Invitation for comments on the Cyber Security Bill



The Ministry of Digital Infrastructure and Information Technology and Sri Lanka CERT|CC invite the public to comment on the proposed Cyber Security Bill. Comments regarding the bill shall be submitted in the comment section below or by post to Sri Lanka CERT|CC, Room 4-112, BMICH, Boudhdhaloka Mawatha, Colombo 07. Comments must be received by 5th of June 2019.


SHA256 hash of the bill: f4a6188cd25fa9c061d3be438949e43ad5801ce6b0a3880b86d9ee211f8d1a87

Title of the bill:

AN ACT TO PROVIDE FOR THE IMPLEMENTATION OF THE NATIONAL CYBER SECURITY STRATEGY OF SRI LANKA, TO PROVIDE FOR THE ESTABLISHMENT OF THE CYBER SECURITY AGENCY OF SRI LANKA, TO PROVIDE FOR THE EMPOWERMENT OF THE SRI LANKA COMPUTER EMERGENCY READINESS TEAM AND NATIONAL CYBER SECURITY

Objectives of the bill:

(a) to ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka;
(b) to prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently;
(c) to establish the Cyber Security Agency of Sri Lanka and to empower other institutional framework to provide for a safe and secure cyber security environment; and
(d) to protect the Critical Information Infrastructure.

Comments

  1. Can you please fix the download link?

  3. This shall not be granted as cyber security system. Because this will limit all the privacy of a social media user

  4. There's no clear outlining of the relationship between the Ministry of Defense and the Cyber Security Agency.

    4.3. While appointing Information Security Officers from various departments is a very good idea, without outlining where they sit in the hierarchy it will lead to confusion.

    5.1.b. It needs to be clear that the members should be from each area of expertise at a given time. It's ineffective to have all three members from finance, telco, law or IT.

    5.4. Shouldn't this be "Minister shall do due diligence" instead of "satisfy himself"?

    12.9. Shouldn't all the clauses in section 6 (applicable to members of the board) be reflected on the Director General as well? Also, any individual who has been convicted of computer misuse, locally or internationally, should not hold any position in the Agency.

    15.3. Shouldn't the CERT or the Agency be given the power to demand reports/logs related to security incidents, with a time window specified?

    17. This is very vague and reads like an open clause to get external parties involved. The recommendation of the Agency and the CERT should be put to the vote by the board of each entity before external entities get involved.

    18.3. CERT and/or the Agency should have some level of control over the CII owned or operated by other institutions.

    19.1.b.i. The owner should be responsible for implementing "adequate" protection plans for securing the CII. "Adequate" needs to be defined.

  5. Can you please fix the download link? Can't view the doc.

  7. Process

    The consultation process on the draft Bill is commendable. It’s important to recognize that the Minister/Ministry does not have a legal obligation to consult the public at this time. We hope this process becomes the norm in the future and that the general public will get an opportunity to provide input into the legislative process at the earliest opportunity.

    Cyber Security Strategy

    S4 (1) (a) empowers the Agency to take all necessary steps to implement the National Cyber Security Strategy of Sri Lanka. The Strategy is not defined in the draft Bill. It must be defined in legislation, i.e. which strategy is the official one? Who is authorized to make it? What is the scope for making the strategy?

    Concern – any future government could manipulate the strategy, which would empower the agency to do everything needed to implement all policies within it.

    Requiring CERT to assist

    S15 (2): Is it correct to compel a company/a commercial entity (technically) to assist a government agency through legislation? Does it not set a bad precedent for government interference in a commercial entity? Should it not be up to the leaders of the company to work with the Agency if it is profitable for them? Is it not better to require the Agency to work with CERT?

    15 (3): Why are the functions being added to CERT through this law? Can’t you amend the articles of association? Are any of these functions ones that a company could not do without additional legislative authority?

    National Cyber Security Operations Centre

    S16 – This provision is very wide in scope. The overall scope of the provision should be restrained to prevent it from being abused. Particularly the powers under ss(5) (a) and (c) are extremely wide and unrestrained, i.e. the power to proactively identify potential incidents and gather threat intelligence information from local and international sources can be interpreted widely and can lead to abuses of power.

