Cybersecurity: Emerging Issues, Trends, Technologies and Threats in 2015 and Beyond

Edited Volume, March 2016
Edited by Caitriona Heinl and Eugene EG Tan
Centre of Excellence for National Security (CENS)

This edited volume presents preliminary articles to stimulate comment and discussion. The views expressed in the articles are entirely those of the authors, and do not represent the official position of the S. Rajaratnam School of International Studies.

Foreword

This collection of short commentaries presents views on many of the on-going debates relating to cybersecurity policy. The authors include government practitioners and leading academics who addressed the Centre of Excellence for National Security workshop on "Cybersecurity: Emerging Issues, Trends, Technologies and Threats in 2015 and Beyond" on 20-21 July 2015. The workshop focused on the possible implications of these debates for countries like Singapore and the wider Southeast Asia/Asia Pacific region, particularly in terms of the regulatory, operational and governance domains. The quality of contributions at the workshop led to the decision to publish them here. These edited commentaries, which are based on the workshop presentations, have been expanded to provide greater depth to the arguments originally made in the presentations.

Table of Contents

A New Cybersecurity Paradigm (p. 3)
Daniel Castro, Vice President, Information Technology & Innovation Foundation

Should We Rein in the Powers of the State by Restricting its Surveillance Powers, or Do Some of our Own Monitoring by Expanding Those Powers Still Further? (p. 11)
Simon Chesterman, Dean, Faculty of Law, National University of Singapore

Balancing National Security Needs with Data Privacy and Freedom of Expression Concerns: Singapore's Perspective (p. 19)
Bryan Tan, Partner, Pinsent Masons MPillay LLP, Singapore

Securing Singapore's Smart City From Emerging Cyber Threats (p. 27)
Michael Mylrea, Manager for Cybersecurity and Energy Infrastructure, Pacific Northwest National Laboratory; National Science Foundation Executive Cyber Security Doctoral Fellow, George Washington University

Challenges and Opportunities for Better Communication, Cooperation and Collaboration in International Cybersecurity in Asia (p. 33)
Yono Reksoprodjo, Lecturer and Researcher on Asymmetric Strategy Studies, Indonesia Defense University (UNHAN)

Global Implications of the United States-China Cyber Relationship (p. 39)
Jason Healey, Senior Research Scholar, Columbia University's School of International and Public Affairs

Cyber Relations between the United States and China: A Chinese Perspective (p. 47)
Zhu Qichao, Director and Professor of the Center for National Security and Strategic Studies (CNSSS), National University of Defense Technology, China

Lethal Autonomous and Cyber Weapons: Do They Challenge International Humanitarian Law? (p. 57)
William H Boothby, Air Commodore (Retired)

Technology, Threats and Trust in an Interconnected World (p. 67)
Robert J. Butler, Senior Advisor to The Chertoff Group

The European Union's Approach to Cybersecurity and Defence (p. 73)
Wolfgang Röhrig, Programme Manager, Cyber Defence at the European Defence Agency

Cybersecurity and Cybercrime: Philippine Perspectives and Strategies (p. 89)
Geronimo L. Sy, Assistant Secretary and Head, Office of Cybercrime, Department of Justice

Cybersecurity Trends and Issues: A Singapore Perspective (p. 99)
John Yong, Director, Infocomm Security Group, Infocomm Development Authority of Singapore

Contributors' Biographies (p. 107)

About CENS, RSIS, and NSCS (p. 117)

A New Cybersecurity Paradigm
Daniel Castro, Vice President, Information Technology & Innovation Foundation

Around the world, cybersecurity has taken on a new urgency as the digital economy has matured over the past decade, and businesses and consumers are more reliant than ever on information systems. Moreover, the importance of cybersecurity continues to grow each day with the emergence of a new wave of cyber-physical systems that make up the Internet of Things, including wearables, "smart" devices for the home, autonomous vehicles, and unmanned aerial systems (also known as drones). Yet against this backdrop of digital transformation, it is increasingly clear that both the public and private sectors are failing to keep pace with cybersecurity threats.

To address this pervasive problem, governments around the world need to fundamentally realign their cybersecurity efforts to address this new reality.

The problem

The failure of today's approach to cybersecurity is evident in the news headlines. Within the past year, numerous businesses around the world have fallen victim to both state and non-state hackers, including well-known companies such as Target, Sony, and HSBC, resulting in millions of records about consumers being exposed.

Exposure to these attacks is partially the result of a market failure: companies are not investing sufficient resources in cybersecurity because they do not suffer all of the harmful consequences of a successful attack. As long as these negative externalities are not addressed, the private sector will spend less than it should on cybersecurity.

