Terrorists can’t do much harm on computers right? ….right?
In a physically secure country such as Singapore, terrorist attacks may not come from guns, knives and run-away cars. It may come from more creative means, such as on computers.
But what harm can computers do? So far, the most malicious thing that has happened is mischief and vandalism. Hardly life threatening. However, if you think that way, you’re not thinking like a terrorist.
With access to computer systems connected to vulnerable installations such as air traffic control, traffic light controls, medical equipment or military equipment, persons with malicious intent can let lose mayhem. The Ministry of Communications and Information (MCI) is particularly concerned about attacks on systems that run utility plants, transportation networks, hospitals and other essential services.
Also, there are deadly leaks that wreck havoc for diplomatic relationships that could lead to souring trading relationships or worse, conflict. Remember Julian Assange and the WikiLeaks?
Singapore is considered a highly connected country, our bank accounts, SingPass accounts and even social media accounts are prone to attacks. Funds could be transacted away from you, scapegoats could be mined and panic can be caused on social media.
The internet is also grounds for recruitment – it is fertile ground for grooming new combatants. Without laws and enforcement, even ordinary webpages can serve material to convince the ordinary person to join their cause.
These are just some of the ways that terrorists can manipulate our wired nation and if we did not have the policies, laws and organisations to secure it, we are opening up ourselves to myriad dangers.
A Cybersecurity Bill will be put up in Parliament and if passed, will form our first legislation protecting the country from this threat. One of the means of protection is to draw up a list of responsibilities for owners of “Critical Information Infrastructure” (CII). Public consultation is now being sought for the following powers:
1. Establish a Commissioner of Cybersecurity
The Bill confers power on the Cyber Security Agency’s chief as Commissioner of Cybersecurity to investigate threats and incidents to ensure that essential services in 11 critical sectors here – including telecommunications, transport, healthcare, banking and energy – are not disrupted in the event of a cyber attack. Other officers such as a Deputy Commissioner and Assistant Commissioners of Cybersecurity may also be appointed to carry out the Commissioner’s duties.
2. Protect all sectors
The Bill aims to harmonise the requirements to protect critical information infrastructure (CII) across the public and private sectors, mandating that organisations share information to facilitate in the investigations of cyber-security threats or incidents undertaken by CSA. Banking and privacy rules that forbid the sharing of confidential information will be superseded by the Cybersecurity Bill.
3. Responsibilities for owners of Critical Information Infrastructures
Owners of CII such as those that run essential services must:
Notify the Commissioner of the CII suffering a cyber-security attack;
Conduct regular system audits by a Commissioner-approved third-party;
Conduct regular risk assessments of the CII;
Comply with directions issued by the Commissioner, including providing access to premises, computers or information during investigations.
4. Designation of CII
The Commissioner may identify and designate new systems as CII during times of national emergency. The designation of a computer as a CII is an official secret under the Official Secrets Act.
5. Licensing framework for cybersecurity vendors
Vendors providing services in two areas – investigative work that involves hacking and forensic examination, and non-investigative work such as managed security operations – must be licensed, just like how locksmiths are licensed in Singapore. Investigative cyber-security service practitioners such as hackers must also apply for an individual licence. Those found guilty of not having the required licences face a maximum fine of $50,000, jail of up to two years, or both.