does this Bill go to take a CII owner to task for non-reporting should a similar Uber-like episode occur after the Bill becomes law? What other actions would the Government consider against entities that are negligent in securing their computer systems, and separately, if such an incident is aggravated through wilful concealment?

Fourthly, clause 19 of the Bill gives extraordinarily broad powers to the Commissioner of Cybersecurity and his officers to investigate cybersecurity threats and incidents against companies, entities and even individuals with respect to any computer or computer system in Singapore, not just to CIIs. The ambit of these powers is best exemplified by clause 19(1)(a) of the Bill which gives the Commissioner and any authorized officer the power to take, remove or make copies of a hard disk for example, even if it is only to assess the impact or potential impact of a cybersecurity threat. Non-compliance carries with it a fine of up to $5000 and/or an imprisonment term of up to six months. For avoidance of any doubt, notwithstanding the remarks in the Report on Public Consultation on the Draft Cybersecurity Bill where it was stated that such powers are to be applied in a calibrated manner and more importantly, in response to major cyber-security incidents against non-CIIs, can the Minister confirm the envisaged threshold of what qualifies as a major incident so that the House is assured the Commissioner’s powers will be used very judiciously and not against government critics and individuals? Coming back to the Uber example, does the Government foresee using such powers against foreign companies that operate in Singapore?

Conclusion

To conclude, Mr Speaker, I am concerned about how much Singaporeans are actually aware of their online signature and the importance of cybersecurity. While we seek to protect key infrastructure against cyber attack, every Singaporean who uses his or her smartphone to pay for goods and services or uses it as a social tool, is susceptible to cyber attack or hacking. This prospect is likely to increase as Singapore undertakes its smart nation drive with more focus and coordination. The Cybersecurity Agency of Singapore is in a privileged position to educate Singaporeans on security tips as we transition to a more cashless economy and live online, as many of us already do. What measures can Singaporeans look forward to from the Government to protect them from cybersecurity threats in our smart nation journey?

Mr Speaker, notwithstanding the clarifications sought, I support this Bill.

Written by singapore 2025

06/01/2018 at 10:29 pm