In October last year, a cooling system issue at a data centre knocked out a range of customer services for DBS Bank and Citibank in Singapore, making it impossible for people to pay with their credit cards and banking apps, or withdraw money from an ATM machine.
The widespread outage, the latest in a series dating back to 2021 for DBS, eventually led to punitive measures by government regulators. DBS CEO Piyush Gupta also had his pay cut.
As digital transactions become crucial to everyday life, so is the infocomm backbone needed for them.
Imagine your online store freezing mid-checkout, deliveries grinding to a halt and customer calls going unanswered. All because a data centre powering your business suddenly went dark. A nightmare.
This is the reality businesses face when digital infrastructure crumbles. Disruptions can stem from technical glitches, physical hazards or even leaky water or gas valves overseas. The impact: Lost revenue, frustrated customers and a serious dent in reputation.
These concerns are what Singapore’s proposed Digital Infrastructure Act (DIA) aims to address, by setting up legal mandates for the digital ecosystem.
The DIA is a key work item for the Republic’s Ministry of Communications and Information this year and it was brought up in Parliament last month during the ministry’s budget debate.
The regulator for the DIA is the Infocomm Media Development Authority (IMDA), which is still consulting with stakeholders on this issue.
The proposed law will impact the operators and providers of data centre and cloud services and their suppliers like energy, water, cooling systems and communications companies.
It will have to consider the complexities of the digital infrastructure which has a labyrinthine supply chain with various layers of suppliers and sub-contractors based in Singapore and across the region and world.
Working on the proposed legislation will offer the regulator better visibility on how it all interconnects. Thus it can be in a better position to mandate service uptime by enforcing best practices and standards of operations.
There are several challenges here. To start, it will have to decide how wide a net to cast, given the complex supply chain.
For accountability, there must be clarity in defining parameters for the proposed law to prevent confusion and facilitate effective enforcement.
This means clearly defining the responsible incumbents who will be answerable for the outages and to ensure swift resolution and minimise downtime.
Another priority is data restoration capabilities. Rapid data restoration is crucial for business continuity, particularly in essential services like emergency response and healthcare, where delays can have life-threatening consequences.
Important questions need to be answered. How far down the supply chain will the proposed legislation govern? How will overseas digital infrastructure providers be held accountable if the disruptions are linked to their services?
For example, what if overseas gas providers suffer an outage due to a leaky valve in the pipeline, affecting energy suppliers in the Republic. Can the overseas gas provider be held accountable?
The devil is in the details, so a clear definition will avoid confusion, said Matthew Oostveen, chief technology officer and vice-president for Asia-Pacific and Japan for Pure Storage, which provides storage drives to data centres.
He said the new rules should place greater priority on data restoration capabilities, adding that enterprises have always focused on secure data storage but done little to ensure that the data can be restored quickly.
To this effect, he hoped that the law will also mandate regular data restoration drills.
However, regulatory compliance should not be overly onerous, he argued. Larger providers with significant customer bases and broader reach will initially come under the proposed new law, he added.
Medium-sized suppliers and infrastructure providers, he said, should not be similarly burdened by regulations as compliance is costly.
Notably, Singapore lags the European Union and other countries like Australia and United Kingdom which have implemented such regulations governing best practices of digital infrastructure.
Some countries have combined cybersecurity with key digital infrastructure into one law while Singapore has opted to separate them.
The DIA will complement the current Cybersecurity Act and the Telecoms Act and other telecom-related laws, which among other things, mandate standards of performance and codes of practice. The Cybersecurity Act is expected to be amended this year.
Oostveen said the DIA is a nod to the fact that it is timely to demand accountability given that digitalisation is ubiquitous.
Best practices and standards are needed to ensure that the digital infrastructure will operate smoothly and in the event of a disruption, service resumption and data restoration can kick in speedily, he added.
