We live in an age of rapid digitisation where mobile communication and cloud computing have dramatically increased cyber connectivity.
The economic benefits of digitisation are shown by leading companies such as Google, Amazon, Facebook, Uber, Airbnb, Tencent and Alibaba. Digitisation has, however, produced economic threats such as hacking, cyber espionage and fake news.
As a result, cyber security has become a key concern for countries, businesses and consumers. More than just a technical issue, cyber security is economically important. Cyber risk management involves controlling the negative aspects of the digital economy and protecting its benefits. Singapore's ability to manage the myriad of fast evolving threats to cyber security will determine its future economic trajectory.
On July 10, Singapore's Government released a draft Cyber Security Bill for public consultation that ended recently. The Bill proposes handing broad authority to the Cyber Security Agency (CSA) to coordinate efforts and to designate owners of critical information infrastructure (CII). It formalises the duties of CII owners in ensuring their own cyber security, including conducting regular audits of compliance and making regular assessments of cyber threats. Failure to comply is a criminal offence carrying a maximum fine of $100,000 or a 10-year jail term, or both.
The Bill focuses on CII owners, but its impact is much broader because many organisations have business ties with CII owners.
The Bill shows that Singapore is taking a holistic approach to cyber threats to protect the system of CII.
Although the Bill is comprehensive, it is unrealistic to expect it to cover all aspects of cyber threats or enumerate every possible situation. The Bill largely addresses computer systems, and less so false information and fake news on social media. It also does not seek to identify and prosecute the perpetrators of cyber crimes, which the law enforcement authorities are responsible for.
Research reveals that the efficacy of rules-based regulation declines when complexity increases, and the marginal benefit of compliance decreases when the cost exceeds a threshold. As such, we must weigh the cost of compliance and the economic benefit from strengthening cyber security.
To be sure, the Bill carries risks and rewards should it be passed into law. On the upside, the Bill will help Singapore become a Smart Nation by enhancing its cyber security and information security technology. That will give the country a competitive edge and secure its leadership as a regional centre of finance, shipping and aviation.
The downside is that the costs of regulatory compliance and audits may hurt Singapore's economic competitiveness and deter international investors.
The public needs to be kept apprised of how the Bill's regulatory demands would be met, and an analysis of the economic costs and benefits. Singapore needs to set practical parameters and focus on pragmatic solutions. Regulatory compliance by itself is not enough to tackle cyber criminals from around the world, and spending more on bolstering cyber security may not always work. Companies should, nevertheless, be encouraged to step up their cyber defence capability.
What will become most relevant are regulations specific to individual sectors. The efficacy of Singapore's cyber security will depend on how the legislative Bill is translated into sector-specific regulations. The Government says it will impose reasonable regulatory requirements on CII owners, and harmonise current sector-specific regulations with the Cyber Security Bill.
No matter how much effort is invested in drafting the legislative Bill, there is not a "one-size-fits-all" solution to cyber security, as CII varies in importance. There are also questions on how small and mid-sized companies - many of whom provide services to CII owners - would be affected by cyber attacks. Some software vendors and cloud service providers operate internationally, and it is not clear how the Bill would affect them. Perhaps the Bill can give more leeway to the commissioner of the CSA in carrying out his work.
The real benefit of the Bill will be seen in how it is translated to regulations for individual sectors.
It could spur Singapore to develop innovative risk management solutions by using the expertise of insurance and information security firms in a cost-effective way. That would ease CII owners' regulatory burden and provide them with prevention measures and post-breach recovery plans.
Indeed, legalising the Bill could help Singapore to develop a robust cyber security system and risk management industry. The success of the Bill hinges on whether it enables business solutions to enhance cyber security.