In addition, governments around the world have also failed to secure their systems. Most notably, the U.S. government has not been immune to these threats. Last year, the Office of Personnel Management (OPM) revealed that it had been the victim of one of the most extensive cyber attacks in U.S. government history, in which hackers obtained the sensitive information of 22.1 million federal employees, contractors, and their friends and families. The OPM attack was successful because the agency had poor cybersecurity practices; the attack could have been prevented. This hack is a public management failure that has resulted from the U.S. government becoming apathetic towards cybersecurity and tolerating poor performance. As long as senior government leaders are not held accountable for cybersecurity vulnerabilities, this culture of indifference will continue unabated.

The obstacles

Unfortunately, some of the major government efforts to improve cybersecurity have been misguided. First, national security interests often trump economic considerations. In the United States, this dynamic has played out in both the intelligence community's decision to engage in widespread surveillance and the on-going debate over strong encryption. In both cases the intelligence community and law enforcement have argued for actions that have jeopardised the economic interests of the nation. For example, the Snowden documents revealed that the NSA likely weakened cryptographic standards in an effort to enable more surveillance.

The NSA's excessive surveillance practices, while possibly providing important intelligence on the threats from cyber attacks, have likely cost U.S. businesses more than US$35 billion, as numerous foreign buyers of U.S. technology have turned elsewhere for products and services because they fear that buying from a U.S. company exposes them to unnecessary risk. The net result has been less overall security and serious economic consequences for the U.S. tech sector.

More recently, the Director of the Federal Bureau of Investigation, among other senior government officials, has argued that U.S. companies should not be using strong encryption that does not include a backdoor to allow government access. If such a policy were adopted, it would not only leave consumers less secure but would also send foreign buyers of U.S. technology to other overseas providers. This same debate over encryption is playing out in other countries as well, with economic considerations often taking a secondary level of importance.

Second, where economic interests have played a role in decisions about cybersecurity, it has often been to support protectionist policies. Some countries have incorrectly argued that the only way to ensure good security is to produce products and services domestically, or to subject them to domestic security reviews. In addition, a number of countries have begun considering or implementing data localisation policies that require data to stay within a country's borders or be processed domestically.

There are many examples of these anticompetitive policies, such as China's removal of many foreign businesses from its Central Government Procurement Center's list, India's Internet of Things strategy, which puts companies making smart devices on its Preferred Market Access list, and Russia's data localisation requirements. In fact, the best way to secure data is not to keep it local but to store it on the most secure systems. Unfortunately, all of these policies have the net impact of making it more difficult for the public and private sectors to access the more secure technology, by raising the cost of imported information technology products and services, reducing competition, and locking out foreign producers.

The solution

The basic assumption of most governments is that they are best positioned if their own systems are secure but everyone else's systems are penetrable. For example, if an intelligence agency discovers a new vulnerability, it may choose not to disclose this information so that it can exploit the weakness. This mindset has led to policies that do little to disrupt the obvious cybersecurity failings in industry and government, and it discourages cooperation. Rather than continuing with this adversarial approach, all nations should look at cybersecurity as a communal goal, like global peace, that everyone benefits from. With that in mind, nations should come together to work collaboratively on cybersecurity and endorse the position that the role of government should be to strengthen, not weaken, cybersecurity. This collaboration should involve joint investment in finding solutions to common cybersecurity problems and better cooperation between law enforcement agencies to enable cross-border investigations of cybercrime. No nation should be allowed to become a safe haven for hackers without international repercussions.

In particular, governments should focus on a dual-pronged approach of improving both defensive capabilities and resiliency. On the defensive side, governments should focus on hardening systems to lower the risk of a successful attack. In particular, governments should work with the private sector to identify instances where organisations are failing to take the protective measures they should, and ensure that these measures are taken. Just as companies cannot operate in violation of a fire code or worker safety laws, neither should they be operating with known security problems.

On the resiliency side, governments should help develop better capabilities for reducing mistakes that arise from changes made to complex information systems. A number of recent high-profile computer system and network failures, such as those at the New York Stock Exchange and United Airlines, were not the result of cyber attacks but of insufficient resiliency in highly complex systems.

