By Sandaran Rubatheesan
The IT industry is concerned about transparency, intrusiveness and lag-time in responding to cyber attacks in the provisions of the draft cybersecurity bill and personal data protection framework, and the government says it is willing to listen and review the legislation before parliament receives the bill in July.
A major worry involves the broad mandatory powers vested in two new proposed agencies, the Cyber Security Agency of Sri Lanka (CSASL) and the National Cyber Security Operations Centre (NCSOC), in addition to the existing Sri Lanka Computer Emergency Readiness Team (CERT).
IT experts also warned that having three bodies dealing with cyber-security could result in systemic delays when reacting to threats to computer systems.
Another concern is that the definition of what constitutes Critical Information Infrastructure (CII) – or computer systems – is too broad, inviting unnecessary scrutiny of private systems by the new watchdog agencies.
LIRNEasia, a regional ICT policy and regulation think-tank, warned of regulatory overreach, saying, “Designating a computer system as a CII could even be used as a method of control”.
Early this month, the Federation of IT Industry of Sri Lanka organised a seminar to brief industry specialists and professionals on the proposed bill. Feedback from the seminar is being studied by a committee of representatives of leading IT institutions which was convened this week. The committee will report back to the Ministry of Digital Infrastructure and Information Technology so that flaws in the proposed law could be fixed.
The ministry has initiated a simultaneous process of drafting a Data Protection Bill in keeping with the five-year Information and Cyber Security Strategy of Sri Lanka (2019-2023).
With government agencies, banks, telecoms, internet service providers and private companies collecting personal data off the internet, data protection has become an important public policy consideration, the ministry noted.
The bill seeks to establish parameters for data-processing, data retention, and cross border flow of data. Public feedback is invited and will be reviewed by an Independent Review Committee co-chaired by Justice K.T. Chitrasiri and Prof Savithri Goonesekera.
The bill will create a single platform, the National Cyber Security Operations Centre (NCSOC), to seek and hold data that can be used by government agencies such as the police, Customs and the Immigration Department.
“We are not going to pool everything in one single platform, but the new platform will facilitate an ‘interoperability’ feature which will enable different digital systems to exchange data among themselves,” Minister Perera said.
He explained that currently there was a lack of coordination among state agencies in sharing information.
Mr. Perera said the bill sought to emulate some of the best digital data and cybersecurity practices in EU countries, particularly the highly-regarded e-governance policies of the Estonian government.
The agency engaged in countering and protecting Sri Lankan institutions against cyber attacks, the Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT), says it is hampered by playing a mainly reactive role and hopes the new legislation would give it more powers.
“We are hopeful that [with new laws] we will be able to track the potential cyber attacks or malware or even hacking of websites in advance and take adequate steps to prevent serious damage to our digital systems,” Dr. Kanishka Karunasena, Research and Policy Development Specialist at CERT, said.
Dr. Karunasena said concerns expressed about the setting up of two new cyber security bodies as well as the existing CERT were being taken seriously.
“Many commented that three separate agencies on cybersecurity are unnecessary and it will cause systematic delays. They suggested we bring NCSOC as a separate unit under CERT. We are considering that very positively,” he said.