Singapore Updates Cybersecurity Law to Account for Cloud

UPDATE

Lawmakers in Singapore updated the nation's cybersecurity regulations on May 7, giving more power to the agency responsible for enforcing the rules, adopting definitions of computer systems that include cloud infrastructure, and requiring that critical information infrastructure (CII) operators report a broader variety of cybersecurity incidents to the government.

The Cyber Security Act amendment takes into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators, as well as a cyber threat landscape that is growing more dangerous. In effect, since so many critical information infrastructure operators have outsourced some facets of their operations to third parties and cloud providers, new rules were needed to hold those service providers accountable, Janil Puthucheary, senior minister of state for the Singapore Ministry of Communications and Information, said in a speech before the country's parliament.

"The 2018 Act was developed to regulate CII that were physical systems, but new technology and business models have emerged since," he said. "Hence, we need to update the Act to allow us to better regulate CIIs so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on."

Singapore's amendment to its Cyber Security Act is the latest update to rules among Asia-Pacific nations. In early April, the Malaysian Parliament passed its own Cyber Security Bill, which aims to establish a strong cybersecurity framework for the country, including requiring licensing for some firms and consultants. The same month, Japan, the Philippines, and the US put in place a trilateral information-sharing arrangement to blunt nation-state attacks from China, North Korea, and other rival nations.

The Cyber Security Agency (CSA) and the additional regulations have broad support in Singapore following extensive outreach to critical infrastructure providers, citizens, businesses, and legal experts, says Donny Chong, product director at Nexusguard, a denial-of-service defense firm.

"The rising number of cyber threats is worrying a lot of people — both local and global incidents have highlighted the vulnerabilities in our digital infrastructure," he says. "More and more, we're seeing companies becoming aware of the ways cyberattacks can severely impact essential services and national security, driving the urgency for stronger regulations."

Cybersecurity for Changing Times

The original Cybersecurity Act aimed to strengthen the protections around CII, gave the Singaporean CSA the authority to manage the nation's cybersecurity prevention and response programs, and created a licensing framework for regulating cybersecurity service providers.

Officials, however, quickly realized that stronger powers were needed to protect the national infrastructure and, as time went on, that cloud computing and cloud services have changed the regulatory landscape. The CSA, for example, could not regulate any critical infrastructure provider or CII service provider that was wholly located overseas.

"When the Act was first written, it was the norm for CII to be physical systems held on premise and entirely owned or controlled by the CII owner," Puthucheary said. "But the advent of cloud services has challenged this model."

The amendment divides businesses and infrastructure operators into five categories: provider-owned CII, non-provider-owned CII, foundational digital infrastructure (FDI) services, entities of special cybersecurity interest, and owners of systems of temporary cybersecurity concern, according to Lim Chong Kin, managing director and co-head of the data protection, privacy, and and cybersecurity group for Singapore-based law firm Drew & Napier.

The requirements for such organizations differ depending on the category of the business, but could include audits, risk assessments, reporting of cybersecurity incidents, and required contract language for third parties, Lim says. Because individual firms may have trouble setting requirements with large multinational cloud providers, CSA will be working "to operationalize the new incident reporting requirements," he says.

"The expanded regulatory obligations are likely to impose a certain degree of unavoidable increased compliance costs on businesses," Lim says. "The precise extent of impact on affected organizations will become clear in time with the operationalization of the new reporting requirements."

Geopolitics and AI Pose Key Challenges

Because Singapore relies heavily on global trade and maintains an open digital economy, the country continues to be a popular target among threat actors, with both nation-state and cybercriminal groups targeting Singaporean organizations and individuals. The country's "Cybersecurity Health Report," released earlier this year, found that more than 80% of surveyed Singaporean organizations had suffered a cyber incident in the past year, with almost all of those victims (99%) suffering a business impact.

The future will also hold uncertainty, as both artificial intelligence and quantum computing are disruptive technologies that appear to be changing the threat landscape, Lim says. For those reasons, updated regulations are just the beginning of a road to better cybersecurity, he says.

"While regulation remains important, it will also be essential on a broader level to cultivate a cyber-literate population and secure buy-in from all stakeholder groups within society ... in order to secure Singapore's cyberspace effectively," he says.

The country is already one of the most cyber-literate nations in the world. More than 90% of Singapore residents communicate online, with the technology adoption rate among businesses at 94% in 2022, up from 74% in 2018, according to Singapore's Puthucheary.

"Business models may be changing, but the fundamental principle remains the same," he told the parliament. "Providers of essential services must remain responsible for the cybersecurity and cyber resilience of the computer systems relied upon to deliver essential services that they provide."

UPDATED: This article was updated at 3:15 ET on May 29 to emphasize that the amended law does not directly affect cloud service providers, but holds CII operators responsible for their use of cloud service providers. Other context was added as well.