MCI response to PQ on cybersecurity for citizens as more apps are launched
Parliament Sitting on 4 January 2021
QUESTION FOR WRITTEN ANSWER
- Mr Chong Kee Hiong: To ask the Minister for Communications and Information in view of the increasing number of phone apps launched by government and commercial organisations, including financial institutions such as banks and insurance companies, healthcare institutions, telecommunications and transport providers, and retailers (a) what measures are in place to (i) ensure that these apps meet quality and cybersecurity standards to minimise the risk of hackers exploiting programming bugs (ii) protect the privacy of users and (iii) ensure that non-app users are not discriminated against through differentiated charges or deprivation of benefits; and (b) how can the right to receive written and printed communications from both public and private organisations be protected.
Answer:
- The Government has put in place measures to strengthen consumer protection and support individuals to participate in the Digital Economy as more services move online, and regularly reviews its policies.
- Mobile applications launched by the Government adhere to secure coding standards in the Government Instruction Manual. The applications also go through strict and robust cybersecurity processes and validation, including security penetration testing to identify and rectify vulnerabilities. Selected applications with high user traffic are also placed on the Government Bug Bounty Programme, where they will be subject to security penetration testing by external researchers in the cybersecurity community and industry.
- While the Government does not directly regulate the development of applications launched by the private sector, applications developed by organisations in Critical Information Infrastructure (CII) sectors such as banking and finance, healthcare, telecommunications, and transport, need to abide by sectoral and corporate guidelines on cybersecurity processes and measures. The Cyber Security Agency of Singapore (CSA) actively supports and partners CII owners and sector leads to build up their capabilities to adhere to these guidelines.
- Public sector and private sector organisations are also required to abide by data protection requirements prescribed under the Public Sector (Governance) Act (PSGA) and the Government Instruction Manual for the former; and the Personal Data Protection Act (PDPA) for the latter. Both the PSGA and the PDPA hold individuals accountable for the egregious mishandling of personal data. Those found guilty of recklessly or intentionally disclosing the data without authorisation, misusing the data for gain, or re-identifying anonymised data without authorisation may be subject to a fine of up to $5,000 or imprisonment of up to two years, or to both.
- To support private sector organisations in complying with their data protection obligations, the Personal Data Protection Commission (PDPC) has published guides specifically to help IT managers, architects and developers to build data protection measures into software and applications at the onset. These include the “Data Protection by Design for ICT Systems” and the “People Centric Approach to Notice, Consent and Disclosure”, which were co-created with start-ups and real-world business examples. The PDPC will continue to help organisations build data protection capabilities through training programmes and resources such as guidelines, tools, and templates.
- Individuals also have an important role to play in protecting themselves against mobile cybersecurity threats and data misuse by only downloading applications from the official Play Store and App Store and reviewing security permissions required by applications.
- Individuals should have the option to receive communications and to transact through channels other than an application. The Government is studying the matter and will actively address these concerns in partnership with the private and people sectors, and update regulations where necessary.