Cyber Security
The law society of Singapore Cyber Security Conference 2018 By Jane Lo, Singapore Correspondent
I
n April last year, “Shadow Brokers”, a group that operated in the Dark Web, leaked a new batch of attack tools and zero-day exploits files allegedly stolen from the NSA in 2013, and triggered the WannaCry chaos in May 2017. WannaCry, and its derivatives (Petya and NotPetya) affected computers in more than 100 countries across the globe, hitting critical infrastructures, and hospitals in UK. Within the region, according to the Singapore Computer Emergency Response Team (SingCERT) from the Cyber Security Agency of Singapore (CSA), “about 500 Singapore IPs could have been affected” by the ransomware attacks. DLA Pipper, a prominent law firm, was also a victim of the attacks. Cyber attacks could be potentially stressful if law firms do not have a ready back-up plan to allow lawyers access to their documents for trial preparations or motions to meet a deadline, or worse, if the information is leaked to competitors or held for ransom. With global and local developments in laws on cybersecurity and data protection, The Law Society’s inaugural Cybersecurity Conference brought by the Cybersecuity and Data Protection Committee could not be more timely.
34 | Australian Cyber Security Magazine
Here we look at some key takeaways from the keynotes and the panel discussions.
b.
Singapore Cybersecurity Act Dr Janil Puthucheary - Senior Minister of State, Ministry of Transport & Ministry of Communications and Information, in his key note address, noted platforms such as the United Nations Group of Governmental Experts (UNGGE), and the ASEAN Ministerial Conference on Cybersecurity (AMCC) to develop global and regional cyber norms. He also highlighted the Singapore Cybersecurity Act, which was passed into law by Parliament in February 2018, and received the President’s Assent in March 2018. The Act requires operators of 11 CII sectors - Government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency and media – to secure their infrastructure and report incidents. It has four key objectives: a.
First, to strengthen the protection of CII against cyber-attacks. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their
c.
d.
obligations to protect CII from cyber-attacks. Second, to authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cyber threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising. Third, to establish a light-touch licensing framework for cybersecurity service providers. Cybersecurity service providers often have significant access into their clients’ sensitive computer systems and networks. Such services, if abused, can compromise and disrupt the clients’ operations. A licensing framework will give businesses and clients more assurance, and is part of our strategy to raise the quality of cybersecurity services in the long run. Fourth, to establish a framework for sharing Cybersecurity Information. The Act facilitates information sharing, which is critical as timely information helps the government and owners of computer systems identify vulnerabilities and prevent cyber incidents more effectively. The Act provides a framework for CSA to request information,