March 1, 2013
In the case of a cyber attack or a potential cyber attack, the Computer Misuse Act (Act) empowers the Minister to authorise a person (including a private individual or organisation) to take such measures as may be necessary to prevent or counter such attacks.
In view of the prevalence of cyber attacks in recent times, amendments were made to the Computer Misuse Act to widen the powers given to the Minister. The Computer Misuse (Amendment) Act 2013 (Amendment Act) was passed by Parliament in January 2013, and will come into force shortly.
With the amendments to the Act, the Government is able to take more effective and timely measures to prevent, detect and counter cyber attacks that may threaten Singapore’s national security, essential services, defence or foreign relations. “Essential services” include:
- services directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure; and
- emergency services such as police, civil defence or health services.
The Minister may authorise or direct a person (referred to in the Amendment Act as a “specified person”) to take such measures or comply with such requirements as may be necessary to prevent or counter cyber attacks. Specified persons are expected to take the necessary measures and comply with the Minister’s orders at their own cost. Failure to do so is an offence.
Specified persons are, in turn, authorised to give directions to another person for the purpose of enabling the specified person to take such measures as are required to prevent or counter the cyber attacks. Any person who, without reasonable excuse, fails to comply with the directions of a specified person, will also be guilty of an offence.
The punishment for these two offences is a fine not exceeding S$50,000 or imprisonment for a term of up to 10 years, or both.
The Amendment Act provides that any directions given pursuant to the Act shall have effect notwithstanding any obligation, immunity or privilege imposed or conferred on a person under any law, contract or rules of professional conduct.
Recognising the harsh effect on the person directed to take the necessary measures, the Amendment Act also provides that no criminal or civil liability will be incurred by such person in relation to any act or omission of the person in complying with its obligations under the Act.
An example of the effect of the Amendment Act is this: When the Government receives intelligence of a planned cyber attack against Singapore’s banking system, the Minister can order telecommunications companies and banks (i.e. the “specified persons”) to provide information on their computer systems and networks and to take such measures as the Minister shall direct. If the information is not in the possession of the telecommunications companies or banks, they will have to direct their IT vendors to release the information. The telecommunications companies, banks and their respective IT vendors are not excused from compliance on the basis that the information constitutes trade secrets, or that they are under a duty of confidentiality. If they do not comply, they will be guilty of an offence.
Although great inconvenience can be caused to persons who are directed to comply with the Minster’s orders, the wide powers conferred on the Minister are necessary in order to avoid catastrophes which may be caused by crippling cyber attacks!