Australia and Singapore agreement shows potential for cybersecurity cooperation elsewhere, says expert

Out-Law Analysis | 21 Aug 2017 | 10:22 am | 5 min. read

ANALYSIS: A recent agreement signed between Australia and Singapore which will see the two countries work together to address cyber risks is a blueprint for similar collaborations across the globe.

The recent high-profile WannaCry and Petya cyber attacks are examples of the widespread impact such attacks have on businesses and other organisations across different sectors of the economy and in all regions of the world. Cyber risk is therefore a global issue that requires a global response.

To work effectively, however, cybersecurity cooperation agreements between countries require stable governments on both sides, as well as strong political and people-to-people connections. This is reflected in relations between Australia and Singapore.

The roots for successful collaboration in cybersecurity

Australia and Singapore are strong regional partners. Australian troops defended Singapore, at high cost, in World War 2 and then came to the defence of Malaya during the Indonesian Confrontation. Monuments around Singapore bear testament to the sacrifices made. Australia was also the first country to recognise Singapore upon Singapore gaining independence.

The close relationship is also reflected at an economic and political level. Australia's High Commission in Singapore has described Australia's relationship with Singapore as "one of Australia's closest and most comprehensive in southeast Asia". That relationship is "based on long-standing Commonwealth, defence, education, political, trade and tourism links, as well as on the two countries' similar strategic outlook", it has said. This has resulted in the two countries entering into a comprehensive strategic partnership covering the areas of trade, defence, innovation and policing.

A free trade agreement helps support business between the two countries. According to official statistics from Australia's Trade and Investments Commission, the value of Singaporean exports to Australia exceeds AU$13 billion a year, while Australian exports to Singapore amount to nearly AU$10bn. The Singapore-Australia Free Trade Agreement reflects that relationship and has deeper commitments than the ASEAN-Australia-New Zealand Free Trade Agreement.

Australia and Singapore are also partners in matters of security. At the moment, Australia is mulling over the significant expansion of training grounds for the Singapore military. The countries have also signed memorandums of understanding previously on the sharing of military intelligence.

The groundswell of goodwill and the politics therefore support collaboration on cybersecurity issues, which both countries, like many others, have already sought to address at national level.

Australia and Singapore's efforts to address cyber risks

In recent months in Australia, for example, new data breach notification laws were introduced which require businesses to report some data breaches to Australia's privacy commissioner and affected customers too.

While some exemptions could apply, an Australian government memorandum explained that the notification duties would generally apply where personal information has been compromised and "where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred)".

Examples of the type of instances where notification would be required include where there has been a malicious breach of the secure storage and handling of information, accidental loss of IT equipment or hard copy documents, or a negligent or improper disclosure of information, it said in February.

The new laws reflect the fact that personal data is often the target for hackers due to its increasing value and relevance in the context of the digital economy. They are also a response to the growing number of cyber attacks faced by businesses – Australia's Cyber Security Centre (ACSC) said in April that almost all Australian organisations were affected by cybersecurity attacks in 2015-2016, with 90% reporting an attempted or successful attempt.

In recognising the global skills shortage in cyber, Australia has also committed funding to universities in the country to use towards cybersecurity training.

Universities can apply to be recognised as Academic Centres of Cyber Security Excellence (ACCSE) for providing specialised training on cybersecurity under the initiative, which is part of a broader AU$230 million cybersecurity strategy being implemented in the country.

Earlier this year, Australia also announced a new agreement had been put in place with China which would see the two countries cooperate on cybersecurity to protect intellectual property (IP) and business information.

Singapore has been similarly active in ramping up its efforts to address cyber risk.

In October last year, the Cyber Security Agency of Singapore (CSA) set out a new cybersecurity strategy aimed at strengthening the country's IT infrastructure, and increasing cybersecurity capabilities and collaboration with other countries.

Building on that announcement, Singapore launched a new S$10m ASEAN cyber capacity programme (ACCP) to help build cross-border competence in areas such as incident response and build confidence in technical cybersecurity measures. The new fund will pay for resources, expertise and training, Singapore's minister for communications and information Yaacob Ibrahim said.

The ACCP is a recognition by the Singapore government of the need to share information at an international level. Information sharing is also a central strand of new laws being considered in a proposed new Cybersecurity Bill, which is due to be implemented by the end of 2017.

As well as beefing up cybersecurity obligations on businesses, the new legislation is also expected to give the government the power to audit the cybersecurity measures implemented by organisations operating in certain sectors of the economy.

The government in Singapore also moved earlier this year to update the country's existing Computer Misuse and Cybersecurity Act, to criminalise the use of hacking tools in Singapore and discourage businesses that come across databases of personal data stolen from other organisations from retaining that data or sharing it with others.

The cybersecurity cooperation agreement between Australia and Singapore

So it was in the context of close economic and political ties, and broad consensus on cybersecurity risks, that officials from Australia and Singapore penned a new memorandum of understanding on strengthening cybersecurity cooperation on 2 June. The agreement was finalised at a meeting at the Istana, the official residence of Singapore's president. The terms of the agreement will stand for two years.

According to details published about the agreement by the Cyber Security Agency of Singapore (CSA), cooperation will "focus on the protection of critical information infrastructure", which it is fair to say will include banking systems pivotal to the economy, the systems used to operate major energy and transport networks, as well as health systems.

The two countries will participate in "joint cybersecurity exercises" to test the resilience of those systems and pool resources.

In addition, the nations will regularly share information with one another on "cybersecurity incidents and threats", as well as "best practices to promote innovation in cybersecurity".

Australia and Singapore will also work together on training people to build their "cybersecurity skillsets" and collaborate on "regional cyber capacity building and confidence building measures", the CSA said.

To kick-start the new agreement, the countries plan to host a "cyber-risk reduction workshop" for all the countries in the Association of Southeast Asian Nations (ASEAN) at the end of this year.

David Koh, chief executive of the CSA, said at the time the agreement was signed that Singapore and Australia "share close bilateral relations and … have a shared vision that cybersecurity is an enabler which supports innovation, economic growth and social development".

Cybersecurity is the new scourge facing countries around the world. The need to address the vulnerabilities exposed by a borderless threat requires coordination across borders. Singapore, which recently took top spot in the International Telecommunications Union ranking for cybersecurity strategy, has demonstrated that it has taken, and will continue to take, steps to ensure that it is as safe as possible from the threat of cybersecurity incidents. These would include working with trusted counterparts to arrive at mutually beneficial outcomes; after all, the chain is only as strong as its weakest link. It is in such circumstances that other countries with close relations around the world should seek to cooperate on addressing cyber risk too.

Bryan Tan is a technology law expert at Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com. This article was first published by Cyber Security Practitioner in its July 2017 edition.