Cyber Security Bill laudable, but is there a cost to pay?

Recent high profile cyber-attacks on Singapore universities have led to some degree of public panic, and ransomware affecting critical services—such as the National Health Services in the United Kingdom—are regular headlines in the news today. There is much public frustration over the risks in cyberspace, which makes the comprehensive draft Cybersecurity Bill by the Cyber Security Agency (CSA) very timely and reassuring.

The 72-page bill reads as a thoughtful piece of proposed legislation. There are three main innovations in the bill, namely establishing a cyber security commissioner; setting out procedures to punish owners of critical information infrastructures (CII); and licensing requirements for companies or individuals providing cyber security services.

In this climate of heightened security threats, the Cyber Security Bill is useful and reassuring.

However, it leaves unanswered the appropriate relationship between government, business and the public in working together to keep us safe.

Countries around the world have implemented variations of similar bills to enhance cybersecurity.

In the United States, for example, its 2013 bill established 16 critical infrastructure sectors that it deemed are “vital to public confidence and the nation’s safety, prosperity, and well-being”.

Similarly, with this Cyber Security Bill, Singapore has determined its 11 critical sectors, ranging from Government and Healthcare to Infocomm and Water.

The true innovation of the bill lies not in codifying procedures that mimic best practices, but rather it is noticeably an enhanced version of bills abroad.

For example, rather than target the company that owns critical infrastructure, the bill instead aims to “identify the specific computer or computer system that is being designated as a critical information infrastructure,” clearly learning from overly broad specifications that have hindered cyber security operations abroad.

The appointment of a cyber security commissioner is also in line with global practices. This is a recognition that there needs to be a central office to coordinate breach notification and vulnerability disclosure in a complex and increasingly networked digital ecosystem.

Further investing powers in the commissioner to “conduct national cyber security exercises for the purposes of testing the state of readiness of owners of different critical information infrastructure” thoughtfully uses the office to pool resources for better national security.

Crucially, Singapore’s natural advantages and weaknesses are written into the bill itself.

Possibly taking lessons from small, European countries whose security depends on regional cooperation, the bill acknowledges that Singapore cannot solve global cyber security problems on its own.

The commissioner is thus tasked to “represent the Government and advance Singapore’s interests on cyber security issues internationally”, and specifically given the mandate to “cooperate with Computer Emergency Response Teams internationally on cyber security incidents.”

As a first comprehensive bill to deal with cyber security, the CSA has taken a big step in addressing many of the gaps that exist.

Most developed countries have at best a patchwork of frameworks in dealing with critical infrastructure, and this bill is potentially a landmark one that sets standards not just for Singapore but for the Asian region as well.

That said, the bill’s over-arching emphasis on security can potentially hurt business vibrancy and significantly increase compliance cost in the long run, challenging existing efforts to vitalise the digital ecosystem.

The bill lays out procedures and investigative powers of the commissioner, which includes letting the commissioner “establish cybersecurity codes of practice and standards of performance.”

Within the powers of the commissioner is the ability to require owners of CII to provide “information on the design, configuration and security of the critical information infrastructure”.

While we do not yet have the benefit of case law to determine the limits of requests by the government, based on the wording as it stands, companies can reasonably infer that government has the ability to request for proprietary business information during an investigation.

In places like the US, regulatory intermediaries such as Information Sharing and Analysis Centers typically exist between government and industry, in order to guard against both compulsive behaviour by private companies and potential government abuse of power.

With the cybersecurity commissioner being mandated as the ultimate source of legitimate decision-making, further safeguards—other than the secrecy clause in the bill—need to be in place to provide better harmonisation across the industry.

Secondly, as is becoming evident in the discourse in CII elsewhere in the world, any policy surrounding critical infrastructure protection has to take into account the “stacked” nature of many digital-centric services.

For example, broadband internet access services to residential users (which is listed as an essential service) requires not just the reliability between internet service providers but also the layers beneath that make it possible, including but not limited to under-sea cables, domain name servers (DNS), and the “http” protocol layer.

The infamous Mirai Botnet brought down internet access in the US by compromising the DNS.

This raises an important question: should layers such as the DNS should be counted as CII as well?

Or to make a more general point, if CII needs to be protected, how can we systematically determine whether to classify downstream players in the supply chain as CII? In other words, how can we prevent a situation of classifying CII all the way down?

In its current wording, the cybersecurity commissioner has the sole discretion to “issue or approve one or more codes of practice or standards of performance” or “amend or revoke any code of practice or standard of performance.”

Furthermore, the commission can decide to “withdraw the designation of any critical information infrastructure at any time” as long as the Commissioner is “of the opinion that the computer or computer system no longer fulfils the criteria of a critical information infrastructure.”

While we operate in a high-trust regulatory environment and the commissioner is believed to conduct his investigations in good faith, having the responsibility of the ecosystem collapsed onto one individual (or his/her office) might neither be sustainable nor provide an adequately systematic decision-making process for an entire ecosystem.

Finally, the licensing requirement for cyber security companies affects an entire ecosystem of professionals, ranging from backend operations staff to vulnerability assessors and forensics analysts.

While licensing was ostensibly imposed to allow the government to separate “responsible” cyber security professionals from “malevolent” ones, it is unclear if licensing does an effective job at separating the two.

Licensing potentially creates a false sense of security, detracting from the ultimate need to actively monitor the capabilities and intentions of all actors.

More importantly, cyber security professionals often do not come in big outfits and rather exist as small groups of independent consultants.

Imposing a licensing requirement might risk “regulatory capture”, in which small companies with better cybersecurity capabilities lose out to bigger companies simply because they cannot afford the compliance cost that comes with regulation. In the landmark Apple vs FBI case, the FBI hired an independent consultant to work on retrieving information from an iPhone—should the consultant have been subject to licensing requirements, compliance costs may have deterred the independent contractors to step forward, impoverishing the expertise that the government has at its disposal.

The new cybersecurity bill is a great step forward in building a more robust ecosystem, but its further iterations might wish to consider the ways in which it may affect other ongoing initiatives to build smart cybersecurity capabilities for the nation.

ABOUT THE AUTHOR:

Benjamin Goh is a recent Master in Public Policy graduate from the Harvard Kennedy School. He is also research assistant to Professor James Waldo, chief technology officer for Harvard.