Cybersecurity: Does It Go Far Enough?
By Philip Mahboobani
Both Singapore and the UK, as leading information systems hubs, have focused on developing protection against cyber threats. Singapore has utilised a four-pillar strategy: strengthening international partnerships (namely with the UK), developing a vibrant cybersecurity ecosystem, creating a safer cyberspace environment, and building a resilient infrastructure. The UK has similarly sought international collaboration as well as involvement with security agencies to enhance cybersecurity. This article will analyse whether cybersecurity has been addressed to the fullest extent in light of recent developments, and how both the UK and Singapore may adapt their strategies in response.
Recent PDPA Developments in Singapore
The amendments to the Personal Data Protection Act 2012 have been introduced in phases, bringing changes such as a mandatory data notification requirement and a new legitimate interests exception. For the former, companies now have an obligation to notify individuals that their personal data may be used or disclosed, and this must be done during or before the collection of such data. This extends similarly to notifications of data breaches, where the obligations are certainly welcome. An assessment must be conducted to determine whether the notification can be both reasonable and expeditious. This requires significant harm to individuals, such as a release of their full name or identification number. The organisation then has a duty to demonstrate that it has taken all the necessary steps to protect the individual. However, a limitation of these developments is that notifiability requires significant harm, a somewhat subjective assessment, and, further, notification is not required where remedial actions have occurred or appropriate technological measures have been undertaken. This unfortunately undermines transparency.
For the latter, an organisation can rely on the legitimate interests exception where the use or disclosure of personal data is in the legitimate interests of the organisation and those interests outweigh any adverse effects. This is welcomed, as the developments have introduced an objective standard for determining such legitimate interests, including the recovery of debt or evaluative purposes. Further, this introduces a requirement that an organisation must conduct an assessment of these interests and of whether they indeed outweigh any adverse consequences.
These amendments seek to achieve a wider public policy objective: to maintain accountability regarding personal data protection. The recent developments are certainly positive in introducing obligations, although they somewhat undermine transparency to the public, as many assessments can be conducted without notification. However, these advisory guidelines and their related regulations follow the core concepts of data privacy: consent, purpose, and reasonableness.
A ‘full spectrum’ approach in the UK
The UK has proposed an approach taking advantage of the digital revolution which focuses on partnerships within the security industry and better integration across defence and intelligence services. Whilst the Singapore approach innately focuses on personal data protection, the English approach can be described as ‘full spectrum’, focusing on security hazards that lead to costly breaches. This invites collaboration with defence and intelligence agencies to anticipate cyber threats. Therefore, the UK approach can be described as proactive whilst the Singaporean approach is rather more responsive in nature.
This is reflected in the UK’s 2022 National Cyber Security Strategy (NCSS), which, with funding of £2.6 billion, aims to address issues of national security in a preventative manner. It aims to develop such technologies as the UK Crypt-key, as well as domestic capabilities for core technologies, to reduce dependency on foreign technology. It is also focused on quantum technologies, blockchain technology and artificial intelligence, which are intended not only to be proactive for society but also to be used for law enforcement purposes.
However, it remains to be seen whether these changes will be effective. Previously, the government had introduced its 2016 National Cyber Security Strategy, which had been heavily criticised by the Public Accounts Committee for wasting funding and not providing enough evidence to measure its success. Seeing that the 2022 strategy has stated that it desires to build upon the progress from 2016, perhaps success will once again be hard to measure. It is certainly important that the government provides effective change here, due to the importance of cybersecurity extending to national policymaking, education strategies, legal reforms and foreign policy, amongst others. By strengthening the UK’s cyber ecosystem, and the same can be said for Singapore, both nations can not only be leaders of cybersecurity in the world, but also highly developing and successful nations due to its evident global significance.
In this sense, the UK is looking both forward and around regarding cybersecurity; the areas it can affect are certainly endless and must be addressed rapidly. By establishing new organisations, such as the NCSS, to tackle the ever-evolving technologies and subsequently protect other sectors, the UK aims to be a self-established world leader in cyber technology.
Conclusion: The Future of Cybersecurity
Both the UK and Singapore have developed cybersecurity regulations following recent attacks (such as the infiltration of the SingHealth databases) and a general exponential growth in technology startups. To promote a “free, open, peaceful and secure cyberspace”, both the UK and Singapore have sought to resolve the differing data privacy standards across jurisdictions by signing a joint statement to build greater security into sensors and other IoT devices. This represents a collaborative effort between both jurisdictions to improve collective cybersecurity. However, the Singaporean approach to cybersecurity is one that is inherently responsive to attacks, whilst the UK approach looks ahead to the potentially catastrophic effects of cybercrime developments. It is submitted that the UK approach is one that is beneficial, not only for increasing the capabilities of cyber defence but also as one that allows nations to be self-reliant on domestic technologies rather than outsourcing.
1. Cyber Security Agency of Singapore. (n.d.). Retrieved June 2, 2022, from https://www.csa.gov.sg/-/media/csa/documents/publications/singaporecyberlandscape2019.pdf
2. Section 20, Personal Data Protection Act 2012
3. Sections 26A - 26E, Ibid
4. Section 3(1), Personal Data Protection (Notification of Data Breaches) Regulations 2021
5. Guide on managing and notifying data breaches - PDPC. (n.d.). Retrieved June 2, 2022, from https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en
6. Part 3, First Schedule, Personal Data Protection Act 2012
7. Targett, E. (2022, January 7). UK's 2022 National Cyber Security Strategy: The top 10 takeaways. The Stack. Retrieved June 3, 2022, from https://thestack.technology/uks-2022-national-cyber-security-strategy/
8. National Cyber Strategy 2022. GOV.UK. (n.d.). Retrieved June 3, 2022, from https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
9. Goslin, L. M. and C. (2022, March 4). Assessing the aims of the Government Cyber Security Strategy. ComputerWeekly.com. Retrieved June 3, 2022, from https://www.computerweekly.com/opinion/Assessing-the-aims-of-the-Government-Cyber-Security-Strategy
10. Dissecting the 2022 UK cyber security strategy: The 'whole of society' approach. CircleID Master. (n.d.). Retrieved June 3, 2022, from https://circleid.com/posts/20220116-dissecting-the-2022-uk-cyber-security-strategy-the-whole-of-society-approach