It appears that after a long deliberation period, the Ministry of Digital Infrastructure and Information Security, together with the Sri Lanka Computer Emergency Readiness Team | Co-ordination Centre (SL CERT|CC), is ready to propose the draft of the National Cyber Security Bill, 2019 to the Sri Lankan Parliament for its action. It was available for public comment on the SL CERT|CC website; however, we at Meta Defence Labs, a cybersecurity and infrastructure service provider in Sri Lanka, believe that it requires more discussion and public awareness for one to have a basic understanding of the true essence and flavour of this Bill. Below we discuss our views and perspectives on this proposed Bill.
Cybersecurity obligations – why Sri Lanka needs to implement a cybersecurity bill
Recent security challenges, the inability to disseminate critical security information to the public, growing threats to the nation’s critical infrastructure, and disinformation campaigns that divide societies and create public unrest have all raised the need for a more systematic approach to the country’s overall security requirements. Technology is rapidly evolving, and it provides great opportunities for people to connect, enhance processes and achieve growth. As technological dependence rises, so do the security threats that constantly hang over society. Therefore, it is necessary to take more advanced security measures to protect critical national infrastructure against threats, and to provide broader protection from criminals, extremist terrorists and cybercriminals who gain unauthorised access to computer systems.
The challenge is that techniques for compromising computer systems are growing more rapidly than the creation and implementation of national policies and regulatory standards. The tools and tactics used by these criminals are vast in number and can leave our country in anarchy if they are not properly identified and reported and appropriate action taken.
In general, Sri Lanka already has four cybercrime prevention Acts. The first, the Computer Crime Act, was implemented in 1997 and defined all crimes and frauds connected or related to computers and information technology. The Intellectual Property Act No. 36 of 2003 and the subsequent Penal Code Amendment of 2006 also enhance the scope of intellectual property provisions and protect children from illegal internet activity. In addition, the Information and Communication Technology Act and the Electronic Transactions Act also facilitate cybercrime prevention. However, achieving an appropriate balance between the needs of those investigating and prosecuting such crimes and the rights of the users of such networks requires skilled resources and more coordination. Overall, the Sri Lankan legal system needs reform to overcome possible future threats and to adopt cybersecurity. Therefore, as the first step in developing an appropriate regulatory framework for securing individuals and organisations, and to strengthen prosecution support for modern cyber offences, the establishment of a high-level security agency is proposed through this Act. We believe that such an independent agency would be much more focused, capable and empowered than current government initiatives. It’s now or never.
Objectives of the proposed Act
The objectives in the draft Bill outline four main areas:
(i) ensure effective implementation of the National Cybersecurity Strategy,
(ii) act effectively and efficiently to prevent, mitigate and respond to cybersecurity threats, and empower other institutional frameworks to provide a safer,
(iii) secure cybersecurity environment through the Cybersecurity Agency, and
(iv) protect critical information infrastructure.
This, in our view, serves as a general outline for establishing a cybersecurity agency with more emphasis on protecting critical information infrastructure (CII), and it excludes a number of critical elements such as personal data protection, coordinated response, a performance-based strategy, disaster recovery and transparency.
Cyber Security Agency of Sri Lanka – Objectives, powers, duties and functions
Establishment of the Agency
Recently reported cyberattacks on thirteen websites on .LK and .COM domains, including the website of the Embassy of Kuwait, should have served as a substantial wake-up call for computer system owners. Our most critical infrastructure systems are vulnerable to cyberthreats and are managed by both the public and private sectors. Despite considerable efforts, the collective response has been inadequate to achieve a collaborative cybersecurity strategy. The new Cybersecurity Bill proposes to establish a Cyber Security Agency to act as the executive governing body for cybersecurity in Sri Lanka; it will be responsible for the implementation of the National Cybersecurity Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects.” It will also be granted the power to act as the central point of contact.
The executive board that manages and administers the Agency consists of seven members: three ministerial secretaries (from the Ministry of Defence, the Ministry of Public Administration and the ministry assigned to implement the Cybersecurity Act), a member nominated by the board of SL CERT, and three professionals with more than 25 years of experience in information technology, public or private sector management, law or finance.
Powers, duties and functions
Apart from implementing the National Cybersecurity Strategy, the Bill proposes that this Agency hold the authority to “identify and designate Critical Information Infrastructure (CII) both in government and other relevant sectors.” A CII can consist of a computer or computer systems, and the Agency will develop plans and strategies for the protection of such information systems. The Agency will also be granted the authority to enter, inspect, search and examine designated CIIs, suggest security measures, request compliance reports and conduct cybersecurity drills.
