Monday, 26 November 2012

Singapore: Computer Misuse and Cybersecurity Act (Part II)


This is part II of my post on the proposed changes to the Computer Misuse Act (which will be known as the Computer Misuse and Cybersecurity Act after the changes). 

Active Defence

The move by the Singapore Government to amend the Computer Misuse Act parallels the moves of other governments. The Washington Post reported that US President Obama signed Presidential Policy Directive 20, which set out "a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace". There are other pieces of cyber-security legislation winding their way through both the US House of Representatives and the US Senate which would permit the deployment of countermeasures. I also previously highlighted a UK parliamentary commission suggesting that proactive first-strike measures be taken in the event of a cyber attack.

The issue of active defence is controversial mainly because of an expansion in its scope and the challenges in implementing such measures. For example, the US Secretary of Defence Leon Panetta suggested the possibility of pre-emptive strikes, and a former FBI official suggested that companies should be allowed to take more aggressive action to defend themselves.

The Bill provides the legal cover for persons and companies in Singapore (at the direction of the Singapore Government) to potentially walk down that path (that is, if the Singapore Government ever decides that it is necessary to do so).

As the Bill does not limit the type of measures which the Singapore Government can direct a person to take, they could conceivably range from reactive defensive measures to proactive defensive measures to offensive measures. While no one can doubt the right to adopt reactive defensive measures within the perimeter of one's own network, the complications start to arise when measures are of a pre-emptive or intrusive nature.

To put this into context: if a hacker manages to steal proprietary information from your computer system, a reactive defensive measure would be to identify and close off the vulnerability or exploit that was used by the hacker to access your system. An example of a proactive and intrusive defensive measure could be the gaining of entry into the hacker's system to delete only the proprietary information which was stolen. An example of an offensive measure would be to deploy software within the hacker's systems to disrupt the systems of the hacker (think Stuxnet) or to conduct surveillance on the hacker's activities. 

I am reminded of what Chief Justice Menon mentioned in his response to my question on amending the Computer Misuse Act. He said that while it was easy to say that we could have a carefully constructed exception to the general prohibitions against unauthorised access or use of a computer in the Computer Misuse Act, the practicalities of such an exception would be more complex. The upshot was that it would not be that easy to apply active defence measures in practice. I agree with him.

So, what could be the challenges of requiring the deployment of active defence measures (which are pre-emptive, intrusive or offensive in nature) in the context of the Bill?

What would constitute a threat to the national security, essential services or defence of Singapore or foreign relations of Singapore? 

The term "foreign relations" is not defined and could mean a host of things, from espionage to Wikileaks.

The term "essential services" is defined as services "directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure, or emergency services such as police, civil defence or health services".

That definition covers a large swathe of companies (both domestic and foreign). I am not sure how many companies in these sectors are aware of this Bill (coverage of the Bill in the mainstream media was not prominent), but they should take note of it given the broad powers granted to the Singapore Government, the measures or requirements which they may be asked to implement or comply with, and the mere fact that all that is needed is a certificate from the Minister of Home Affairs that the Minister is satisfied that there is a threat to the national security, essential services or defence of Singapore or foreign relations of Singapore.

Are there limitations on the scope of measures which the specified person can take? 

The Bill refers to “any measure or … requirement”. There is no restriction in the Bill on the type of measure which may be deployed. As mentioned earlier, these could take the form of both offensive (whether pre-emptive or retaliatory) and defensive (both reactive and proactive) measures.

The procedures and standards which will be applied by the Singapore Government in any particular cyber attack or exploitation will undoubtedly be highly classified (and rightfully so). These procedures and standards would probably need to address a range of issues: 

  • What are the standards that will be adopted to pass the test of being satisfied that the measures are necessary for preventing, detecting or countering a threat to national security, essential services, defence or foreign relations of Singapore?
    While every person has the right to exercise self-defence, what about a pre-emptive strike in anticipation of an attack? How imminent must a threat be? How many threats or attacks must there be (a single threat or repeated attacks)?
  • A question of attribution. Who is the attacker? It is not always possible to identify who the attacker is.
    For example, there is still speculation as to which country or organisations were behind the Stuxnet virus (although many people point towards the U.S. and Israel). Even if investigators are able to discover evidence within a virus, the investigators have to be circumspect as well, given the possibility of false flags being embedded in the software code to throw investigators off the scent.
    What if attackers have commandeered layered systems of innocent third parties (bot-nets) for the purposes of launching distributed denial-of-service attacks?
    What is the threshold of proof of the identity of the attacker which is required before a retaliation is warranted? Also, will the active defence measure be limited to the attacker's systems?
    As a cyber attack can be launched from hijacked systems, retaliatory attacks may not be effective in situations where it is difficult to attribute responsibility and to limit the collateral damage.
  • Assuming the attacker can be identified, what type of measures will be directed at the attacker? What would constitute a proportional response to the attack or the prospective attack?
  • If the aggressor is a state or a state-backed actor (assuming that can be proved), could a pre-emptive action be viewed as an act of war? What is the potential for a cyber war triggering a hot war (i.e. with missiles and guns)? For a brief discussion on the application of the Law of War to cyber threats, one can read this article.
  • As the specified person has civil and criminal immunity if he does anything in good faith for the purpose of complying with any measure directed by the Minister, I think that the direction must contain very detailed and limited parameters so that specified persons (i) have the necessary comfort that they are able to execute with clear instructions and (ii) do not act beyond the measures identified, potentially resulting in an escalation of hostilities or unnecessary collateral damage.
    These parameters could include identifying the measure, the target, the resources to be used to execute the measure, timing, supporting agencies, co-ordinating instructions with other agencies, command and communication including reporting structure, and the desired outcome. It would certainly not suffice if the direction was merely an instruction to "counter attempts by XYZ to gain unauthorised access to your system".

