Singapore wants datacenters, clouds, regulated like critical infrastructure
Even systems located outside city-state could be considered 'foundational' and face performance demands
Singapore's government has proposed amendments to its 2018-era Cybersecurity Bill that would extend the oversight of its cyber security agency to cloud service providers and datacenter operators.
A government notice posted late last week explained that the purpose – or part of it at least – is to "look beyond the critical information infrastructure (CII) to ensure the cyber security of other important systems and infrastructure."
The Cybersecurity Agency of Singapore (CSA) named the energy, water, banking and finance, healthcare, land transport, maritime, aviation, government, infocomm, media, and security and emergency services sectors as operators of CII.
But in its proposed amendment it adds a new term: foundational digital infrastructure services. The CSA specifically details that the term encompasses cloud computing services – both inside and outside of Singapore – and datacenter facility services within the city-state's borders.
The proposed changes would lump the new category of foundational infrastructure in with CII in many ways, requiring its providers to ensure the continuous delivery of services, prevent the compromise of systems, and maintain other safeguards.
This could include, among others, the likes of cloud service providers AWS and Google and datacenter operators such as Equinix. In October, an outage at an Equinix datacenter in Singapore, plus failed disaster recovery plans on the part of banks that used the datacenter, led to an afternoon of financial chaos. Approximately 2.5 million transactions failed as a consequence of the outage.
The government has not specified that the outage and its proposed amendments are related – however the incident does illustrate potential motivation for increased regulation of these industries.
Under the changes, orgs covered by the new categories will also be responsible for reporting any cyber attacks within a prescribed period that reportedly amounts to hours.
The amendments would also extend the CSA commissioner's oversight. The datacenters and cloud service providers will have to comply with requests from commissioner David Koh, which can come in the form of audits, requests for information on datacenter designs, a written directive, or more.
The proposed amendments also state that Koh may designate a computer system as critical information infrastructure, even if it is outside the city-state's borders. To do so, Koh must be satisfied it is "necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore."
Entities and institutions engaging in joint projects with the Singapore government that deal with sensitive or critical data and systems could also be held to the same standard of CII, as cyber attacks on them could constitute a cyber attack on the city-state.
And temporary systems – such as those in place for high profile events – come under similar rules for a shortened period of one year.
Failing to comply with the proposed requirements would result in penalties and fines.
More details are to be fleshed out after industry consultation on what is required of digital infrastructure players – both permanent and temporary – so expect more legislation to come. In the meantime, the bill is under consultation from 15 December 2023 until 15 January 2024.