The goal of government intervention should be to make it easy, cheap, and desirable for the private sector to do cybersecurity well. Moreover, given the market failures discussed previously, governments cannot entrust cybersecurity exclusively to the private sector. For example, government agencies should provide funding for cybersecurity research to address underinvestment in this area by the private sector. Government agencies should also take an active role in assisting the private sector in improving its cybersecurity efforts, such as by having government-funded researchers work closely with the private sector to identify and eliminate threats. Government agencies should also share their knowledge about best practices with the private sector, especially with small businesses, which may not have the cybersecurity expertise of larger organisations. For example, government agencies can release their own security assessments of the IT service providers and products they use, so that others can leverage this knowledge when making purchasing decisions.

Regulators can also play a greater role in promoting cybersecurity innovation. In particular, enforcement actions should use penalties to ensure that companies have an incentive to protect consumers from harm. For example, a company that suffers a data breach but has encrypted its customer data so that no personally identifiable information is exposed would not suffer a penalty, whereas a company that did not take this step to protect its customers would face one. The goal of regulatory policy should be to shift company resources so that they are not merely trying to meet a compliance threshold but are actually making consumers better off.

Finally, we need structural change in how governments develop cybersecurity policy. Senior government officials need to stop ignoring the economic consequences of cybersecurity policy decisions. Bringing the business community and trade policy specialists into cybersecurity policy decisions will provide a more balanced debate, so that decisions are not made that put the needs of law enforcement and the intelligence community above all others or that allow protectionist policies to stand unchallenged.

For example, policymakers need to create rules for a well-functioning global market for IT that encourages countries to come together to establish a common hardware and software certification process. Achieving this will require setting up strong accountability measures and creating strong mechanisms to discourage cheating. For example, countries could agree to international, rather than national, security testing standards and establish a principle that if a company's products are later discovered to have backdoors in them, then that company will be blacklisted.

Conclusion

In short, addressing the cybersecurity threats of tomorrow will require a fundamental realignment of how government has approached this problem until now, as well as strong leadership to overcome existing market and government failures and navigate the barriers that have impeded progress in the past.

Given the importance of cybersecurity to the digital economy, countries should come together to face these challenges and create a new paradigm for building secure and resilient systems.

Should We Rein in the Powers of the State by Restricting its Surveillance Powers, or Do Some of our Own Monitoring by Expanding Those Powers Still Further? [1]
Simon Chesterman, Dean, Faculty of Law, National University of Singapore

In early 2015, it was announced that officers from Singapore's Bukit Merah West Neighbourhood Police Centre (NPC) would begin trials of body-worn cameras. The aim is to have cameras in use at half a dozen NPCs in 2015 and island-wide by June 2016.

The cameras are worn visibly and have an indicator that shows when they are recording. Data cannot be downloaded without proper authorisation and, in the absence of an on-going investigation, will be deleted after 31 days. During the 2015 budget debate, Second Minister for Home Affairs S Iswaran memorably described the cameras as "light, compact and not too sinister-looking".

How do we evaluate the decision to use such devices? [2]

Under an on-going European Union project ("Surveille") that examines the ethical, legal, and practical issues involved in the use of surveillance technologies for the prevention, investigation and prosecution of terrorist activities and serious crime, two basic aims have been explored: 1) to map the surveillance technology that is currently being deployed in Europe and elsewhere; and 2) to assess the costs and benefits of using that technology. In essence, this project has aimed to get a picture of what is happening and why.

Neither is simple, but it turns out that the "what" is easier to answer than the "why". Surveillance is now a multibillion-dollar industry. Publicly available figures show tens of billions of dollars being spent annually on video surveillance and interception of emails, telephone calls, and other messages. Forbes magazine has predicted a tenfold growth in the IT security industry over the next ten years. Such investments represent a cost in terms of dollars as well as in terms of lost privacy, but how do we assess the asserted benefits?

Security vs liberty?

Unfortunately, this is not an area in which decisions are always rational. The debate is often framed as the need to balance a supposed tension between security and liberty. The problem is that, when framed like this, liberty, and privacy in particular, always loses.

This is partly because the side of liberty is often reduced to platitudes. Soon after the September 11 attacks in the United States, for example, senators were debating the USA PATRIOT Act's surveillance powers. One of the senators invoked a founding father: "As Ben Franklin once noted, 'if we surrender our liberty in the name of security, we shall have neither.'" But he misquoted Franklin, who was more nuanced. What Franklin actually said was: "Those who would give up essential Liberty to purchase a little temporary Safety deserve neither Liberty nor Safety."

The costs and the benefits of surveillance

It is hoped that debates within Europe and elsewhere about surveillance technology will be better informed by a matrix produced by the Surveille Project that quantifies the effectiveness, ethics, and legality of surveillance technology.

