When Singapore’s Ministry of Communications and Information and the Cyber Security Agency of Singapore (CSA) asked for views in their Public Consultation Paper on the draft Cybersecurity Bill earlier this year, they received so much feedback that they extended the consultation period.
Much of this feedback was positive, including support from industry experts, cyber security professionals and academics, for the comprehensiveness of the Bill in dealing with protection of critical information infrastructure (CII).
CII refers to the provision of key services such as telecommunications, transport, healthcare, banking and energy.
Others, including regional law firms, raised concerns about the powers granted to the CSA to take information when responding to cyber breach incidents, which they feared would conflict with banking secrecy and data privacy requirements, and could in turn harm the competitiveness of businesses here.
The CSA has since taken pains to clarify that it intends to focus on technical information, not personal data. More significantly, the report on the public consultation states that CSA will appoint assistant commissioners for each sector, to take into account existing sector-specific requirements, including international ones.
The public consultation resulted in several other significant changes and clarifications. The report clarified that only systems that have been officially designated as CIIs will be subject to the legal duties of compliance, thus excluding suppliers and third-party vendors.
The fact that a company has been officially designated as a CII will no longer be subject to the Official Secrets Act.
Finally, the proposed licensing regime for individuals and companies in the provision of cyber security services will also be modified to “allow the Bill to be more future-proof and to enable it to stay relevant even as cyber security services continue to evolve”.
It is from this last development that we can draw useful lessons for policy development in this field. The public and private sectors are united in the desire for the law to be dynamic and evolve to meet the changing threats. This is in line with the global quest for “future-proof legislation” that can adapt to rapid developments in the scientific, technical and technological fields.
One of the keys to future-proof legislation is to build in flexibility. For example, the report has recognised that it would be unwieldy to legislate a distinction between “investigative” and “non-investigative” types of licensable services. Future-proofing sometimes requires stepping away from the very natural tendency to try to define every possible scenario in detail, because new situations will emerge that defy prediction.
Instead, it can be more effective to be flexible and to review the landscape on a regular basis.
Most recently, the Computer Misuse and Cybersecurity Act was amended to respond to the further evolution of cybercrime. The amendments create new offences for obtaining stolen personal information, hacking tools and more – actions which were not significant at the time of the original legislation.
Legislation can be considered future-proof if it is proactive, provides legal clarity and certainty, and if citizens see it as legitimate because of their participation in bringing about outcomes or solutions to collective problems.
Public consultation is, therefore, a good way to help make legislation future-proof, especially in fields like cyber security where the issues affect every aspect of society.
Consultation on legislation is not new: Ministries and statutory boards have a long history of informal consultation with experts and major stakeholders. Today, many agencies post their requests for public consultation on the Government’s Reach portal.
One example is the Monetary Authority of Singapore (MAS), which has shared that despite its drawbacks – it lengthens the policymaking process and requires resources – public consultation improves the policymaking process by tapping practitioners’ market knowledge to validate and refine policies, identifying implementation issues in advance, providing an avenue to explain and garner support for policies, and providing greater certainty for affected parties.
These are all benefits that are deeply relevant to cyber security policy. A healthy level of public-private partnership and participation by industry, civil society, experts, academics and business owners can provide the Government with the breadth and depth of up-to-date expertise that is required for policymaking in this field, especially in response to developments in international regulations, quantum computing, big data, machine learning and artificial intelligence.
For example, businesses here may accept the CSA’s powers for incident response for now, because of a high level of trust in the authorities. However, if international regulations like the European Union’s GDPR (General Data Protection Regulation) impose more requirements on Singapore companies dealing with European customers, the private sector may then have to step forward to form an independent industry body for oversight and to safeguard businesses.
A successful public-private partnership will require the active participation of all parties. Since the report mentions further public consultation, it should follow the best practices of this round, which include allowing public contributions to influence decisions, recognising and communicating the needs and interests of all participants, and communicating to participants how their input affected the decisions. It would be unrealistic to expect the authority to implement every input, but every input should be recognised, to encourage participation in future processes.
On the other hand, industry, civil society, experts, academics and business owners should continue to contribute frankly and vigorously to the discussion. The healthy dialogue that has arisen from this public consultation is a good start, and will be essential in the years to come as cyber security develops in ways we cannot imagine today.
(The writer is Senior Fellow/Head of Cyber and Homeland Defence, Centre of Excellence for National Security, S. Rajaratnam School of International Studies, Nanyang Technological University.)