In a recent article, The Cybersecurity of Gen-AI and LLMs: Current Issues and Concerns, the Cyber Security Agency of Singapore provides helpful commentary on the security and privacy challenges associated with generative artificial intelligence and large language models. The article outlines issues such as accidental data leaks, vulnerabilities in AI-generated code and potential misuse of AI by malicious actors, before providing recommendations on the steps that technology companies can take to address these concerns.
The Cyber Security Agency (CSA) has just released Guidelines on Securing AI Systems (“Guidelines”) and a Companion Guide on Securing AI Systems (“Companion Guide”).
The Guidelines advocate for a “secure by design” and “secure by default” approach, addressing both existing cybersecurity threats and emerging risks, such as adversarial machine learning. The aim is to provide system owners with principles for raising awareness and implementing security controls throughout the AI lifecycle.
The Companion Guide is an open-collaboration resource, and while not mandatory, it offers guidance on useful measures and controls informed by industry best practices, academic insights and resources such as the MITRE ATLAS database and OWASP Top 10 for Machine Learning and Generative AI.
On 8 June 2024, the Electric Vehicles Charging (Licensing) (Amendment) Regulations 2024 (“Amendments”) came into operation. The Amendments introduce a new Regulation 4A into the Electric Vehicles Charging (Licensing) Regulations 2023 (“Regulations”), which prescribes the types of insurance Electric Vehicle Charging Operators (EVCOs) must have and maintain before EVCOs can be granted a licence to provide EV charging services in Singapore or operate an EV charging station under Sections 45(2)(f) and 45(3) of the Electric Vehicles Charging Act 2022.
Following the publication of the proposed Framework in January 2024 and the feedback received from various stakeholders, the finalized Model AI Governance Framework for Generative AI was released on 30 May 2024 by the Infocommunications Media Development Authority (IMDA) and AI Verify Foundation. The Framework expands upon the Model AI Governance Framework last updated in 2020.
The Singapore Parliament has passed the Cybersecurity (Amendment) Bill (“Bill”) amending the Cybersecurity Act 2018 (“Act”). The Act, which formerly only regulated Critical Information Infrastructure (CII), has been expanded significantly to cover a wider range of entities. Reporting obligations have been expanded. Finally, the penalty regime has also been revised, and the Cybersecurity Agency of Singapore may now issue civil penalties in place of criminal penalties, with the maximum quantum of penalties significantly increased to up to 10% of the annual turnover of the entity in Singapore.
On 2 April 2024, the Cyber Security Agency of Singapore issued its closing note to the Public Consultation on the Cybersecurity (Amendment) Bill (“Bill”). The Public Consultation on the draft Bill was held from 15 December 2023 to 15 January 2024. The CSA First Reading of the Bill took place on 3 April 2024. The Second Reading of the Bill is slated to take place on 7 May 2024.
The Personal Data Protection Commission (PDPC) has issued the finalized Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (“Guidelines”). These Guidelines provide guidance on the use of personal data during three stages of AI system implementation: development, deployment (business-to-consumers) and procurement (business-to-business). In particular, the Guidelines clarify and elaborate on the application of the Consent Obligation and Notification Obligation, and their exceptions, under the Personal Data Protection Act (PDPA) to the use of personal data in AI systems.
The Ministry of Communications and Information has announced that the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services is studying the introduction of a Digital Infrastructure Act (DIA). The DIA builds on the Cybersecurity Act and aims to enhance the resilience and security of the digital infrastructure in Singapore. The scope of the DIA goes beyond cybersecurity and touches on other risks that may affect resilience.
The Online Criminal Harms Act (OCHA) was introduced in Parliament on 8 May 2023 and passed on 5 July 2023. It has commenced in part on 1 February 2024. Under the OCHA, five types of government directions may be issued to deal with criminal online activities. These directions can be issued to communicators of criminal content, online service providers, and internet service providers. Provisions on the issuance of codes of practice and directives in partnership with online services will come into force at a later stage.
The Cyber Security Agency has published a consultation paper on the proposed Cybersecurity (Amendment) Bill, which would amend the Cybersecurity Act 2018. The CAB seeks to strengthen the legal framework governing the maintenance of national cybersecurity in Singapore, against the pressing need for legislation to effectively address the fast-developing technological environment.