Speech By Mr Mark Lee Kean Phi, Nominated Member Of Parliament, On The Cybersecurity (Amendment) Bill

Mr Speaker Sir,

    1. As a highly digitalised nation, Singapore's ability to function effectively has become increasingly dependent on the seamless and secure operation of our digital infrastructure. The cyber-attack on SingHealth in 2018, which compromised the personal data of 1.5 million patients, serves as a reminder of the severe consequences a cyber breach can have on our nation's well-being and public trust. More recently, the personal information of parents and staff of 127 schools was accessed due to a data breach linked to a device management app installed on personal learning devices used by students.

    2. Based on the SBF National Business Survey 2023/2024, cybersecurity concerns, including increase in cyber-attacks was the top trend that businesses expect to impact them in the next 12 months.

    3. Globally, the World Economic Forum estimates that cybercrimes cost the world economy over $1 trillion in 2020 alone, underscoring the pressing need for robust cybersecurity measures.

    4. In this context, the government's proactive review of the Cybersecurity Act 2018 is a welcomed one, which will keep pace with our evolving cyber threat landscape and business environment. However, Singapore businesses, have some concerns about the potential impact of these proposed amendments.

    5. First, we seek greater clarity on the criteria and processes involved in designating entities as Foundational Digital Infrastructures (FDIs), Entities of Special Cybersecurity Interest (ESCIs), and Systems of Temporary Cybersecurity Concern (STCCs).

    6. How will businesses be informed about their designation, and what is the redress process for companies to review and appeal these designations? This is crucial for businesses to understand their obligations and plan accordingly as additional processes and resources will have to be committed to comply with the responsibilities of designated entities.

    7. Second, while recognising the importance of enhancing cybersecurity, we must also acknowledge the additional compliance burden these new regulations will impose on our Critical Information Infrastructures (CIIs) and designated entities. We urge the government to work closely with businesses to operationalise the incident reporting requirements in a streamlined and cost-effective manner.

    8. Third, the Bill does not cover standards for mandatory incident reporting or new duties on critical information infrastructure operators. We should ensure that these standards are developed together with industries before implementation.

    9. Fourth, the Bill currently focuses on "personal" information, leaving other types of confidential business information unprotected. I would like to seek clarification whether the scope of the Bill will be expanded.

    10. In addition, the overly broad definition of "tools" capable of being used in cybercrimes could inadvertently criminalise legitimate cybersecurity research and tools. I would like to propose for this definition to be refined further to avoid such unintended consequences.

    11. Lastly, we would like to understand how the proposed monitoring powers for the Commissioner and Licensing Officers will be exercised, and what safeguards will be put in place to prevent any misuse or abuse of these powers. While acknowledging the need for regulatory oversight, we must ensure that these monitoring activities do not impede business operations or compromise sensitive data and trade secrets.

    12. My next part of my speech, I would like to turn to the pressing issue of cybersecurity within our small and medium enterprises (SMEs). According to a 2020 survey by the Cyber Security Agency of Singapore (CSA), only 34% of Singapore SMEs had implemented cybersecurity measures, leaving the majority vulnerable to cyber threats. The survey also revealed that 35% of SMEs experienced at least one cyber incident in the past year, with ransomware and phishing attacks being the most common.

    13. These findings highlight that SMEs are particularly vulnerable to cybersecurity threats and that there is an urgent need to help SMEs strengthen their cybersecurity readiness, as many may lack the resources and expertise to do so effectively.

    14. As the amended Cybersecurity Bill comes into effect, businesses, especially SMEs, along the value chain will need to develop resources and capabilities to report incidents while managing their operations effectively, promptly and accurately. We encourage the government to look into providing funding for qualified SMEs to beef up their cybersecurity posture and capabilities. There is also scope to look into how Trade Associations and Chambers (TACs) can collaborate with SkillsFuture Singapore to encourage and incentivise business to equip their employees with basic cybersecurity knowledge.

    15. At the individual level, our government can also encourage mid-career workers to use the recent top-up in Skills Future credits to receive training on cybersecurity to ease the talent crunch in the cybersecurity domain.

    16. In addition to capability building, SMEs also need actual and urgent support in the event of a cybersecurity attack. While time is of the essence in mitigating the impact of such incidents, many SMEs find themselves at a loss with no clear response strategy in such situations. We propose that in addition to the structured reporting framework for incidents, which will be covered by the amended Bill, the government could also look into structuring centralised support, or pooled services for SMEs to turn to for incident response and advisory services.

    17. In conclusion, Singapore's success as a trusted and secure digital hub hinge on our ability to strike a delicate balance between robust cybersecurity measures and operational efficiency for businesses.

    18. It is therefore essential for the government to foster the correct perception of incident reporting from one of compliance and potential fault-finding to a supportive process that provides real assistance. As we have discussed today, the vulnerability of businesses, especially SMEs, to cyber threats, coupled with their often limited resources, highlights the critical need for a change in approach.

    19. Incident reporting should be seen as a partnership opportunity between the government and businesses, where each report triggers not just a compliance check but a supportive mechanism to help businesses address and recover from cybersecurity issues.

    20. By providing this assistance, we reinforce a culture of security and resilience rather than one of penalty and fear. This strategic shift will ensure that businesses, particularly SMEs, view engaging with cybersecurity frameworks not only as a regulatory requirement but as a valuable resource for enhancing their security posture and ensuring their continued prosperity in our digital economy.

    Mr Speaker Sir, notwithstanding my clarifications, I support the Bill.

    Watch the coverage here.


    Tuesday, 7 May 2024