Under the Cybersecurity Bill newly proposed by the government of Singapore, cybersecurity vendors providing services in highly sensitive areas of the country must obtain a license.
The draft, proposed by the Ministry of Communications and Information and the Cyber Security Agency (CSA), is expected to be passed by parliament by the end of this year or the beginning of 2018.
The bill primarily aims to secure the country's entire infrastructure, especially Critical Information Infrastructure (CII). The CII covers 11 key areas: government, energy, aviation, healthcare, maritime, banking and finance, security and emergency, infocomm, land transport, water and media. To minimize the threat of cyberattacks on infrastructure, the bill sets out four objectives, including licensing for cybersecurity service providers.
Under the bill, individuals or businesses offering investigative or non-investigative cybersecurity services must hold a license from CSA.
Investigative Cybersecurity Services: These services include penetration testing and services that search for cybersecurity vulnerabilities in the computer or computer system of another individual. Their main purpose is to protect the computer or computer system from hackers and improve cybersecurity. A license is required for investigative cybersecurity services because:
- Service providers circumvent or bypass the controls implemented in the computer or computer system.
- The person performing the cybersecurity service needs to obtain a deep level of access to the computer or computer system to test its cybersecurity defenses.
Some examples are: the design and implementation of cybersecurity solutions, monitoring cybersecurity threats, and advising on new cybersecurity solutions and practices.
Non-Investigative Cybersecurity Services: The services provided by organizations or individuals under this category include managed security operations center monitoring services. The category also includes services that monitor the cybersecurity of a computer or computer system of another individual. Forensic analysis, cyber threat response, etc. fall under non-investigative cybersecurity services.
Essential Requirements for Licensed Cybersecurity Services Providers (domestic/foreign)
- Honesty, integrity, and financial soundness of the service provider are the first and foremost requirements for licensing. The key executive officers of the service provider should be of good moral character.
- The service-providing organization should have a service record of five years. The record must include client information, the types of service provided, the name of the employee who performed the service, etc.
- The provider should maintain a Code of Ethics, such as maintaining the confidentiality of client information.
- The provider should ensure that employees performing the services are fit and proper.
To ensure that the licensing requirements are met, CSA will conduct audits from time to time. Any licensee who does not meet the conditions of the license will be guilty of an offence and liable to a fine of up to S$10,000, imprisonment of up to a year, or both.
A cybersecurity services provider who offers services without a license will be guilty of an offence and liable to a fine of up to S$50,000, imprisonment of up to two years, or both.
Singapore is one of the economies most vulnerable to cyberattacks in the world. The vulnerability of this Southeast Asian nation to digital assaults is nine times higher than that of any other Asian economy except Japan and South Korea. Hence, the Bill is expected to minimize the threat of rising digital assaults in the country, as Singapore is a highly technology-dependent nation.
Subarna Poudel is a researcher with Frost & Sullivan. He can be reached at firstname.lastname@example.org
Sapan Agarwal drives content and marketing for Frost & Sullivan. Sapan is based in Kuala Lumpur, Malaysia, and can be reached at email@example.com | +603 6204 5830