    These powers could and should be restricted / made conditional, for example:
    • when personal information is collected, it is collected for the purposes of the Act only and can only be used for that purpose
    • the people carrying out the powers of the Act should be restricted from using those powers for any other purpose than those of the Act
    • make it an offence to misuse powers in the Act

    Regulation making powers

    S32(1) seems to be a very wide regulation-making provision. Regulation-making powers should be limited to those matters specifically authorized, i.e. only for ss(2) (a)-(n).

    Interpretation

    Definition of “Cyber Security”. The provisions of this Act seem to be addressing matters dealing with unauthorized access or attacks on critical computer infrastructure. Making the ‘cyber space’ safe and secure does not seem to accurately capture the meaning of the term (without further defining what’s being meant by cyber space).

  8. The term "Cyber Security" is very poorly defined. The current definition can imply this bill is about "controlling cyber space".

  9. Given the short response time allocated to public input, LIRNEasia, a digital-policy think-tank, submitted comments on the proposed Cyber Security Bill today. The comments can be accessed at: https://lirneasia.net/2019/06/comments-on-the-cyber-security-bill-sri-lanka-2019/

  10. From: IT and Computer Engineering Sectional Committee of the Institution of Engineers, Sri Lanka (IESL)

    Feedback 01/03

    GENERAL COMMENTS

    1. Given the overarching powers proposed for the Cyber Security Agency, it is important to explicitly provide for the appeals process against decisions/directives/orders/etc of this agency. It is a total folly to assume that this government agency will be led by qualified and experienced domain specialists who are capable of making right decisions every time.

    2. The proposed Act seems to have been developed to create entities that operate in isolation of national entities entrusted with security. In contrast, as an example, the Security of Critical Infrastructure Act of Australia uses the Ministerial directions power in clearly defined situations of imminent security risk, CI provider inability to mitigate identified risks, or the absence of a regulatory framework for enforcing mitigation. Even in these scenarios the Minister's primary advice is sourced from the Australian Security Intelligence Organization (ASIO). It would be appropriate to adopt similar mechanisms to link the established security and intelligence arms of the state in the protection of CII for Sri Lanka.

    3. This Act primarily focuses on the Cyber Security Agency (CSA) rather than Cyber Security itself. While there can be a CSA, it should perform a coordinating task and should not be the sole authority. All key stakeholders should be part of the process.

    4. It is not clear how the proposed Agency liaises with other related institutions such as ICTA and TRCSL.

    5. We are of the view that the Ministry of Digital Infrastructure and Information Technology and Sri Lanka CERT|CC should get inputs directly from professional bodies.

    6. It is not clear how this Act works with the following existing Acts without any conflict.

    • Information and Communication Technology Act No.27 of 2003
    • Intellectual Property Act No. 36 of 2003
    • Electronic Transactions Act No. 19 of 2006
    • Computer Crimes Act No. 24 of 2007
    • Payment And Settlement Systems Act, No. 28 of 2005
    • Payment Devices Frauds Act No.30 of 2006
    PART IV: INSTITUTIONAL FRAMEWORK TO ASSIST THE AGENCY

    1. There must be clarity on the role of new government agencies being set up (Cyber Security Agency) as well as the conferring of new powers on existing government agencies (SLCERT) with respect to the private sector providers of security capabilities for protection of CII. For example, the Cybersecurity Act of Singapore (2018) deals with the licensing of two types of security service providers: Penetration Testers and Managed Security Service Providers operating SOCs. This makes it clear what the private sector does and what the agencies empowered by the legislation can do. For example, while they can do licensing, they cannot run Pen Test or SOC operations as that is a clear-cut case of conflict of interest.

    2. Protection of CII requires a strong on-going R&D capability. The proposed Act seems to assume that Sri Lanka is in possession of the required capability for CII protection or that the establishment of the proposed agencies would somehow cause these capabilities to materialize. We find it particularly troubling that an entity which is tasked with incident response (SLCERT) is being anointed as an authority for the complex and demanding task of developing, deploying, managing and continuously improving a national level cyber security defense strategy and offensive posture.

  12. From: IT and Computer Engineering Sectional Committee of the Institution of Engineers, Sri Lanka (IESL)

    Feedback 02/03

    PART V: CRITICAL INFORMATION INFRASTRUCTURE

    1. The proposed Act should explicitly name the sectors recognized for Critical Information Infrastructure. That gives clarity to the legislation. For example, the Cybersecurity Act of Singapore (2018) says: "The CII sectors are: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government."

