Singapore - Cybercrime law strengthened

On 28 February 2017, the Singapore Ministry of Defence reported that its systems had been compromised, resulting in the loss of personal data of 850 national servicemen and employees. Although no classified military data was stolen, this is a reminder that no organisation is free from cybersecurity threats.

Against this backdrop, the Computer Misuse and Cybersecurity (Amendment) Bill, which amends the current Computer Misuse and Cybersecurity Act (the “Act”), was passed in the Parliament in April 2017. The amendments to the Act broaden the scope of criminal offences to include dealing with personal information obtained in contravention of the Act and dealing with tools to commit an offence under the Act.

Dealing in hacked personal information

Under the amended Act, a person’s use of personal information, which the person knows or has reason to believe is obtained in contravention of the Act, will be a criminal offence regardless of whether they committed the contravening act. For example, a person will be committing an offence under the amended Act if he or she trades in credit card details obtained through hacking, even though he or she was not involved in that hack.

However, this reform has the risk of compromising the freedom of the public (such as journalists and researchers) to use information obtained through criminal means.  When asked in the Parliament if journalists or researchers could fall afoul of the amended Act as they may use leaked information that is derived from hacks, Senior Minister of State for Home Affairs stated that there is "nothing wrong" in reporting a hack, or for a researcher to use the leaked information, as long as they do not circulate specific personal information obtained through the hack. For example, there is no need to report on a specific victims' hacked credit card details when reporting a piece of news on cybercrime.

Dealing in cyber weapons

Under the amended Act, anyone who obtains, retains, sells, creates, supplies or uses methods to commit computer-related offences, or deliberately allows these products to be used, will be committing an offence.

Examples of such products include hacking tools, malware and port scanners, which are readily available online. 

Extra-territorial reach

It is currently not an offence to commit a criminal action outside Singapore against a computer located overseas, even if it impacts Singapore.

This will change in the amended Act which will have extraterritorial reach. The action will be an offence under the Act if it results in ‘serious harm’ to Singapore. ‘Serious harm’ to Singapore is defined as illness, injury or death of individuals in Singapore, disruption of essential services or the performance of any duty or function of the Singapore Government, or damage to national security, defence or foreign relations of Singapore. Examples of disruption of essential services include the publication of medical records or bank account numbers. In practice, enforcing the Act against an offender outside Singapore may be challenging.

Other changes to the Act include amalgamating charges for offences under the Act. Multiple offensive acts over a period of time may be combined under a single charge. The amended Act also allows for the application of enhanced penalties when the combined offensive acts result in high aggregate damage.

Much needed change

These amendments are welcome at a time where Singapore is facing increasing cybersecurity threats. The amendments aim to tackle the increasing scale and transnational nature of online crimes, as well as the evolving tactics of cybercriminals.

Together with the enactment of the new Cybersecurity Act, which is to be tabled in the Parliament this year, the amendment to the Act complements Singapore’s cybersecurity strategy to strengthen the country’s resilience to Singapore’s critical information infrastructures.

By Niranjan Arasaratnam, Adrian Fisher and Chung Yee Gui, Singapore