(Delivered in Parliament on 3 April 2017)
Madam, the threats of cyber attacks have increased in recent years. Such attacks affect government agencies as well as companies and individuals.
Attacks on government IT systems may have national security implications. Recently Mindef’s I-net system was breached and the personal details of 850 national servicemen and staff at the Ministry of Defence (Mindef) were stolen in what Mindef has described as a “targeted and carefully planned” cyber attack.
Internationally, foreign governments or element have been accused of hacking into political party emails and servers purportedly for political gains. An example would be the alleged hackings on email servers during the last US Presidential Elections campaign.
Cyber attacks also affect businesses and individuals causing financial losses and breach of confidential information eg downtime, loss of confidential business information or leaking of customer data. In October 2016, Starhub’s servers came under cyber attacks, preventing its customers from going online for two days.
The existing Computer Misuse and Cybersecurity Act (CMCA) grants powers for law enforcement agencies to investigate and take actions against individuals or companies behind acts of cybercrime.
As the incidence of cyber attacks increase, as culprits of cybercrimes get bolder and smarter, we have to take appropriate and proportionate actions against such crimes and their perpetrators.
The Computer Misuse and Cybersecurity Amendment Bill introduces four main changes:
- Creating a new offence to obtain, retain or supply personal information obtained through an earlier act of cybercrime.
- Creating a new offence for obtaining items which can be used to commit an offence under the Act.
- Making it an offence certain acts which are committed overseas, and targeting overseas based computers, but which creates a significant risk of serious harm in Singapore.
- Amalgating charges for offences under the Act
Madam, in the explanatory note to this Bill, we read that this Bill seeks to amend the Act “primarily to deal with the changing modus operandi with which computer offences are carried out”. While I support this Bill, I have two concerns with the amendments.
Clause 3 provides for a new 8A(6) and I quote: “For the purpose of proving under subsection (1) that a person knows of has reason to believe that any personal information was obtained by an act done in contravention of section 3, 4, 5 or 6 it is not necessary for the prosecution to prove the particulars of contravention, such as who carried out the contravention and when it took place.”
This section is doing away with the need for the prosecution to prove the particulars of contravention such as who carried out the contravention and when it took place. Madam, I am somewhat uncomfortable with the prosecution being relieved of the burden to prove the particulars of the contravention in question. I think these are fundamental issues which the prosecution should prove before another person can be charged and convicted of obtaining or retaining or making use of the information in question.
While I agree that we need to enhance our efforts to tackle and prosecute cybercrimes, we should really limit easing the burden of proof in this way. There must be a strong justification before we allow such burden to be eased.
Madam, I next refer to the amendments contained in Clause 4 which pertains to the amendment of Section 11 of the Act. This broadens the courts’ jurisdiction to offences that cause “serious harm” to Singapore, and harm is defined, inter alia, as “serious diminution of public confidence in the provision of any essential service or exercise of any power” in sub section (4)(b) and “a disruption of, or a serious diminution of public confidence in, the performance of any duty or function of, or the exercise of any power by the Government, an Organ of State, a statutory board…” etc. I am concerned that this term may seem unnecessarily broad. How does one define “serious diminution of public confidence”? How do we expect the courts to decide what constitutes “serious diminution of public confidence”?
Finally, in closing, at the 2016 Budget Debate, Minister Yaacob Ibrahim said that there will be a new, standalone Cybersecurity Bill that will be tabled in Parliament in 2017 which will I quote “ensure that operators take proactive steps to secure our critical information infrastructure, and report incidents” and also “empower the Cyber Security Agency (CSA) to manage cyber incidents and raise the standards of cybersecurity providers in Singapore”. In light of the recent incidents, may I take the opportunity to ask the Government to update the House on the Government’s plans for that, even though I know this is from a different ministry?
Madam, I support the Bill.