As data grows in value and importance, the phrase “data is the new gold” is now heard regularly in the corporate world. With 5G mobile networks and the internet of things (IoT), more data than ever is being mined and Singapore is in the prime regional position to store this new “gold.”
In its 2019 and 2020 reports [3], the consultancy Cushman & Wakefield ranked Singapore’s data center capabilities as sixth worldwide and first in the Asia-Pacific market, which is “forecast to reach US$28 billion by 2024, 20% higher than the US$23.4 billion North American market.” The reports reasoned that data center players will “favor Singapore for its relative security to store mission critical data and the business-as-usual data in the neighboring countries.”
Cybersecurity Laws In A Nutshell
Singapore has adopted a framework of key legislation and sector-specific regulations to address cybersecurity issues. The Cybersecurity Act 2018 moved Singapore away from sector-based regulation and required cybersecurity service providers to gain a license. It empowered the Commissioner of Cybersecurity, amongst others, to establish mandatory codes of practice and reporting/auditing requirements for owners of critical information infrastructure (CII). A non-owner of CII has an obligation to cooperate in cybersecurity investigations by the commissioner. The Act is linked to the Computer Misuse Act which criminalizes cybersecurity offences such as unauthorized access to computers. The Personal Data Protection Act 2012 (PDPA) also requires organizations to implement security measures to prevent unauthorized access, collection, use or disclosure of personal data.
At the same time, sector-specific regulations continue in force. For example, the Monetary Authority of Singapore publishes notices and guidelines on cybersecurity best-practice for the banking and finance industry. There is also the Infocomm Media Development Authority’s Telecommunication Cybersecurity Code of Practice. Singapore’s legislative efforts are commendable in light of the 2020 breaches at US-based cybersecurity company FireEye. However, several practical and persistent challenges remain. We discuss three ways in which Singapore’s cybersecurity laws may be improved.
The International Law Framework
That Singapore’s cybersecurity laws do not relate to a coherent international law framework hampers their practical effectiveness. There are two key unresolved jurisdictional issues.
First, the range of cyber actors can include individuals and even nation-states. It is unclear over which actors the cybersecurity laws give Singapore jurisdiction, considering state immunity defenses, traditional conflict of jurisdictions rules and other policy factors. As a result of this lack of clarity, companies must determine which jurisdiction’s cybersecurity laws they have to comply with.
This has real consequences. For example, the reporting and investigation requirements under the Cybersecurity Act 2018 are not replicated in other jurisdictions. A company discovering a cybersecurity incident must comply with various reporting and investigation requirements across jurisdictions rather than devoting more time to prevent further incursions.
Second, it is also unclear how Singapore can identify the origin of a breach. Breaches are not always confined within the geographical boundaries of a state. There is no public international law principle – or even customary international law – as to whether cyberspace is international space or how it should be divided between states. Even ratification of the Budapest Convention on Cybercrime has taken a long time. Establishing jurisdiction matters because it determines the appropriate national and international dispute settlement mechanisms. The Permanent Court of Arbitration may be a good candidate for such a mechanism since it already has a mandate on outer space, energy and environmental disputes between states.
Singapore has signed several memoranda of understanding with other countries, but more needs to be done. Singapore must renew its focus on adopting and implementing international norms even as states aim to implement data localization measures. China-based technology company Huawei recommended a common cybersecurity standard just like the European Union’s General Data Protection Regime [9], and the World Economic Forum (WEF) agreed with this principle in its April 2016 white paper [10]. The WEF recommended that in addition to regulation, “governments also can alter behavior through encouraging the creation and adoption of norms … at the national, regional or global level.”
Focus On Regulating Human Behavior
Singapore’s cybersecurity laws must be able to evolve along with technology. To surmount this seemingly Sisyphean challenge, the laws must focus instead on regulating human behavior and creating a resilient cyber society.
The current state of Singapore’s cyber resilience is reflected in how small and medium enterprises (SMEs) still consider cybersecurity an afterthought. In a 2018 survey conducted by QBE Singapore, while 90% of SMEs are aware of cyber risks, 25% lack any internal processes or policies to protect themselves. And yet, 35% of businesses in Singapore have suffered a ransomware attack. In 2017, 328 cyber-scam cases involved impersonating business suppliers resulting in losses of about S$43 million. In the same year, almost 40% of 146 phishing cases and ransomware scams came from businesses. The recent data leak from UOB after its employee fell for an impersonation scam highlights the importance of adequate cybersecurity and data security training.
To instill greater resilience, Singapore’s cybersecurity laws must reflect a more nuanced understanding of the differing interests in the public and private sectors. It may be helpful to introduce more soft law options such as codes of practices, threat assessment templates, model incident response plans and preventive guidelines. Social values may change over time and generational values may clash, but certain fundamental human rights and constitutional rights should not be undermined.
Lower Compliance Costs And Encourage Innovation
The two most common barriers to implementing digital solutions are the high costs of investment (40% of respondents) and lack of digital skills (35% of respondents), according to QBE Singapore [17]. It is a good start that Singapore has been a certificate authorizing nation under the Common Criteria Recognition Arrangement since 2019, but more similar steps must be taken.
A solution could be to legislate for cybersecurity insurance as cover for liability and associated costs from system damage or lost revenue. Legislation is needed to help insurers determine how to underwrite risks where traditional models do not work. Costs also come from having to compete for the limited talent pool to fill the roles. Again, Singapore’s cybersecurity laws can establish clear skill accreditation, as is the case with the specialist accreditation scheme for both building and construction law and maritime and shipping law.
Further, the laws should aim to encourage innovation in cybersecurity. Innovation is self-sustaining and naturally spurs the growth of Singapore as a cybersecurity hub. For example, legislating for stricter security features in software products will provide a strong market incentive for software manufacturers to innovate and comply with standards. The laws could include a public-private partnership model for cybersecurity research projects and incorporate tax incentives for approved investments made by a company towards cybersecurity.
That said, as was seen in the process of making Singapore into an arbitration and insolvency hub, cybersecurity laws responsive to cutting-edge thinking must be backed by competent investigation services, access to technology to process electronic evidence, quality local and international talent and appropriate training for the judiciary and the Attorney-General’s Chambers. These will help Singapore become a cybersecurity hub.
Data may be the new “gold,” but the bigger picture involves more than just data. With technologies like blockchain being applied in other contexts, the needs of national security are being intertwined with cyberspace. Add to this the greater role of telecommuting and a growing dominance of fintech, and cybersecurity will surely be a focal point over the next few years.
Kang Zhi Ni
*This article is the IHC Magazine’s off-shore update for the April 2021 issue.