So I finally got round to reading about the new Draft Singapore Cybersecurity Bill this weekend and I have to say it is very interesting.

The stand out points for me:

  • The Bill will create official Critical Information Infrastructure (CII) in Singapore “any computer or computer system necessary for the continuous delivery of essential information services.”
  • The CII’s will then have designated owners who will be appointed statutory duties specific to the cybersecurity of the CII.
  • Singapore will create a Cyber Commissioner who “will have significant powers to respond to, and prevent, Singapore cybersecurity incidents…..and where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities.”

Having been fortunate enough to run cyber attack simulations with some of the best teams in Australia, I can say that most incident responses ultimately come down to a risk decision for the team or organisation. This legislation appears (at a certain threat level) to take that risk decision out of the hands of the organisation and gives it to the government.

Definitely an interesting one to watch.

The Draft Bill can be found here: