A cyber security government bill with unprecedented teeth?
The Singaporean Government has released a Cyber Security Bill that signifies a step change in the level of control and rigor being mandated from a legal and political perspective.
If you deliver cyber security services for organizations within this region, or if you run a business in Singapore - you need to be aware of the impact and details within this new bill.
A brave new step?
Many people will have noticed that just a few days ago, the Singaporean authorities unveiled their new Cyber Security Bill. The bill had gone through consultation with industry during 2017, and the second reading was presented in a speech given by Dr Yaacob Ibrahim at the 4th IEEE World Forum on IoT.
Many individuals and organizations may have skimmed over the news, thinking that it isn’t important to them as they are focused on delivering cyber security services in other markets around the world. However, the Singaporean Cyber Security Bill is arguably a brave new step by a government in shaping the cyber security market for the future.
Although its jurisdiction is focused on the Singaporean market, it is highly probable that its impact will ripple out across the globe, with many other governments and regulators taking note.
Call yourself a penetration tester?
Many people within the cyber security market recognize that there is a high degree of asymmetry of information between people buying cyber security services and those that are selling services. In addition, there are very few barriers to entry for individuals that want to call themselves cyber security experts.
In many territories, students can leave college, arm themselves with a copy of Nmap, Nessus and Metasploit and call themselves a Penetration Tester. As the majority of buyers around the world struggle to understand the difference between vulnerability analysis, penetration testing, red teaming and threat assessments, it is no wonder that buyers frequently become confused when they are buying services.
They know that they don’t want to be hacked (whatever that means), however they don’t know what type of activity they should be commissioning and they don’t know what type of individuals or companies they should be procuring it from.
The Singaporean Cyber Security Bill brings forth the idea of licensing both Penetration Testers and Security Operations Centers (SOC). The goal of this legislation is not to introduce friction or hinder innovation. Instead it is designed to demand that high standards are delivered and demonstrate what good looks like.
The individuals that deliver good and capable services will have the ability to demonstrate this clearly and concisely to the buying community. Those that don’t make the grade will not be given a license. If they are serious about delivering services in this space, this will arguably drive them towards improving their services and capabilities so that they meet the minimum licensable requirements.
Through building a licensed model for both Penetration Testers and SOC providers, the Singaporean government will effectively move the median point within its domestic market upwards, with the overall quality of services being improved.
Regulation, legislation vs innovation and market forces
In a fully functioning market, regulation and legislation are often seen to hinder innovation and stifle growth. However, even though we are clearly part of this industry, in truth we would have to accept that the market has elements of dysfunctionality about it.
The world is intrinsically connected, and Penetration Testing and SOC providers can, on the whole, deliver services from any corner of the globe. Yet the quality and consistency of these services varies hugely from country to country and region to region. In some territories around the world where there have been concerted efforts by academia, government and regulators to raise the bar, pockets of greatness have appeared. However, in other regions where the market has been left to its own devices, the result in many instances has been huge degrees of variability.
Global and cross border challenges
Cyber security is not something that can be tackled on a purely domestic basis. To be effective, we need to look at it globally, and collectively we need to consistently raise the bar, remove the asymmetry and upskill, and mature the industry as a whole.
If we walk into a hospital or health center in the UK to see a medical Doctor, even though we may not understand biology or medicine, we have an intrinsic trust that the Doctor we will see will be capable and proficient. If we were to do the same in the US, Singapore or central Europe, we would have the same level of confidence. We wouldn’t expect to be greeted by a Vet, a Dentist or a Lab Technician. A medical Doctor in all these countries should be able to consult with a patient with the same level of skill or expertise, regardless of the country they practice within.
Expecting professional experts
The cyber security industry needs to evolve and mature so it gets to the same point that the medical industry is in today. Perhaps the Singaporean Cyber Security Bill is a bold step that will move us one step towards this goal.
The concept of licensing Penetration Testers and SOC providers is an innovative approach to building more consistent standards across the Singaporean market.
How will this be applied?
However, it does present a number of questions that need to be addressed.
- What is a Singaporean Penetration Tester or SOC provider? Is it one that is legally based within the country, or one that delivers services into the country?
- Who has responsibility for ensuring the legislation is adhered to?
- Does the responsibility lie with the procurer of services or the organization delivering the services?
  To put it another way, if a global organization procures services in the USA that extend to one of their remote subsidiaries in Singapore, does the US organization have responsibility for determining that the service provider delivering services in Singapore is adequately licensed?
- In addition, if the Penetration Testing service provider was based in the USA, was contractually delivering services to a USA organization, yet sending pen testing traffic to a Singaporean organization, would they have to be licensed by the Singaporean Government?
- Lastly, what is a Penetration Test?
  Does the Singaporean Government class a Penetration Test differently to a vulnerability scan, a red teaming exercise, or an on-box security audit?
With fines of S$50,000 and two years in jail, it isn’t something that a cyber security company would want to get wrong!
Verdict: Good move? Or the wrong approach to be taking?
We have seen many individuals complain that cyber security regulation, standards and compliance frameworks are effectively a tax on organizations. Although we are not going to argue against this view, maybe this move by the Singaporean Government is heralding another way of thinking.
The cyber security market in 2018 continues to grow rapidly as organizations create, consume and analyse ballooning amounts of data. In an industry that has existed for more than two decades, we continue to see multinational organizations such as Equifax being compromised, and organizations such as Maersk and the NHS being compromised by untargeted and indiscriminate ransomware.
In a fully functional market, would we really see this type of fallout? If regulation and legislation improve the cyber hygiene of organizations that hold your data and my data, isn’t that a good thing?
Perhaps it is time for governments around the world to look at the Singaporean Cyber Security Bill, and introduce legislative controls to help remove the market asymmetry and raise the bar on an international basis.