Singapore Moves to Update Cybersecurity Laws
08 September 2017
Significant changes have been proposed to Singapore’s cybersecurity laws – and IP owners and others who collect data in the country need to be aware of how those changes will affect their compliance programmes.
Singapore first introduced cybersecurity laws in 2013 by adding new provisions to the Computer Misuse Act that make it an offence to use a computer to gain unauthorised access to any program or data held in a computer, or to gain such unauthorised access with intent to commit an offence, says Jonathan Kok, a partner and head of the intellectual property and technology practice at RHTLaw Taylor Wessing in Singapore.
To reflect its new purpose, the legislation was renamed the Computer Misuse and Cybersecurity Act (CMCA) in 2013.
“In April this year, following a series of cyberattacks on government websites by a local member of the hacktivist organization, Anonymous, the previous year, the Singapore government made further amendments to the CMCA,” Kok tells Asia IP.
The four key changes to the CMCA are:
• Making it an offence to obtain, retain or supply personal information obtained through cybercrime;
• Making it an offence to obtain items which can be used to commit cybercrimes;
• Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore; and
• Allowing amalgamation of cybercrime charges.
“With the amended CMCA, it is now an offence to deal in personal information obtained via a cybercrime such as trading in hacked credit card details and to deal in hacking tools to commit a computer offence,” Kok says. It is also now an offence for someone to commit a criminal act while overseas, against a computer located overseas, should the act cause, or create a significant risk of, serious harm in Singapore, such as injury or death of individuals, disruptions to essential services in Singapore, or damage to the national security, defence or foreign relations of Singapore.
“These changes come ahead of a new Cybersecurity Act (CSA) that should be introduced sometime next year,” Kok says. “The new standalone CSA will ensure that operators of critical information infrastructure take proactive steps to secure their systems and networks. It will also introduce standards for mandatory incident reporting on critical information infrastructure operators.”
While the existing CMCA is targeted at helping law enforcement agencies investigate and apprehend the individuals or entities behind cybercrimes, Kok says the new CSA will give the Singapore government the power to audit the cybersecurity measures implemented by organizations operating in certain sectors of the economy and the power to manage a major cyberattack should the country be hit by such an attack.
Kok says that some of the basic measures that can be taken to protect databases from unauthorized access include keeping the database server in a secure and locked environment; installing firewalls in the IT system; encrypting stored data and ensuring that backup data is also encrypted and stored separately from the decryption keys; and implementing controlled access to allow only authorized personnel to access the IT system.
“Once the IT system is secure, the organization needs to be very careful about who it decides to grant access to the database,” he says. “By creating specific access controls for all of its users, it can limit their access to only those parts of the systems they need for their tasks.”
Beyond physical measures, he says, organizations should ensure that their personnel are properly trained on good practices to protect and keep data secure. “Databases are only as secure as the weakest link in the organization,” says Kok. “Often the weakest link lies in the carelessness of personnel in using the IT system and protecting their user ID and password from others.”
Organizations should regularly update their IT systems with security patches issued by the operating system provider. “It was reported that the recent cyberattacks (such as the WannaCry and the NotPetya ransomware) exploited old systems that have not been updated with security patches. It is therefore crucial that organisations ensure that their software and hardware security are kept up to date with new anti-malware signatures or patches,” Kok says.
“Above all, it is important to educate and train your end users to be vigilant and not open suspicious email attachments and not to freely disclose their user ID and password to a third party without verifying the identity of the third party,” says Kok. “A common trick used by hackers is to pose as a staff from the organization’s IT department and deceive the user to disclose his log-in information. Attempts like this may come from phone, email or other communication with the user.”