    2. The Security of Critical Infrastructure Act (2018) of Australia also has explicit identification of assets for CI protection (nearly 165 at the time of legislation) and provision for change (through an assets registry). It should be noted that this CI act is broader than the proposed CII in coverage.

    3. The Act fails to identify critical infrastructure and related cyber security requirements. Cyber security requirements of identified organisations and their systems need to be based on how critical the information they process and host is. For this purpose, information classification is a requirement. This needs to be addressed through a "Data Protection Act" or similar, or else it should be part of this Act. In case the Data Protection Act is a separate Act, it should also be presented together with this Cyber Security Act or prior to it, and the Cyber Security Act needs to refer to the Data Protection Act when defining the security measures to be taken by responsible organisations or designated persons.
    One possibility is to look at how other countries have done the information classification. For example, the USA has 12 broad information categories (some of which are not relevant to us), and the required security levels are defined as high, medium & low. Further, they also define the impact factor for security levels as moderately serious, serious and catastrophic, and then say that if a system processes or hosts such information, the responsible parties should ensure the necessary security levels.
    Some intelligence agencies and CERTs, for identified categories of information, use something called TLP (Traffic Light Protocol), and military agencies have top secret, secret, confidential, restricted, & unclassified. These are mostly to address information sharing concerns; however, that is also a classification for the purpose of implementing information security.

    4. As per the Act, for a system to be classified as Critical Information Infrastructure, the computer system has to be necessary for the continuous delivery of an essential service and it has to be located wholly or partly in Sri Lanka, as per Part V 18. (1). Being classified as Critical Information Infrastructure and the need to comply with this Act could be easily bypassed by locating the system completely offshore. Therefore, the location of the system is immaterial in classifying it as Critical Information Infrastructure. Rather, what is important is its importance to the delivery of an essential service and the damage that can be caused by a failure of such a system. Hence, we would suggest removing the clause in Part V 18. 1 (b) "the computer or computer system is located wholly or partly in Sri Lanka;"

  13. From: IT and Computer Engineering Sectional Committee of the Institution of Engineers, Sri Lanka (IESL)

    Feedback 03/03

    PART IX: MISCELLANEOUS

    1. Clause 32 (2) should be changed as follows:

    “the Minister may make regulations with the concurrence of the Agency for and in respect of all or any of the following matters specifying:-“

    CLAUSES

    Clause 5(1)b: Members of the board will be appointed by the Minister from those possessing exposure in IT, Law, Finance or public/private sector management. This might lead to a possibility where subject matter experts are not assigned to the so-called “Apex body” of cyber security in the country. Hence, it is suggested to include qualified cyber security professionals on the board.

    Clause 12(4)d: The Director General position of the Agency has been assigned as Secretary to the Board with no voting rights, which would limit the authority level of the position as CEO.

    Clause 16(1): The proposed Act refers to a NCSOC, which has no reference to an Act incorporating the same in Sri Lanka. It should be clearly defined whether NCSOC is a legal entity. Also, the governance structure between the Agency, CERT and NCSOC has not been defined anywhere in the document.

    Clause 18(1)a: As mentioned in the proposed Act, the Agency has the power to designate Critical Information Infrastructure both in Government and other relevant sectors. It is necessary to clearly designate these sectors, which might currently be owned/operated by the private sector (for example, whether the Energy, Banking or Telco sectors are defined under these sectors).

    Clause 19(1)c,f: The proposed Act mentions that risk assessment, vulnerability assessment and incident response mechanisms will be defined as rules under the Act. It is suggested to consult IESL and other professional bodies on Info Security in defining those procedures, mechanisms and standards.

    Clause 24: The Act grants authority to the Agency to enter, inspect and examine any entity or premises holding Critical Info Infrastructure. Hence, this clause needs to be further clarified, in terms of the CII as well as the nature of the interrogation suggested. This clarity is important as penalties and offences have been defined in the Act itself for mishandling the CII.

    Clause 32(d)(e)(f): It is suggested to consult IESL and other professional bodies in defining standards for security trainings and NCSOC procedures, setting standards for cyber security auditors, etc.

