This is a bit overdue but better late than never.
When US Attorney General Eric Holder was in Singapore to give a talk at the Singapore Academy of Law, I had asked what A-G Holder, the Singapore Foreign Affairs and Law Minister K Shanmugam and the Chief Justice of Singapore Sundaresh Menon thought about companies moving towards unilateral action to actively interrupt or disrupt the systems or activities of hackers (otherwise known as active defence or hack the hacker). I had also asked whether Chief Justice Menon and Minister Shanmugam thought that it would be worthwhile considering looking at Singapore's Computer Misuse Act and whether an exemption relating to active defence could be included so that companies taking such action would not fall foul of the law (the Singapore Computer Misuse Act in its present form makes interrupting or disrupting the systems of a hacker an illegal act).
That was in July 2012.
On November 12, 2012, a Bill was introduced in the Singapore Parliament to amend the Computer Misuse Act (which will be called the Computer Misuse and Cybersecurity Act).
In summary, the changes to the Act will allow the Minister of Home Affairs to:
- authorise or direct a company or person (called the “specified person” … remember that term) to take measures to prevent, detect or counter any threat. Such steps must be for the purpose of preventing, detecting or countering any threat to national security, essential services or defence of Singapore or foreign relations of Singapore.
- require the specified person to provide any information to the Minister that would be necessary to prevent, detect or counter the threat.
- require the specified person to direct another person or company to provide any information.
- require the specified person to provide the Singapore Government with a report of a breach or an attempted breach of security of the specified person's computer system.
It is an offence not to comply with the directions of the Government or the directions of the specified person. The penalty is a fine of S$50,000 or up to 10 years in jail, or both.
What I will be trying to do over two posts is to describe the possible implications of the changes. Here goes.
Broad information gathering powers
The Minister can require the provision of information relating to the design, configuration or operation of any computer, computer program or computer service, and any information relating to the security of any computer, computer program or computer service (section 15A(2)).
This power to obtain information is quite broad on several levels:
- Type of information. The Bill refers to “any information that is necessary to identify, detect or counter any threat”. The Bill also provides examples of what information may be required: information relating to the design, configuration or operation of any computer service, and information relating to the security of any computer, computer program or computer service. (as a side-note, I don’t really understand the drafter’s intention of splitting up the examples in section 15A(2)(b)(i) and (ii). Why not just combine the two examples as “information relating to the design, configuration, security or operation of any computer service, and information”?
"Any information" is pretty broad.
This could conceivably extend to personally identifiable information. I would have liked the Bill to specifically exclude personally identifiable information of individuals unrelated to the incident or have a provision which requires reasonable efforts in stripping out personally identifiable information of individuals unrelated to the incident. This was something which is present in the PRECISE Act, H.R. 3674 (section 248) and the Cybersecurity Act S. 2105.
It could even include highly sensitive information like software source code. The concern here relates to the Minister requiring a person who licenses software from a software vendor to direct the vendor to provide a copy of its software source code. Would the vendor need to send the source code through the specified person? The way section 15A(2)(c) seems to work is that the vendor would need to send the information through the specified person to the Singapore Government. The relevant words are:
“providing to the Minister or a public officer authorised by him any information … obtained by the specified person from another person pursuant to a measure or requirement under paragraph [15A(2)(b)]”
I would have liked for there to be an option for that other person to provide the highly sensitive information directly to the Singapore Government instead of through the specified person. This would be reasonable as there is no need for a private entity to have access to such sensitive information (especially if the information has an impact on the commercial relationship between the parties), and there is no guarantee that all the vulnerabilities within the specified person (who was the target of the exploitation) have been resolved.
In the source code example, a possible practical work-around would be for the direction to require the vendor to obtain a source code audit itself, and to share the results of the audit to the Singapore Government.
Section 15A(2)(b) and (c) should also clarify that a person should only be required to provide information which it has in its possession or within his control or which is reasonably practicable for the person to provide it. These would then be similar to the defences present in section 59 of the Telecommunications Act.
- Type of service. The Bill covers computers, software, computer services (e.g. cloud services). The definition of computers in the Act is wide enough to cover almost all computer related devices, systems and networks.
- Persons covered. The Bill allows the Minister to authorise the specified person to direct another person to provide information to the Singapore Government. This other person could be a third party vendor/outsourcer/cloud service provider/etc that provide software or services to the specified person.
It would be an offence for that third party vendor to fail (without reasonable excuse) to comply with the direction of the specified person. This has considerable implications for companies which outsource or obtain software or services from a third party vendor, and more importantly, for the vendors themselves.
- Territoriality. The Computer Misuse Act already contains a provision (section 11) which states that the Act has effect in relation to any person regardless of his nationality or citizenship or whether he is in or outside of Singapore. The Act goes on to say that where an offence under the Act is committed by any person outside Singapore, he may be dealt with as if the offence has been committed within Singapore provided that the accused was in Singapore at the material time or the computer, program or data was in Singapore at the material time.
Most companies obtain software or services from third party vendors that have a local presence in Singapore through locally incorporated offices which would then place them within the territorial scope of the Computer Misuse Act.
Even if the third party vendor does not have a local presence and the third party vendor uses a subsidiary in a foreign country to contract, that would not be a problem if the data is in Singapore at the material time (for example, one could argue that this extends to the ability to access the data in Singapore via an interface even though the data is stored in servers outside of Singapore). This would mean the third party vendor will have to comply with the direction to provide the information to the specified person directed by the Singapore Government.
- No restriction on time-frame. One would assume that any direction issued would be reasonable in limiting the time-frame to the time period around the specific incident (e.g. server or application logs for a period of one year prior to). However, if a direction does not specify a time-frame for the information or which specifies a very long time-frame (which is possible since as it may not be possible at the time of issuing the direction to determine when the cyber exploitation took place i.e. the hacker may have exploited the vulnerability a long time ago), one would have to consider how far back to go in the information archives, and then to locate the information sources and collate the information. This could be resource intensive if the time-frame is long (e.g. tape drives have to be obtained from off-site locations, servers may have to be identified to load the data on the tape drives, search parameters have to be determined, the search results analysed, and then collated for the requesting party).
- Retention of the information by a person
While the proposed Bill tries to protect information which is disclosed to a person/company, I would have liked the Bill to require the deletion of information received by a specified person and the Singapore Government after the threat has been resolved, failing which there should be civil liability (vis-a-vis the specified person) arising from losses arising from the failure to delete.
No computer system is 100% impregnable and the repository for that information may itself be attacked for the amount of confidential and sensitive information that it may now contain. Companies that disclose information to specified persons or the Singapore Government should have the assurance that the information provided is deleted after the purpose for which the information was originally collected has ceased to exist.
The language in the proposed Bill is wide enough to require a company to monitor communications of individuals provided that it is to prevent, detect or counter any threat to the national security, essential services or defence or foreign relations of Singapore. For example, an ISP, email service provider, instant messaging provider or social media platform may be required to provide information (including real-time information) relating to the operation of its service (which could potentially include communications made by individuals over the service or platform).
To my knowledge, this will be the first instance of the Singapore statute books requiring certain companies/persons to provide a report of a breach or an attempted breach of computers, computer programs or computer systems. This is as close as Singapore has come to a breach notification requirement though it is not as stringent as breach notification requirements in other countries which are proactive in nature.