Singapore Introduces Cybersecurity Labelling Scheme

By Jeremy Tan, Loren Leung, Tobias Bräutigam

04-2020

On 3 March 2020, the Cybersecurity Agency of Singapore ("CSA") introduced the Cybersecurity Labelling Scheme ("CLS") as part of Singapore's Safer Cyberspace Masterplan.

The CLS will initially be launched as a voluntary scheme and will apply to network-connected consumer smart devices or Consumer Internet of Things, and is designed to help secure Singapore's cyberspace. Under the CLS, cybersecurity labelling will indicate the level of cybersecurity reflecting the security features of the smart devices. This is designed to help consumers make more informed decisions about their devices and better understand their exposure to cyber risks, while incentivising manufacturers to develop more secure products. The CLS will initially focus on WiFi routers and smart home hubs with assessments and tests on:

i) Meeting basic security requirements such as ensuring unique default passwords;
ii) Adherence to the principles of Security-by-Design;
iii) Absence of common software vulnerabilities; and
iv) Resistance to basic penetration testing.

The CLS is the first such cybersecurity labelling scheme to be announced in the Asia-Pacific region. In November 2019, the Finnish Transport and Communications Agency Traficom launched its cybersecurity labelling programme based on the draft European Standard EN 303 645 'Cyber Security for Consumer Internet of Things' ("Draft EU Standard") with the label already awarded to pilot projects with Cozify (Cozify Hub – a device for smart homes), DNA (Wattinen – a smart heating system) and Polar (Polar Ignite – a fitness smartwatch). Traficom is expecting around ten more companies will be awarded a cybersecurity label in the coming months, and has observed that the amount of applications is increasing. Traficom has indicated that there is a need for more resources in order to examine the applications and adequacy of the companies – a clear signal that the cybersecurity labelling programme has attracted interest among tech companies.

The introduction of the CLS is in line with the establishment of the EU certification framework for digital products and services under the EU Cybersecurity Act. The EU certification framework is designed to be a comprehensive, EU-wide scheme which applies to specified products and services. The cybersecurity certificate would be required to specify the assurance level (basic, substantial or high), taking into account the intended use of the product or service in terms of the probability of and potential impact of an incident. The certificate will be recognised in all EU Member States.

Accordingly, device manufacturers may see a reduced need for duplicated testing and certification as the CLS is expected to be aligned with the Draft EU Standard and other widely-accepted global security standards. The Draft EU Standard is itself developed from the European Telecommunications Standards technical standard TS 103 645 and is built upon 13 outcome-focussed principles:

i) No universal default passwords;
ii) Implement a means to manage reports of vulnerabilities;
iii) Keep software updated;
iv) Securely store sensitive security parameters;
v) Communicate securely;
vi) Minimize exposed attack surfaces;
vii) Ensure software integrity;
viii) Ensure that personal data is protected;
ix) Make systems resilient to outages;
x) Examine system telemetry data;
xi) Make it easy for consumers to delete personal data;
xii) Make installation and maintenance of devices easy;
xiii) Validate input data.

Further details on the CLS and Singapore's broader Safer Cyberspace Masterplan are expected in due course.

This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please contact our lawyers if you have any specific queries.