  14. TechCERT Comments on the Proposed Draft Cyber Security Bill 2019 - Part I
    -----------------------------------------------------------------------

    General Comments
    ------------------

    1. The proposed Act uses the term “National level Cyber Security Incident”. It should clearly define what will be considered a National level Cyber Security Incident.

    2. Cyber security is a vast field. The Agency should be formed to address the national interest. But this addresses only CIIs. As an example, if a coordinated attack hitting 100 websites (which are not owned by any of the CIIs) takes place in Sri Lanka and if most of the website owners are the general public, will this be considered a national cyber security threat? In such a scenario, who will be the main coordination body to resolve the issue? In summary, how is a national level cyber security incident that does not involve CIIs to be addressed?

    3. The involvement/role of sectoral CERTs / other CERTs and bodies that provide cyber security services should be clearly mentioned. It is extremely important to state how the proposed Agency will liaise with these bodies, which are key stakeholders.

    4. The proposed Act should clearly define the roles and responsibilities of the proposed Cyber Security Agency, Sri Lanka CERT|CC and the National SOC with respect to the private sector institutions that provide cyber security services for CIIs and other related organizations.

    5. The proposed Act does not address the vital role of the Agency, which is coordination between the proposed Agency and the Government Threat Intelligence Units that operate under the National Security Council.

    6. The necessary provisions have not been incorporated in the proposed Act to safeguard the rights and business interests of parties affected by erroneous decisions made by the proposed Agency.


    Section-wise Comments
    -----------------------
    1. Section 4 (1) – (j) - establish or designate institutions, units or any other entity to assist the Agency in the performance and discharge of the duties and functions of the Agency ;
    - does the above mentioned “institutions, units or any other entity” include the related private sector organizations?

    2. Section 5 (1) – (b) - three members appointed by the Minister; - it is mandatory for one of the appointed members to be an IT security domain specialist.

    3. Both sections Part II - Section 4 (1): The powers, duties and functions of the Agency and Part IV – Section 15 (3): Powers and functions of SLCERT, show that both bodies seem to be performing some similar duties.

    4. Under Part II - Section 4 (1) the coordination between Agency and other related non-government sector bodies, who are key stakeholders, has not been addressed.

    5. Part IV – Section (16) – (1): It mentions forming a National Cyber Security Operations Centre (NCSOC). The integration between the NCSOC and the existing banking sector SOCs (that have been formed as per the guidelines of the Central Bank of Sri Lanka) is not incorporated.

    6. Section 16 (5) – (d): It is mentioned that one of the powers and functions of the NCSOC is to provide cyber threat intelligence information to law enforcement authorities, CERT and the Agency to prevent cyber security incidents.
    – Please look into the possibility of including a section on sharing cyber threat intelligence information that is relevant to private sector organizations that are providing CERT and other cyber security services to CIIs, on a need-to-know basis.

    7. Recommends necessary amendments to Part V – Section 18 (1) – (b): there can be critical systems set up entirely outside of Sri Lanka. More attention is required on storing/processing and transmitting sensitive data that are related to national interests, irrespective of the location of the computer system.

  15. TechCERT Comments on the Proposed Draft Cyber Security Bill 2019 - Part II
    ------------------------------------------------------------------------

    Definitions that need to be incorporated in the proposed Act:

    The below mentioned terms need to be clearly defined:
    1. The term “Other relevant sectors”, which is included multiple times in the document
    2. The term “other sectors”, which is included in the document, is vague. Does it refer to private sector bodies?
    3. “National Cyber Security Incident” is not clearly defined.

  16. Meta Defence Labs Decoding the National Cyber Security Act 2019

    It appears that after a long deliberation period, the Ministry of Digital Infrastructure and Information Security, together with the Sri Lanka Computer Emergency Readiness Team | Co-ordination Centre (SL CERT|CC), is ready to propose the draft of the National Cyber Security Bill, 2019 to the Sri Lankan Parliament for its actions. It was available for public comment on the SL CERT|CC website; however, we at Meta Defence Labs, a cybersecurity and infrastructure service provider in Sri Lanka, believe that it requires more discussion and public awareness for one to have a basic understanding of the true essence and flavour of this Bill. Below we discuss our views and perspectives on this proposed Bill.