In terms of effectiveness, the matrix scores a given technology based on its ability to achieve its stated goal, its cost, design features that limit intrusions on privacy, and overall excellence as demonstrated in the field. Ethical considerations go beyond the strict letter of the law and include the nature of the harm to be prevented, the reliability of evidence, and the imminence of the threat. The criterion of legality includes the justification for surveillance, the necessity of using intrusive methods if less intrusive methods are available, and the proportionality of the action relative to the harm to be prevented.

These factors are intended to help policy-makers engage in a genuine cost-benefit analysis that does not rely on vague concepts of liberty and security. The approach also recognises that liberty and security are not mutually exclusive. Some things that might seem to increase security in the short term, such as profiling certain classes of individuals, can actually create the problem they are intended to address, as when profiled groups become more marginalised as a result of being targeted.

Two types of problem still linger, however. The first is that agents of the state, like everyone else, often suffer from cognitive biases. It is not hard to imagine how a bureaucrat, for example, when faced with a proposal to use an intrusive new technology against a severe but remote threat, might prefer to allow it. Would you prefer to be criticised for some vague intrusion on privacy rights, or for letting the next shoe-bomber onto an airplane? For this reason, many such decisions are referred to judges in the hope that they will be more detached in their assessment. Secondly, even when the violation of rights is considered as a factor, the limitation of that violation to a certain class of persons means that the decision-maker, and often the majority of the public, do not worry that it will affect them directly. This could be seen, for example, in the American public's blasé attitude towards surveillance of potential terrorists, until Edward Snowden revealed that the American government had expanded that set to include almost everyone.

More surveillance, more accountability?

Moving forward, it seems unlikely that the surveillance technologies that have already been deployed will be removed. However, if the power of the state to watch over us cannot be reduced, there is an alternative approach to reining it in: increase that power further.

In the United States, for example, a series of police killings of unarmed black men over the past year have led to calls for greater oversight. After Michael Brown was killed in Ferguson, Missouri, in August 2014, there were disputed accounts of the circumstances of his death. In December, President Obama sought funds to pay for more than 50,000 body-worn cameras to be used across the United States. And a US$20 million pilot programme was announced by the new Attorney General in 2015.

The funding came three weeks after another man, 50-year-old Walter Scott, was filmed being shot in the back as he ran away from officer Michael Slager, who had pulled Scott over for a broken tail light. That video was taken by a passer-by on a handphone, but it led to widespread outrage and showed the potential benefit of more cameras. In the face of such evidence, the officer was sacked and charged with murder.

It is possible, then, that such technology can do more than serve the interests of the state in helping to keep the public safe. It can also play a role in ensuring that the powers of the state are exercised properly and with greater transparency. However, this will only happen if there are safeguards to prevent selective use of that technology.

In Singapore, for example, greater use of cameras by police might have offered more clarity on controversial incidents such as the riots in Little India in December 2013, or the death of Dinesh Raman while in custody in September 2010.

If the body-worn cameras are successful, it might also lead to a reconsideration of video-recording statements to police. As MPs Hri Kumar and Sylvia Lim have both argued in Parliament, this could reduce the need for the courts to spend time evaluating whether statements by the accused and witnesses were accurately recorded, a particular concern given several high-profile cases in which defendants alleged that they were coerced by the police. In the absence of such recording, as Professor Ho Hock Lai explained in the Singapore Journal of Legal Studies, it is all the more important to strengthen the right of an accused to have access to a lawyer.

A further concern is ensuring that such surveillance devices are not misused by third parties. The security firm iPower recently warned that it had found the Conficker worm on police body cameras in Florida. The dangers of body cameras being infected with malware range from casting doubt on their veracity as evidence in criminal trials to the possible redirection of surveillance data to unauthorised individuals.

"Not Too Sinister"

When opening the new Police Operations Command Centre in early 2015, the Prime Minister of Singapore, Lee Hsien Loong, posted a photo of himself on Facebook holding one of the new body-worn cameras. "No more 'I say/you say' disputes over what happened", he wrote, adding a smiley face emoji.

The Prime Minister is right, of course. But as we prepare for the deployment of yet more surveillance technology, it will be important to ensure that those cameras keep an eye on the state as well as on us.

[1] This article draws heavily upon an article first published in the Straits Times on 6 May 2015 as "To Monitor Citizens and the Surveillance State".

[2] For the past four years, the author was an external adviser to a European Union project that examines the ethical, legal, and practical issues involved in the use of surveillance technologies for the prevention, investigation and prosecution of terrorist activities and serious crime. The key findings were presented at the European University Institute's State of the Union event in Florence, Italy in 2015. The project, entitled "Surveille", is not, the author explains, some attempt by a radical organisation to derail the surveillance state. On the contrary, the project takes surveillance seriously and is intended to help analyse it like any other government policy. Nor is it an ivory tower enterprise by academics: one of the consortium partners is Merseyside Police Federation and there has been extensive outreach to other police and intelligence service personnel.

