PAP Govt amends Cybersecurity Act to improve Singapore’s defence against cyber threats


Parliament passed amendments to the Cybersecurity Act, taking a significant step toward strengthening Singapore’s cybersecurity of systems and entities important to the nation’s interests.  

Senior Minister of State for Communications and Information Janil Puthucheary said in Parliament on May 7 that given the significant shifts in the digital domain, the proposed amendments are a major update to the Cyber Security Act (CSA).   

He explained that the amendments will allow Cyber Security Agency of Singapore (CSA) to keep pace with developments in technology and business practices and respond to evolving cyber security challenges in the cyber threat landscape. This means extending the regulatory oversight to other important systems and entities and using a risk-based approach to regulate entities for cyber security and administer the Act more effectively. 

“These will strengthen Singapore’s national cyber security and increase trust in using online services in Singapore – our highlight digitalised nation”, Dr Janil added.  

Dr Janil stressed the need to better regulate critical information infrastructure (CII) to ensure security and resilience against cyber threats, regardless of technology or business model used.  

The Bill clarifies that the definitions of computer and computer system in specified portions include virtual computers and virtual systems. The new definition makes it clear that CII owners are responsible for cyber security of their virtualised CII.  

Another provision addresses essential services from overseas. CIIs located outside Singapore can be designated and regulated if their owners are in Singapore and the computer systems would have been designated as CIIs under the law had it been located wholly or partly in Singapore. 

Law updated to tackle cyber actors who target systems along supply chain 

The law will be updated to tackle malicious cyber actors who target systems at the periphery or along supply chains, places where Dr Janil said Singapore must start “placing our alarms”.  

Owners of critical infrastructure must report incidents that affect computers connected to or communicate with it. 

The law allows CSA to regulate systems of temporary cyber-security concern. CSA deals with such ICT systems that are critical to Singapore for a limited period and require their owners to comply with heightened cyber-security standards. These can be systems used for high-key activities.  

Provisions will be introduced to cover new entities that could be attractive targets for malicious threat actors. These are entities of special cyber-security interest, such as universities. CSA does not intend to publish the full list of designated entities for security reasons. 

Dr Janil stressed: “The Bill is calibrated to address the risks to the nation, our economy and our way of life while balancing the compliance costs.” 

The Government will continue to refine its approach in consultation with stakeholders and consider new international practices as they emerge. 

Dr Janil stressed that Singapore must constantly improve her defence against cyber threats that are growing in scale and sophistication.   

“Cybersecurity is ultimately about risk management. The only way we can absolutely guarantee cybersecurity is to not use digital technology at all. So, the task at hand is to find the appropriate balance between security, usability, and cost. The Bill is the sum of the Government’s proposal to address this trilemma for the most important systems that affect the national interests. It does involve some trade-offs,” he said. 

“Where national interests are stake, the Government needs to proactively ensure that security considerations are not neglected.  Those responsible for our CII, STCCs (Systems of Temporary Cybersecurity Concern), and FDI (Foundational Digital Infrastructure) services, as well as our ESCIs (Entities of Special Cybersecurity Interest) will have to bear some compliance costs, but this is what it takes to keep Singapore and Singaporeans safe and secure in the digital domain. “ 

Key changes to Cybersecurity Act 

Critical information infrastructure operators in the essential services sectors must report all incidents aimed at their systems, including those managed by or linked to their suppliers. 

CIIs located outside Singapore can be designated and regulated if their owners are in Singapore. 

The definition of “computers” will include virtual systems and cloud infrastructure – servers hosted on the internet that store and process data. CII owners are responsible for the cybersecurity of their virtualised CIIs.  

CSA will regulate systems of temporary cyber-security concern. These are systems that are critical for a time-limited period when they are at high risk of cyber-attacks.   

CSA will regulate entities of special cyber-security interest that could be attractive targets for bad actors due to the sensitive data they hold or function that they perform.