This is part II of my post on the proposed changes to the Computer Misuse Act (which will be known as the Computer Misuse and Cybersecurity Act after the changes).
The move by the Singapore Government to make changes to the Computer Misuse Act parallels the moves of other governments. The Washington Post reported that US President Obama signed Presidential Policy Directive 20 which set out "a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace". There are other pieces of cyber-security legislation winding their way through both the US House of Representatives and the US Senate which would permit the deployment of countermeasures. I also previously highlighted a UK parliamentary commission suggesting that proactive first-strike measures be taken in the event of a cyber attack.
The issue of active defence is controversial mainly because of an expansion in its scope and the challenges in implementing such measures. For example, the US Secretary of Defence Leon Panetta suggested the possibility of pre-emptive strikes, and a former FBI official suggested that companies should be allowed to take more aggressive action to defend themselves.
The Bill provides the legal cover for persons and companies in Singapore (at the direction of the Singapore Government) to potentially walk down that path (that is, if the Singapore Government ever decides that it is necessary to do so).
As the Bill does not limit the type of measures which the Singapore Government can direct a person to take, it could conceivably range from reactive defensive measures to proactive defensive measures to offensive measures. While no one can doubt the right to adopt reactive defensive measures within the perimeters of one's own network, the complications start to arise when measures are of a pre-emptive or intrusive nature.
To put this into context: if a hacker manages to steal proprietary information from your computer system, a reactive defensive measure would be to identify and close off the vulnerability or exploit that was used by the hacker to access your system. An example of a proactive and intrusive defensive measure could be the gaining of entry into the hacker's system to delete only the proprietary information which was stolen. An example of an offensive measure would be to deploy software within the hacker's systems to disrupt the systems of the hacker (think Stuxnet) or to conduct surveillance on the hacker's activities.
I am reminded by what Chief Justice Menon mentioned in his response to my question on amending the Computer Misuse Act. He said that while it was easy to say that we could have a carefully constructed exception to the general prohibitions against unauthorised access or use of a computer in the Computer Misuse Act, the practicalities of such an exception would be more complex. The upshot was that it would not be that easy to apply active defence measures in practice. I agree with him.
So, what could be the challenges of requiring the deployment of active defence measures (which are pre-emptive, intrusive or offensive in nature) in the context of the Bill?
What would constitute a threat to the national security, essential services or defence of Singapore or foreign relations of Singapore?
The term "foreign relations" is not defined and could also mean a host of things like espionage to Wikileaks.
The term "essential services" is defined as services "directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure, or emergency services such as police, civil defence or health services".
That definition covers a large swarth of companies (both domestic and foreign). I am not sure how many companies in these sectors are aware of this Bill (coverage in the mainstream media of the Bill was not prominent) but they should take note of it given the broad powers granted to the Singapore Government and the measures or requirements which they may be asked to implement or comply with, and the mere fact that all that is needed is a certificate from the Minister of Home Affairs that the Minister is satisfied that there is a threat to the national security, essential services or defence of Singapore or foreign relations of Singapore.
Are there limitations on the scope of measures which the specified person can take?
The Bill refers to “any measure or … requirement”. There is no restriction in the Bill on the type of measure which may be deployed. As mentioned earlier, these could take the form of both offensive (whether pre-emptive or retaliatory) and defensive (both reactive and proactive) measures.
The procedures and standards which will be applied by the Singapore Government in any particular cyber attack or exploitation will undoubtedly be highly classified (and rightfully so). These procedures and standards would probably need to address a range of issues:
- What are the standards that will be adopted to pass the test of being satisfied that the measures are necessary for preventing, detecting or countering a threat to national security, essential services, defence or foreign relations of Singapore?
While every person has the right to exercise self-defence, what about a pre-emptive strike in anticipation of an attack? How imminent must a threat be? How many threats or attacks must there be (a single threat or repeated attacks)?
- A question of attribution. Who is the attacker? It is not always possible to identify who the attacker is.
For example, there is still speculation as to which country or organisations were behind the Stuxnet virus (although many people point towards the U.S and Israel). Even if investigators are able to discover evidence within a virus, the investigators have to be circumspect as well given the possibility of false flags being embedded in the software code to throw investigators off the scent.
What if attackers have commandeered layered systems of innocent third parties (bot-nets) for the purposes of launching distributed-denial-of-service attacks?
What is the threshold of proof of the identity of the attacker which is required before a retaliation is warranted? Also, will the active defence measure be limited to the attacker's systems?
As a cyber attack can be launched from hijacked systems, retaliatory attacks may not be effective in situations where it is difficult to attribute responsibility and to limit the collateral damage.
- Assuming the attacker can be identified, what type of measures will be directed at the attacker? What would constitute a proportional response to the attack or the prospective attack?
- If the aggressor is a state or a state-backed actor (assuming that can be proved), could a pre-emptive action be viewed as an act of war? What is the potential for a cyber war triggering a hot war (i.e with missiles and guns)? For a brief discussion on the application of the Law of War to cyber threats, one can read this article.
- As the specified person has civil and criminal immunity if he does anything in good faith for the purpose of complying with any measure directed by the Minister, I think that the direction must contain very detailed and limited parameters so that specified persons (i) have the necessary comfort that they are able to execute with clear instructions and (ii) do not go act beyond the measures identified, and potentially result in escalation of hostilities or unnecessary collateral damage.
These parameters could include identifying the measure, the target, the resources to be used to execute the measure, timing, supporting agencies, co-ordinating instructions with other agencies, command and communication including reporting structure, and the desired outcome. It would certainly would not suffice if the direction was merely an instruction to "counter attempts by XYZ to gain unauthorised access to your system".
The proposed changes to the Computer Misuse Act and the broad powers granted onto the Executive are a reflection of where we are in this quickly evolving and dangerous world of multiple threats and actors, and where the cost of developing and delivering these threats is low compared to other physical/kinetic weapons.
Some may argue that in addressing threats (physical or otherwise), it would be unfair for the target of the attack to be constrained in the fight with one hand tied behind his back. The option of throwing a punch from a defensive crouch instead of merely taking body blows should be made available as new methods of delivering a focused punch can be developed in the future (and it would take too long for the legislative process to legalise that attempt).
However, the difficulties in taking the offensive suggests that the appropriate focus should be to establish and maintain a good defensive crouch first. As such, active defence measures should be considered as options to be considered further down the line of defence. Arguably, the hardening of systems and security by design are equally, if not, more important than active defence. If active defence measures are directed, it should be done with circumspection, clear direction and objectives, oversight and supervision as would be the case with all intrusions into unfamiliar ground. It is hoped that the Singapore Government has developed the procedures and standards for moving into that unfamiliar territory.