20.—(1) Where the Commissioner receives information regarding a cybersecurity threat or incident which satisfies the severity threshold in subsection (3), the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to exercise, such of the powers mentioned in subsection (2) as are necessary to investigate the cybersecurity threat or incident, for the purpose of —
  (a) assessing the impact or potential impact of the cybersecurity threat or incident;
  (b) eliminating the cybersecurity threat or otherwise preventing any or further harm arising from the cybersecurity incident; or
  (c) preventing a further cybersecurity incident.

(2) The powers mentioned in subsection (1) are the following:
  (a) any power mentioned in section 19(2)(a), (b), (c) or (d);
  (b) direct, by written notice, any person to carry out such remedial measures, or to cease carrying on such activities, as may be specified to the person, in relation to a computer or computer system that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system;
      Examples of remedial measures include —
        (a) the removal of malicious software from the computer;
        (b) the installation of software updates to address cybersecurity vulnerabilities;
        (c) temporarily disconnecting infected computers from a computer network until paragraph (a) or (b) is carried out; and
        (d) the redirection of malicious data traffic towards a designated computer or computer system.
  (c) require the owner of a computer or computer system to take any action to assist with the investigation, including but not limited to —
      (i) preserving the state of the computer or computer system by not using it;
      (ii) monitoring the computer or computer system for a specified period of time;
      (iii) performing a scan of the computer or computer system to detect cybersecurity vulnerabilities and to assess the manner and extent that the computer or computer system is affected by the cybersecurity incident; and
      (iv) allowing the incident response officer to connect any equipment to the computer or computer system, or install on the computer or computer system any computer program, as is necessary for the purpose of the investigation;
  (d) after giving reasonable notice to the owner or occupier of any premises, enter those premises if the incident response officer reasonably suspects that there is within the premises a computer or computer system that is or was affected by the cybersecurity incident;
  (e) access, inspect and check the operation of a computer or computer system that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident, or use or cause to be used any such computer or computer system to search any data contained in or available to such computer or computer system;
  (f) perform a scan of a computer or computer system to detect cybersecurity vulnerabilities in the computer or computer system;
  (g) take a copy of, or extracts from, any electronic record or computer program contained in a computer that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident;
  (h) subject to subsection (5), with the owner’s consent, take possession of any computer or other equipment for the purpose of carrying out further examination or analysis.

(3) A cybersecurity threat or incident satisfies the severity threshold mentioned in subsection (1) if —
  (a) it creates a risk of significant harm being caused to a critical information infrastructure;
  (b) it creates a risk of disruption to the provision of an essential service;
  (c) it creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; or
  (d) the cybersecurity threat or incident is of a severe nature, in terms of the severity of the harm that may be caused to persons in Singapore or the number of computers or value of the information put at risk, whether or not the computers or computer systems put at risk are themselves critical information infrastructure.

(4) An incident response officer exercising the power mentioned in subsection (2)(e) may require any assistance the incident response officer needs to gain such access from —
  (a) any person whom the incident response officer reasonably suspects uses or has used the computer or computer system; or
  (b) any person having charge of, or who is otherwise concerned with the operation of, such computer or computer system.

(5) Where the owner of the computer or other equipment does not consent to the exercise of the power mentioned in subsection (2)(h), the power may be exercised if the Commissioner is satisfied that —
  (a) the exercise of the power is necessary for the purposes of the investigation;
  (b) there is no less disruptive method of achieving the purpose of the investigation; and
  (c) after consultation with the owner, and having regard to the importance of the computer or other equipment to the business or operational needs of the owner, the benefit from the exercise of the power outweighs the detriment caused to the owner,
and the Commissioner has issued to the incident response officer a written authorisation to exercise the power.

(6) The incident response officer must, immediately after the completion of the further examination or analysis on the computer or other equipment which was taken into possession in exercise of the power mentioned in subsection (2)(h), return the computer or other equipment to the owner.

(7) Any person who —
  (a) in relation to an investigation under this section, wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required of the person by the incident response officer under section 19(2);
  (b) in relation to an investigation under this section, without reasonable excuse, fails to comply with an order issued by a Magistrate under section 19(5);
  (c) without reasonable excuse, fails to comply with a direction or requirement of an incident response officer under subsection (2)(b) or (c); or
  (d) without reasonable excuse, fails to comply with a lawful demand of an incident response officer made in the discharge of the incident response officer’s duties under this section,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 2 years or to both.