Singapore’s Ministry of Home Affairs has announced amendments to the Republic’s cybersecurity laws, i.e. the Computer Misuse and Cybersecurity Act (CMCA), after a series of high-profile cyberattacks in recent years.
The Computer Misuse and Cybersecurity Amendment Bill (the Bill), which will be discussed when Parliament sits on 3 April 2017, introduces four key changes to the CMCA:
- Making it an offence to obtain, retain or supply personal information obtained through cybercrime
- Making it an offence to obtain items which can be used to commit cybercrimes
- Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore
- Allowing amalgamation of cybercrime charges
In this briefing, we outline the key aspects of the amendments to the cybersecurity laws and discuss the implications for businesses in Singapore.
1. Making it an offence to obtain, retain or supply personal information obtained through cybercrime
A common situation after an organisation has been hacked: it finds its customers’ names, passwords and addresses listed for all to see online (a classic “data dump”). While the hacker could be prosecuted under the current cybersecurity laws, it is unclear whether any criminal recourse could effectively be taken against those who went on to use the information for illegal purposes.
The Bill attempts to plug the gap by making it an offence to obtain, retain, supply, transmit or otherwise make available personal information if the offender knows the information was obtained through cybercrime. The definition of “personal information” closely resembles the definition of “personal data” in the Personal Data Protection Act, tying the two regimes together. It means that two enquiries are likely to take place simultaneously in the event of a cyberattack: the first focusing on whether the organisation had adequate security measures in place to protect personal data, and the second on trying to prosecute the perpetrator for misusing personal information.
While the change is welcome, difficulties remain where the information hacked is not “personal” – e.g. trade secrets or sensitive political information. Their release is often just as, if not more, damaging. Unfortunately, given that the provision only covers “personal” information, it appears that third parties would not be committing a criminal offence by using any information that is not classified as personal information once it is released. While one may have recourse under other laws, such as the law of confidence or breach of contract, the result is nevertheless unsatisfactory: the threat of criminal sanction for use of data that is not classified as personal information would serve as a deterrent against misuse of such data, and the Bill does not provide it.
2. Making it an offence to obtain items which can be used to commit cybercrimes
In a bid to further deter individuals from committing cybercrime, the Bill introduces a new offence of obtaining or making “tools for hacking”. The amendment mainly targets malware and port scanners, but “tools” are defined broadly – devices or computer programs which are capable of being used for committing cybercrimes – such that the mere purchase of a computer could potentially fall within the definition of obtaining a “tool” for hacking. To prevent the provision from becoming over-inclusive, the prohibition only applies if the tools are obtained with an “intent” to commit a cybercrime. It will be a challenge for prosecutors to prove such “intent”.
The new offence potentially raises issues for ethical hackers and companies in the business of providing security services, including penetration testing, that deliberately breach computer systems to discover vulnerabilities so that they can be remedied. They should be shielded by the requirement for criminal “intent”, but it is advisable to take measures to ensure that clients give them clear, written authority to attack their systems for the purposes of testing/ethical hacking. In practice that means agreeing the scope of the engagement (which systems, what time window and which techniques are in scope) before any tooling is obtained or used, and retaining that authorisation with the engagement records.
3. Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore
The current cybersecurity laws extend extraterritorially, by criminalising acts committed overseas by an individual located in Singapore, as well as acts committed against a computer, program or data located in Singapore (even where the perpetrator was overseas).
The Bill extends the extraterritorial jurisdiction to acts which cause or create a significant risk of serious harm in Singapore. “Serious harm” includes injury to individuals, as well as a disruption or serious diminution of public confidence in the provision of any essential service (communications, banking, public utilities) in Singapore.
In theory, this amendment is certainly welcome: overseas “hacks” not directly involving a computer based in Singapore may have an indirect but equally serious impact on Singapore. For example, an attack on overseas servers on which Singapore-based services depend may deny service to users in Singapore, and the damage may be serious if the service in question is critical. There is therefore a clear public interest in extending extraterritorial jurisdiction in this manner.
In practice, however, it may be difficult to apprehend transnational cybercriminals. They are often based in jurisdictions with weaker laws and enforcement, so the extended reach of Singapore’s cybercrime laws may have limited practical effect in preventing or deterring them.
4. Allowing amalgamation of cybercrime charges
The Bill proposes to allow prosecutors to amalgamate cybercrime charges against a perpetrator, rather than having to bring separate charges for each instance of a distinct act. Due to the nature of cyber offences, cybercrime cases often result in hundreds of charges being brought against a single criminal defendant (e.g. the accused in PP v Sim Guan Liang James, who breached the Singpass system, faced over 800 charges when he was prosecuted).
Both prosecutors and the criminal defence bar are likely to welcome this amendment, as it will reduce the number of charges preferred against cybercrime offenders at the prosecution stage.
This will bring cybersecurity laws in line with other financial crime offences, such as criminal breach of trust, which also allows for the amalgamation of charges.
5. What the Bill does not do
The Bill does not cover standards for mandatory incident reporting, or new duties on critical information infrastructure operators. The Singapore Government has suggested that these topics be addressed in a new Cybersecurity Act, which is likely to be tabled in Q2 – Q3 2017.
We anticipate that the new Cybersecurity Act will likely expand on section 15A of the CMCA. The provision broadly allows the Minister to direct any organisation “to take measures to prevent, detect or counter a threat to computer services.”
Impact on Organisations
What should organisations in Singapore do in response to the Bill?
While the amendments are focused on prosecuting the perpetrators of cybercrimes, organisations are still required to have adequate security measures in place to protect personal data and should also have a comprehensive cyberattack response plan. The response plan should include reporting cyberattacks to the authorities so that investigations and charges under the new laws can proceed swiftly. Certain sectors, such as financial services, already have extensive information security requirements to meet.
Ultimately, the Bill should be seen as one part of the government’s larger strategy to regulate information and cybersecurity infrastructure in Singapore together with the Personal Data Protection Act and the upcoming Cybersecurity Act, and to secure Singapore’s reputation as a safe place to do online business.