The Computer Misuse and Cybersecurity (Amendment) Bill was introduced for First Reading in Parliament today.
Background
2. The Computer Misuse Act (CMA) was enacted in 1993 to criminalise unauthorised access or modification of computer material, and other computer crimes. The Act was amended twice between 1994 and 2012 to, amongst other things, introduce new offences to keep pace with changes in criminal behaviour. In 2013, the CMA was amended to include cybersecurity measures and renamed the Computer Misuse and Cybersecurity Act (CMCA).
3. The Bill seeks to amend the CMCA to tackle the increasing scale and transnational nature of cybercrime, as well as the evolving tactics of cybercriminals.
4. In developing this Bill, we had consulted businesses and professionals in the internet services and cybersecurity industries, and have taken their views into account.
Key Amendments
5. The key proposed amendments are summarised below:
- Criminalise the act of dealing in personal information obtained via an act in contravention of the CMCA
Criminals may use personal information obtained illegally from a computer (e.g. hacking) to commit or facilitate the commission of crimes (e.g. identity fraud).[1] For example, criminals may trade hacked credit card information even though they themselves may not have been responsible for hacking the credit card information. This amendment makes it an offence for persons to obtain or deal in such personal information for illegitimate purposes.
- Criminalise the act of dealing in items capable of being used to commit a CMCA offence
Criminals could gain easy access to items that are capable of facilitating the illegal access of a computer (commonly known as hacking tools). Examples of such hacking tools include malware and port scanners, which can be readily obtained online.
This amendment criminalises the act of obtaining such items to commit or facilitate the commission of a computer offence, as well as the act of dealing in such items, intending it to be used for committing or facilitating the commission of a computer offence.
- Extraterritorial application of CMCA offences with "serious harm" to Singapore
Currently, it is not an offence under the CMCA if the perpetrator commits a criminal act while overseas, against a computer located overseas, even if the impact is felt within Singapore.
This amendment makes this an offence under the CMCA, if the act causes or creates a significant risk of serious harm in Singapore. Serious harm in Singapore would include, among other things, illness, injury or death of individuals in Singapore, as well as disruptions to essential services in Singapore.
- Amalgamate charges for CMCA offences
Cybercriminals may conduct multiple unauthorised acts against a computer over a period of time. This amendment allows for multiple acts of a similar nature to be amalgamated as a single charge. This allows the attack to be appropriately described as a whole, rather than as a series of acts. It also allows for the application of enhanced penalties when the combined acts result in high aggregate damage.
[1] The following acts are prohibited under Sections 3 to 8 of the CMCA:
-
Unauthorised access to computer material;
-
Access with intent to commit or facilitate commission of offence;
-
Unauthorised modification of computer material;
-
Unauthorised interception of computer service;
-
Unauthorised obstruction of use of computer; and
-
Unauthorised disclosure of access code.