The Singapore government has proposed amendments to the Cybersecurity Bill 2018 that would expand the scope of the cybersecurity agency’s oversight to include cloud service providers and data center operators.
a government notification In a post late last week, he said the purpose, or at least part of it, was to “beyond critical information infrastructure (CII) to ensure the cybersecurity of other critical systems and infrastructure.” explained.
Cyber Security Authority of Singapore (CSA) named CII operators include the energy, water, banking and finance, healthcare, land transportation, maritime, aviation, government, information and communications, media, security and emergency services sectors.
However, the proposed amendments add a new term: basic digital infrastructure services. The CSA specifically elaborates that the term includes cloud computing services within and outside Singapore and data center facility services within the city-state borders.
The proposed changes require that a new category of underlying infrastructure be lumped together with CII in various ways to ensure continuous provision of services and to prevent compromise of systems and other safeguards. Masu.
This could include cloud service providers such as AWS, Google, and data center operators such as Equinix. In October, an outage at Equinix’s data center in Singapore, followed by failure of disaster recovery plans by the banks using the data center, sparked an afternoon of financial turmoil. Approximately 2.5 million transactions failed as a result of the outage.
Although the government has not explicitly stated that the outages and the proposed amendments are related, the incident points to potential motivation for tighter regulation of these industries.
With this change, organizations covered by the new category will also be responsible for reporting cyber-attacks within a given period. reportedly corresponds to time.
This amendment will also expand the scope of oversight of the CSA Director. Data centers and cloud service providers must comply with requests from Commissioner David Coe, which may take the form of audits, requests for information on data center design, and written instructions.
The proposed amendment also specifies that Coe can designate computer systems as critical information infrastructure even if they are located outside the city-state’s boundaries. To that end, Mr Koh said, “the loss or compromise of a computer or computer system that is necessary for the continued provision of essential services would have the effect of reducing the availability of essential services in Singapore”. I need to convince you of that.
Entities and agencies engaged in joint projects with the Singapore government that handle sensitive or critical data and systems may also be subject to the same CII standards, as a cyber-attack against them could amount to a cyber-attack against the city-state.
Similar rules also apply to temporary systems introduced for high-profile events for a reduced period of one year.
Failure to comply with the proposed requirements will result in penalties and fines.
Further legislation is expected as details will be fleshed out following industry consultation on what is required of permanent and temporary digital infrastructure players. In the meantime, this bill is under consideration from his December 15, 2023 to January 15, 2024 date.