The Agency has the power to define criteria for appointing an “Information Security Officer” for each government institution or department to ensure cybersecurity compliance. The Director General (DG) of the Agency will be appointed in consultation with the minister, and the DG is solely responsible for other staff recruitment and for the operational and administrative controls of the Agency. Recruiting and retaining top professionals in the field could prove challenging if the Agency is unable to compete with private sector salaries. This Bill does not propose that the Agency be independent, which would make it much more capable, focused and empowered than current cybersecurity arrangements. In our view, the Director General of the Agency should report directly to the President of the country and should have the authority to express their views to members of parliament in order to achieve the legislation needed to build a cyber-resilient society. We also recommend that the drafting recognise gender equality when referring to people, to be more accurate and respectful. Legal drafts that exclude references to the female gender neglect half the population and do not promote gender equality.
Talent acquisition and retaining
We embrace the steps proposed in this Bill for strengthening cybersecurity skills, as education and awareness are key to building a cyber-resilient society. There is a global cybersecurity skills shortfall, the workforce gap is widening, and there is a persistent lack of gender diversity. Many organisations globally have initiated programs to address the gaps identified in the field of cybersecurity. As a contribution, Meta Defence Labs initiated the SHe CISO Exec. program to attract more women and empower them with cybersecurity, leadership and emotional intelligence skills. The program was recently recognised at the (ISC)2 Awards in The Hague, Netherlands. We hope that the Agency will have a suitable strategy to identify and retain skilled talent in the field of cybersecurity.
Institutional Framework to assist the Agency
The Bill proposes that SL CERT assist the Agency in the performance, exercise and discharge of its powers. SL CERT is designated as the “national point of contact” for handling cybersecurity complaints, threats and responses, providing threat intelligence, and conducting reactive and proactive measures to mitigate cyberattacks.
Additionally, there will be a National Cyber Security Operations Centre (NCSOC), designated by the minister, to identify potential cybersecurity incidents, monitor designated government CIIs, gather cyber threat intelligence and liaise with law enforcement authorities and CERT. The NCSOC is expected to facilitate a coordinated response. However, the Bill gives it no authority to convene companies and government agencies at all levels, even though the minister responsible for the implementation of this Act will sit above all levels of the hierarchy in issuing directions and in making and changing regulations and rules as to the “exercise and performance of powers and functions” to ensure the proper functioning of government policy.
Funds of the Agency
The Agency will initially be funded by parliament out of the consolidated fund, together with grants, gifts or donations from any source. Once operational, the Agency can accept money received in the exercise, performance and discharge of its powers, duties and functions under this Act. It is our understanding that total global cybersecurity spending is estimated to be around 0.1% of GDP. It is difficult at this time to gain a comprehensive picture of the investments required without reliable statistics and an understanding of which gaps to close. Overall, this Bill does not provide a clear picture of where the money will go. We believe that the Agency will conduct a detailed study to determine its actual financial needs in order to carry out its tasks effectively with adequate resources.
Offences and penalties
The Bill provides penalties for every CII owner who fails to fulfil the obligations imposed under this Act or fails to report cybersecurity incidents to the Agency and CERT; such a failure is identified as an offence. A conviction can draw fines of up to Rs. 200,000 and/or imprisonment for a term not exceeding two years. An Information Security Officer (ISO) who fails to perform cybersecurity duties and responsibilities, or a head of an institution who fails to facilitate an ISO, will also commit an offence, and prosecution will be conducted by an officer authorised by the Agency. Where an offence is committed by a corporate body or firm, every director and partner will be held responsible. Further, no person will be considered guilty if it is proven that the offence was committed without their knowledge or that they exercised due diligence to prevent such an offence.
There is no clear definition in the Act of the minimum level of cybersecurity and trust to be achieved, or of a desired level of resilience for the country. The Agency’s objectives are not broadly defined and do not extend to evaluating and monitoring cybersecurity and readiness. Therefore, we believe that a shift is needed towards a performance-based culture with embedded evaluation practices and standardised reporting before penalties and imprisonment are imposed.
Global cyber analysts believe that the latest cyber weapons could be just as dangerous as nuclear bombs. A successful attack on our nation’s critical infrastructure systems, such as power and water supply, transportation (ground, sea and air), healthcare, finance and banking, communication systems and the defence network, could leave us in devastation and lead to cyber war. It could also destroy social order by tampering with election systems and spreading disinformation. In 2018, aiming to create a trusted and resilient cybersecurity ecosystem, Sri Lanka introduced its first Information and Cybersecurity Strategy, to be implemented over a period of five years from 2019 to 2023. We at Meta Defence Labs appreciate the opportunity to comment on the publicly available Cybersecurity Bill. We feel that the Agency has such a vast portfolio of responsibilities that it cannot possibly give each the attention and resources required to achieve cyber resilience.
We hope that the Agency will act as an independent National Cybersecurity Agency that takes the lead in protecting Critical Information Infrastructure while focusing on strengthening the necessary legislation and policies, information sharing, developing a skilled talent pool and creating public awareness. We also believe that this Act will put more emphasis on preventing possible abuse of power by the Agency and related authorities, and will not provide opportunities for any government to manipulate the cybersecurity strategy, the Agency or the related legislative process.