SINGAPORE intends to introduce a Digital Infrastructure Act to govern key digital infrastructure service providers, in order to address resilience and security risks.
“Large cloud service providers and data centres are crucial to the functioning of a wide array of digital services that enterprises and consumers use daily,” said Minister for Communications and Information (MCI) Josephine Teo during her ministry’s Committee of Supply debate on Friday (Mar 1).
“These operators may therefore need to meet higher security and resilience standards, to reduce the likelihood of systemic disruptions,” she said.
In a media release on the proposed law, MCI noted that disruptions may occur even without cyberattacks, as seen in the four-hour Equinix data centre outage on Oct 14 that disrupted digital banking services.
It was later found that a mistake made by Equinix’s vendor contractor during a planned control system upgrade led to the overheating of some of the data centre’s halls.
“Hence, it is necessary for the government to go beyond the Cybersecurity Act to enhance the resilience and security of other digital infrastructure and services that enterprises and citizens rely heavily on in our highly digitalised economy and society,” the ministry said.
The existing Cybersecurity Act governs the cybersecurity and resilience of critical information infrastructure necessary for the continuous delivery of essential services.
Teo said that an amendment bill next week will also expand the Cybersecurity Act’s coverage to include data centres, cloud services and key entities that may hold sensitive data or perform important public functions.
For the upcoming Digital Infrastructure Act, an inter-agency task force has been studying other countries’ measures to address risks to digital infrastructure and service providers’ resilience and security.
These could range from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures.
Teo said that the task force will continue to consult industry players and relevant stakeholders as it develops its proposals.
Other jurisdictions, such as the European Union (EU), Germany and Australia, have introduced regulations to enhance the security and resilience of digital infrastructure.
In the EU, the NIS2 Directive came into force in 2023, aiming to improve the resilience and incident response capacities of public and private entities, authorities and the EU as a whole.
One of the points that the NIS2 Directive makes is that there should be no detrimental effects on whoever discloses vulnerabilities affecting infocomm technology products and services.
It also calls for the establishment of a European vulnerability database where suppliers of network and information systems, as well as authorities and Computer Security Incident Response Teams (CSIRTs), can make voluntary disclosures of vulnerabilities.
“Sources of publicly available information about vulnerabilities are an important tool for the entities and for the users of their services, but also for the competent authorities and the CSIRTs,” it said.