Cybersecurity Bill

Bill No. 2/2018

Read the first time on 8 January 2018.
An Act to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate owners of critical information infrastructure, to regulate cybersecurity service providers, and for matters related thereto, and to make consequential or related amendments to certain other written laws.
Be it enacted by the President with the advice and consent of the Parliament of Singapore, as follows:
PART 1
PRELIMINARY
Short title and commencement
1.  This Act is the Cybersecurity Act 2018 and comes into operation on a date that the Minister appoints by notification in the Gazette.
Interpretation
2.—(1)  In this Act, unless the context otherwise requires —
“Assistant Commissioner” means any Assistant Commissioner of Cybersecurity appointed under section 4(1)(b);
“assistant licensing officer” means any assistant licensing officer appointed under section 25(2);
“business entity” means —
(a) a corporation as defined in section 4(1) of the Companies Act (Cap. 50);
(b) an unincorporated association;
(c) a partnership; or
(d) a limited liability partnership registered under the Limited Liability Partnerships Act (Cap. 163A);
“code of practice” means any code of practice issued or approved under section 11(1), and includes such a code of practice as may be amended from time to time;
“Commissioner” means the Commissioner of Cybersecurity appointed under section 4(1)(a);
“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include such device as the Minister may, by notification in the Gazette, prescribe;
“computer program” means data representing instructions or statements that, when executed in a computer, causes the computer to perform a function;
“computer service” includes computer time, data processing and the storage or retrieval of data;
“computer system” means an arrangement of interconnected computers that is designed to perform one or more specific functions, and includes —
(a) an information technology system; and
(b) an operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system;
“critical information infrastructure” means a computer or a computer system in respect of which a designation under section 7(1) is in effect;
“cybersecurity” means the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state —
(a) the computer or computer system continues to be available and operational;
(b) the integrity of the computer or computer system is maintained; and
(c) the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained;
“cybersecurity incident” means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system;
“cybersecurity officer” means any cybersecurity officer appointed under section 4(3);
“cybersecurity program” means any computer program designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of a computer or computer system;
“cybersecurity service” means a service provided by a person for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person (A), and includes the following:
(a) assessing, testing or evaluating the cybersecurity of A’s computer or computer system by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system;
(b) conducting a forensic examination of A’s computer or computer system;
(c) investigating and responding to a cybersecurity incident that has affected A’s computer or computer system by conducting a thorough scan and examination of the computer or computer system to identify and remove elements relating to, and identify the root cause of, the cybersecurity incident, and which involves circumventing the controls implemented in the computer or computer system;
(d) conducting a thorough examination of A’s computer or computer system to detect any cybersecurity threat or incident that may have already penetrated the cybersecurity defences of the computer or computer system, and that may have evaded detection by conventional cybersecurity solutions;
(e) designing, selling, importing, exporting, installing, maintaining, repairing or servicing of one or more cybersecurity solutions;
(f) monitoring of the cybersecurity of A’s computer or computer system by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system;
(g) maintaining control of the cybersecurity of A’s computer or computer system by effecting management, operational and technical controls for the purpose of protecting the computer or computer system against any unauthorised effort to adversely affect its cybersecurity;
(h) assessing or monitoring the compliance of an organisation with the organisation’s cybersecurity policy;
(i) providing advice in relation to cybersecurity solutions, including —
    (i) providing advice on a cybersecurity program; or
    (ii) identifying and analysing cybersecurity threats and providing advice on solutions or management strategies to minimise the risk posed by cybersecurity threats;
(j) providing advice in relation to any practices that can enhance cybersecurity;
(k) providing training or instruction in relation to any cybersecurity service, including the assessment of the training, instruction or competencies of another person in relation to any such activity;
“cybersecurity service provider” means a person who provides a cybersecurity service;
“cybersecurity solution” means any computer, computer system, computer program or computer service designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of another computer or computer system;
“cybersecurity threat” means an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system;
“cybersecurity vulnerability” means any vulnerability in a computer or computer system that can be exploited by one or more cybersecurity threats;
“Deputy Commissioner” means the Deputy Commissioner of Cybersecurity appointed under section 4(1)(b);
“essential service” means any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule;
“full-time national serviceman” means a person who is liable to render full‑time national service under section 12 of the Enlistment Act (Cap. 93);
“licence” means a licence granted or renewed under section 26;
“licensable cybersecurity service” means any cybersecurity service specified as a licensable cybersecurity service in the Second Schedule;
“licensee” means the holder of a licence;
“owner”, in relation to a critical information infrastructure, means the legal owner of the critical information infrastructure and, where the critical information infrastructure is jointly owned by more than one person, includes every joint owner;
“standard of performance” means any standard of performance issued or approved under section 11(1), and includes such a standard of performance as may be amended from time to time.
(2)  For the purposes of the definition of “cybersecurity service”, a person does not provide a cybersecurity service only because the person —
(a) sells, or sells licences for, cybersecurity programs intended to be installed by a user without the assistance of the seller for the protection of the cybersecurity of a user’s computer; or
(b) provides services for the management of a computer network or computer system, that are aimed at ensuring the availability of or enhancing the performance of the computer network or computer system.
Application of Act
3.—(1)  Part 3 (except section 8) applies to any critical information infrastructure located wholly or partly in Singapore.
(2)  Section 8 applies to any computer or computer system located wholly or partly in Singapore.
(3)  Except as provided in subsection (4), this Act binds the Government.
(4)  Nothing in this Act renders the Government liable to prosecution for an offence.
(5)  To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government.