The proposed changes to the Computer Misuse Act and the broad powers granted to the Executive are a reflection of where we are in this quickly evolving and dangerous world of multiple threats and actors, where the cost of developing and delivering these threats is low compared to other physical/kinetic weapons.

Some may argue that in addressing threats (physical or otherwise), it would be unfair for the target of the attack to be constrained in the fight with one hand tied behind his back. The option of throwing a punch from a defensive crouch instead of merely taking body blows should be made available as new methods of delivering a focused punch can be developed in the future (and it would take too long for the legislative process to legalise that attempt).

However, the difficulties in taking the offensive suggest that the appropriate focus should be to establish and maintain a good defensive crouch first. As such, active defence measures should be treated as options to be considered further down the line of defence. Arguably, the hardening of systems and security by design are equally, if not more, important than active defence. If active defence measures are directed, it should be done with circumspection, clear direction and objectives, oversight and supervision, as would be the case with all intrusions into unfamiliar ground. It is hoped that the Singapore Government has developed the procedures and standards for moving into that unfamiliar territory.

Singapore: Computer Misuse and Cybersecurity Act (Part I)

This is a bit overdue but better late than never. 

When US Attorney General Eric Holder was in Singapore to give a talk at the Singapore Academy of Law, I had asked what A-G Holder, the Singapore Foreign Affairs and Law Minister K Shanmugam and the Chief Justice of Singapore Sundaresh Menon thought about companies moving towards unilateral action to actively interrupt or disrupt the systems or activities of hackers (otherwise known as active defence or hack the hacker). I had also asked whether Chief Justice Menon and Minister Shanmugam thought that it would be worthwhile considering looking at Singapore's Computer Misuse Act and whether an exemption relating to active defence could be included so that companies taking such action would not fall foul of the law (the Singapore Computer Misuse Act in its present form makes interrupting or disrupting the systems of a hacker an illegal act). 

That was in July 2012.

On November 12, 2012, a Bill was introduced in the Singapore Parliament to amend the Computer Misuse Act (which will be called the Computer Misuse and Cybersecurity Act).

The Changes

In summary, the changes to the Act will allow the Minister of Home Affairs to:
  • authorise or direct a company or person (called the “specified person” … remember that term) to take measures to prevent, detect or counter any threat. Such steps must be for the purpose of preventing, detecting or countering any threat to national security, essential services or defence of Singapore or foreign relations of Singapore. 
  • require the specified person to provide any information to the Minister that would be necessary to prevent, detect or counter the threat. 
  • require the specified person to direct another person or company to provide any information.
  • require the specified person to provide the Singapore Government with a report of a breach or an attempted breach of security of the specified person's computer system. 
It is an offence not to comply with the directions of the Government or the directions of the specified person. The penalty is a fine of S$50,000 or up to 10 years in jail, or both.

What I will be trying to do over two posts is to describe the possible implications of the changes. Here goes.

Broad information gathering powers

The Minister can require the provision of information relating to the design, configuration or operation of any computer, computer program or computer service, and any information relating to the security of any computer, computer program or computer service (section 15A(2)).

