IT industry wants more say in Cyber Security Bill

Monday, 10 June 2019 01:09

Digital Infrastructure and Information Technology Ministry Secretary D.C. Dissanayake

Sri Lanka CERT Research and Policy Development Specialist Kanishka Karunasena – Pix by Ruwan Walpola

  • Concerned over transparency and appointments to new Cyber Security Agency and National Cyber Security Operations Centre to be established under new bill
  • Stakeholders worried new agencies will overlap with CERT
  • Ministry Secy. says Data Protection Bill to be drafted alongside Cyber Security Bill 
  • Social media issues, surveillance and monitoring media not covered under bill

By Ruwandi Gamage

IT industry stakeholders have called for more Government engagement on the proposed Cyber Security Bill, citing a lack of transparency, unclear legal definitions and problems with the institutional framework for establishing a Cyber Security Agency under the legislation.

The first round of consultations was held last week to obtain industry and stakeholder views to further improve the bill. 

Making the opening remarks at the session on Thursday, Ministry of Digital Infrastructure and Information Technology Secretary D. C. Dissanayake said it was the ministry’s vision to create a resilient and trusted cyber security eco-system. He further added that the Data Protection Bill would also be drafted alongside the Cyber Security Bill and would be available for public consultation during the next few months.

A summary of the comments received from stakeholders was presented by Sri Lanka CERT Research and Policy Development Specialist Kanishka Karunasena. He stated that the response was significant and came from various industry professionals, including Mobitel, Dialog, SLIIT, IT firms and individual professionals.

Most industry professionals raised concerns regarding the transparency of the composition, appointment and experience of the board members of the Cyber Security Agency of Sri Lanka, as well as the appointment of the Director General of the Agency, as set out in parts two and three of the bill.

“Some stakeholders have questioned the appointing of former officials of certain ministries such as Defence, Public Administration, and Infrastructure and Information Technology as board members of the agency, while others have questioned the reasons behind restricting the selection of directors to the fields of ICT, private sector management, law and finance. There were suggestions to include key stakeholders from fields such as the banking sector and telecommunications and also civil society,” he added.

The appointment of the board members by the subject minister was flagged by industry professionals, who questioned whether these could become political appointments. The requirement that a member of the Board of Directors of the Agency have a minimum of 25 years' experience was also criticised as restricting the opportunity for young, capable individuals to be appointed to the board. Some suggested that any individual who has been convicted of computer misuse, locally or internationally, should not hold any post in the Agency.

The provision in subsection 12(2-a) of the bill, under which the qualifications for the post of Director General of the Agency include a postgraduate degree in the field of science or engineering, was also raised by stakeholders as a concern.

“There are a lot of questions about the institutional framework. Through this Act there are a couple of organisations that will be created, such as the Cyber Security Agency and National Cyber Security Operations Centre. There are some concerns about whether these separate institutions are necessary. We believe that these separate legal entities are necessary, given the breadth of the functions.”

While some questioned possible overlapping functions between CERT and the Agency, others raised questions about Section 4(2) of the bill, which says: ‘In the discharge of its powers and functions, the Agency shall at all times consult Sri Lanka Computer Emergency Readiness Team and ensure the said powers are carried out through the institutions established under Part IV of this Act’.

The stakeholders questioned why the Agency had to consult Sri Lanka CERT at all times.

Regarding subsection 15(2), which says, ‘The CERT shall at all times assist the Agency in the exercise, performance and discharge of its powers and functions under this Act,’ it was questioned whether it was appropriate for this legislation to bind a commercial entity to assist a Government agency.

Questions were raised on whether it was advisable for the National Cyber Security Operations Centre to be established by the Agency and whether it would be answerable to the board of the Agency. There were also concerns about the powers and functions of the Operations Centre as set out in subsection 16(5). Some stakeholders said that the provisions under 16(5-a) and 16(5-c) were wide in scope and should be narrowed to prevent them from being abused.

In addition, it was unclear to some whether the subject minister could designate more than one entity to discharge the powers and functions under section 16.

“There are also concerns regarding the definitions we have given in the Act. The interpretation of cyber security is ‘a set of activities intended to make cyber space safe and secure’ and it is pointed out that this is a vague definition and does not cover the infrastructures and processes, but only cyber space. Some suggest the definition must be more detailed and clear,” Karunasena added. 

Many suggestions were made to broaden the definition of Critical Information Infrastructure, as the definition is restricted to certain sectors; some suggested that more sectors should be added, such as synergy, transportation and logistics.

Subsection 4(1) states that ‘The powers, duties and functions of the Agency shall be to (a) take all necessary steps to implement the National Cyber Security Strategy’, but stakeholders pointed out that the strategy was neither defined in the bill nor linked to a separate document.

The objectives specified in the bill are: (a) to ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka; (b) to prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently; (c) to establish the Cyber Security Agency of Sri Lanka and to empower other institutional framework to provide for a safe and secure cyber security environment; and (d) to protect the Critical Information Infrastructure.

Explaining the technical aspects of the bill, Sri Lanka CERT Acting Chairman and ICTA Legal Advisor Jayantha Fernando detailed the areas not covered by the bill, and said that surveillance, interception of communications and the monitoring of media and social media were not covered under the Cyber Security Bill.

“Although the connotation of cyber and security will give you the impression that those areas are covered, those are specific areas that have been left out because they’re covered through other processes. They are intelligence and national security related activities which are not covered under this bill.”