Balancing National Security Needs with Data Privacy and Freedom of Expression Concerns: Singapore's Perspective
Bryan Tan, Partner, Pinsent Masons MPillay LLP, Singapore

National security developments in Singapore

The traditional conception of national security has changed in recent years. Traditionally, national security was focused on physical infrastructure and on defending against specified enemies or combatants that are visible. However, the threats to national security have now changed rapidly because of the rapid evolution of technology.

The threats are no longer confined to the physical realm, but also extend to the financial system as well as to the networks that now carry communications. There has also been an emergence of "submarine" threats. Submarine threats refer to the planting of devices that remain hidden over a period of time before surfacing later to wreak havoc. Examples of submarine threats are the Duqu malware and the modus operandi of the Carbanak malware attacks against banks globally, reported in February 2015. The significance is that the effect of the threat is now free from the constraints of time, and anything could be perceived as a "ticking time bomb".

The changing state of national security has also led to the introduction of the term "Critical Information Infrastructure" (CII). This refers to systems which are necessary for the delivery of essential services to the public in various key sectors. These sectors generally include energy, water, finance and banking, government, healthcare, information communications, security, emergency services, and transportation.

Cyber attacks on CII often occur with little warning and have tremendous potential for contagion. These cyber attacks can disrupt daily lives and threaten a nation's security, economy, public health, and safety, possibly even bringing a country to a standstill. It is precisely because of this that CII are now increasingly becoming prime targets of cyber attacks.

The Singapore Computer Misuse and Cybersecurity Act

The Computer Misuse and Cybersecurity Act (CMCA) was first passed in 1993, and its primary objective was to curb hacking, unauthorised use, and unauthorised access activities. Then in 1998, amendments were made to the Act, which was then known as the Computer Misuse Act, to curb other activities such as unauthorised modification of computer material and interception of computer services, and to introduce the notion that certain computers would be considered protected computers. Most recently, in 2013, the cybersecurity portion was added to the Act, resulting in the change of title to CMCA. With the added objective of cybersecurity, the CMCA then provided for measures to be taken to harden the security of certain CII such as specific servers and networks. Moreover, it includes provision for an even more drastic step: for the Government to take over the operation of the CII, if required.

The evolution of the CMCA should come as no surprise. The rapid evolution of technology and the accompanying sophistication of cyber criminals has meant that the Act has had to be modified. The rapid evolution of technology and the sophistication of cyber actors cannot be overstated. In July 2010, Stuxnet, a sophisticated form of malware, was discovered and was reportedly responsible for affecting 45,000 industrial computers worldwide. Many of these systems were integral to a country's critical infrastructure, such as energy, water, and communication networks. The more recent emphasis on cybersecurity is therefore not surprising: the Government now has to take effective and timely measures to prevent, detect, and counter cyber attacks that may threaten the nation's security or national interests.

The approach to cybersecurity is no different from how other national security threats in the physical realm are dealt with. For example, if there is credible intelligence of a potential terrorist threat to an aviation system, the authorities would immediately take pre-emptive steps to enhance security measures for the airports and the carriers in response to that threat. Likewise, in cyberspace, proactive and pre-emptive action against a threat must be taken before such a threat materialises to cause harm.

Data protection

A related development in Singapore is the development of its data protection framework. For many years leading up to 2012, Singapore addressed data protection issues with industry-specific legislation and regulation. However, in 2012, general data protection legislation was enacted in Singapore, which introduced nationwide legislation requiring organisations that collect personal data to take steps to protect that personal data.

The move for such legislation is important for two reasons. First, it signals the increasing importance of data, especially personal data, and the use of databases in this era. Organisations have been put on notice that their treatment of personal data is now required to adhere to certain minimum standards. While this legislation covers personal data only, the fact that personal data is often collected together with other data now means a much more considered approach is required in the collection and ensuing usage and treatment of the data. Organisations are now required to consider how they collect, use, retain, and dispose of personal data.

Second, in a broader context, such treatment of personal data in databases also increases the awareness of data protection issues, specifically those relating to breaches of security. This significantly helps cybersecurity efforts, as vast amounts of collected data could represent attractive targets for cybercriminals. Since such databases could be maintained by several parties, it would only take the weakest link to be exploited to cause significant damage.

Freedom of expression

In Singapore, freedom of speech is