This power to obtain information is quite broad on several levels:
  • Type of information. The Bill refers to “any information that is necessary to identify, detect or counter any threat”. The Bill also provides examples of what information may be required: information relating to the design, configuration or operation of any computer service, and information relating to the security of any computer, computer program or computer service. (As a side-note, I don’t really understand the drafter’s intention in splitting up the examples in section 15A(2)(b)(i) and (ii). Why not just combine the two examples as “information relating to the design, configuration, security or operation of any computer service, and information”?)
    "Any information" is pretty broad.
    This could conceivably extend to personally identifiable information. I would have liked the Bill to specifically exclude personally identifiable information of individuals unrelated to the incident, or to have a provision which requires reasonable efforts to strip out personally identifiable information of individuals unrelated to the incident. Such a provision is present in the PRECISE Act, H.R. 3674 (section 248) and the Cybersecurity Act, S. 2105.
    It could even include highly sensitive information like software source code. The concern here relates to the Minister requiring a person who licenses software from a software vendor to direct the vendor to provide a copy of its software source code. Would the vendor need to send the source code through the specified person? The way section 15A(2)(c) seems to work is that the vendor would need to send the information through the specified person to the Singapore Government. The relevant words are:
    “providing to the Minister or a public officer authorised by him any information … obtained by the specified person from another person pursuant to a measure or requirement under paragraph [15A(2)(b)]”
    I would have liked there to be an option for that other person to provide the highly sensitive information directly to the Singapore Government instead of through the specified person. This would be reasonable as there is no need for a private entity to have access to such sensitive information (especially if the information has an impact on the commercial relationship between the parties), and there is no guarantee that all the vulnerabilities within the specified person (who was the target of the exploitation) have been resolved.
    In the source code example, a possible practical work-around would be for the direction to require the vendor to obtain a source code audit itself, and to share the results of the audit with the Singapore Government.
    Section 15A(2)(b) and (c) should also clarify that a person should only be required to provide information which is in its possession or under its control, or which it is reasonably practicable for the person to provide. These would then be similar to the defences present in section 59 of the Telecommunications Act.
  • Type of service. The Bill covers computers, software, computer services (e.g. cloud services). The definition of computers in the Act is wide enough to cover almost all computer related devices, systems and networks.
  • Persons covered. The Bill allows the Minister to authorise the specified person to direct another person to provide information to the Singapore Government. This other person could be a third party vendor/outsourcer/cloud service provider/etc. that provides software or services to the specified person.
    It would be an offence for that third party vendor to fail (without reasonable excuse) to comply with the direction of the specified person. This has considerable implications for companies which outsource or obtain software or services from a third party vendor, and more importantly, for the vendors themselves.
  • Territoriality. The Computer Misuse Act already contains a provision (section 11) which states that the Act has effect in relation to any person regardless of his nationality or citizenship or whether he is in or outside of Singapore. The Act goes on to say that where an offence under the Act is committed by any person outside Singapore, he may be dealt with as if the offence had been committed within Singapore, provided that the accused was in Singapore at the material time or the computer, program or data was in Singapore at the material time.
    Most companies obtain software or services from third party vendors that have a local presence in Singapore through locally incorporated offices, which would then place them within the territorial scope of the Computer Misuse Act.
    Even if the third party vendor does not have a local presence and uses a subsidiary in a foreign country to contract, that would not be a problem if the data is in Singapore at the material time (for example, one could argue that this extends to the ability to access the data in Singapore via an interface even though the data is stored on servers outside of Singapore). This would mean the third party vendor will have to comply with the direction to provide the information to the specified person directed by the Singapore Government.
  • No restriction on time-frame. One would assume that any direction issued would be reasonable in limiting the time-frame to the time period around the specific incident (e.g. server or application logs for a period of one year prior to the incident). However, if a direction does not specify a time-frame for the information, or specifies a very long time-frame (which is possible, as it may not be possible at the time of issuing the direction to determine when the cyber exploitation took place, i.e. the hacker may have exploited the vulnerability a long time ago), one would have to consider how far back to go in the information archives, and then locate the information sources and collate the information. This could be resource intensive if the time-frame is long (e.g. tape drives have to be obtained from off-site locations, servers may have to be identified to load the data on the tape drives, search parameters have to be determined, the search results analysed, and then collated for the requesting party).
  • Retention of the information by a person. While the proposed Bill tries to protect information which is disclosed to a person/company, I would have liked the Bill to require the deletion of information received by a specified person and the Singapore Government after the threat has been resolved, failing which there should be civil liability (vis-a-vis the specified person) for losses arising from the failure to delete.
    No computer system is 100% impregnable, and the repository for that information may itself be attacked because of the amount of confidential and sensitive information that it may now contain. Companies that disclose information to specified persons or the Singapore Government should have the assurance that the information provided is deleted after the purpose for which the information was originally collected has ceased to exist.

The potential ability to monitor communications

The language in the proposed Bill is wide enough to require a company to monitor communications of individuals provided that it is to prevent, detect or counter any threat to the national security, essential services or defence or foreign relations of Singapore. For example, an ISP, email service provider, instant messaging provider or social media platform may be required to provide information (including real-time information) relating to the operation of its service (which could potentially include communications made by individuals over the service or platform).

Breach report

To my knowledge, this will be the first instance in the Singapore statute books of a requirement for certain companies/persons to provide a report of a breach or an attempted breach of computers, computer programs or computer systems. This is as close as Singapore has come to a breach notification requirement, though it is not as stringent as the breach notification requirements in other countries, which are proactive in nature.