    Cybersecurity obligations – why Sri Lanka needs to implement a cybersecurity bill
    Recent security challenges, the inability to disseminate critical security information to the public and growing threats to the nation’s critical infrastructure, along with disinformation campaigns to divide societies and create public unrest, have raised the need for a more systematic approach to the country’s overall security requirement. Technology is rapidly evolving, and it provides great opportunities for people to connect, enhance processes and achieve growth. As technological dependence rises, so do the security threats that constantly hang over society. Therefore, it is necessary to take more advanced security measures to protect against threats to critical national infrastructure, and for broader protection from criminals, extremist terrorists and cybercriminals who gain unauthorised access to computer systems.

    The challenge is that techniques for compromising computer systems are growing more rapidly than the creation and implementation of national policies and regulatory standards. The tools and tactics used by these criminals are intangibly large and can leave our country in anarchy if not identified properly, reported and proper action taken.

    In general, Sri Lanka already has four cybercrime prevention Acts. The first act was implemented in 1997, called the Computer Crime Act, which defined all crimes and frauds that are connected or related to a computer and information technology. The Intellectual Property Act 36 of 2003 and the subsequent Penal Code Amendment in 2006 also enhance the scope of intellectual property provisions and protect children from illegal internet activity. In addition, the Information Communication and Technology Act and the Electronic Transactions Act also facilitate cybercrime prevention. However, an appropriate balance between the needs of those investigating and prosecuting such crimes and the rights of the users of such networks needs skilled resources and more coordination. Overall, the Sri Lankan legal system needs reform to overcome possible future threats and to adopt cybersecurity. Therefore, as the first step in developing an appropriate regulatory framework for securing individuals and organisations and to strengthen the prosecution support for modern cyber offences, the establishment of a high-level security agency is proposed through this Act. We believe that this independent agency would be much more focused, capable and empowered than current government initiatives. It’s now or never.

  17. Meta Defence Labs Decoding the National Cyber Security Act 2019 Cont..

    Objectives of the proposed Act

    The objectives in the draft bill outline four main areas, such as:
    (i) ensure effective implementation of the National Cybersecurity Strategy,
    (ii) act effectively and efficiently to prevent, mitigate and respond to cybersecurity threats, empower other institutional framework to provide a safer,
    (iii) secure cyber security environment through cybersecurity agency, and
    (iv) to protect critical information infrastructure.
    This in our view, serves as a general outline to establish a cybersecurity agency with more emphasis on protecting critical information infrastructure (CII) and excludes a number of critical elements such as personal data protection, coordinated response, performance-based strategy, disaster recovery and transparency.
    Cyber Security Agency of Sri Lanka – Objectives, powers, duties and functions

    Establishment of the Agency
    Recently reported cyberattacks on thirteen websites on .LK and .COM domains, including the website of the Embassy of Kuwait, should have created a substantial wake-up call among computer system owners. Our most critical infrastructure systems are vulnerable to cyberthreats and are managed by both the public and private sectors. Despite considerable efforts, the collective response has been inadequate to achieve a collaborative cybersecurity strategy. The new Cybersecurity Bill proposes to establish a Cyber Security Agency to act as the executive governing body for cybersecurity in Sri Lanka, and it will be responsible for the implementation of the National Cybersecurity Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects.” It will also be granted power to act as the central point of contact.

  18. Meta Defence Labs Decoding the National Cyber Security Act 2019 Cont..

    Executive Board
    The executive board which manages and administers the Agency consists of seven persons, including three ministerial secretaries from the Ministry of Defence, Public Administration and the ministry assigned for implementation of the Cybersecurity Act, a member nominated by the board of SL CERT and three professionals with more than 25 years of experience in the fields of Information Technology, public or private sector management, law or finance.
    Powers, duties and functions
    Apart from implementing the National Cybersecurity Strategy, the Bill proposes that this agency hold the authority to “identify and designate Critical Information Infrastructure (CII) both in government and other relevant sectors.” CII can consist of a computer or computer systems, and the Agency will develop plans and strategies for the protection of such information systems. The Agency will also be granted authority to enter, inspect, search, examine or suggest security measures, request compliance reports and conduct cybersecurity drills of designated CIIs.
    Executive appointments
    The Agency has the power to define criteria to appoint an “Information Security Officer” for each government institution or department to ensure cybersecurity compliance. The Director General of the Agency will be appointed in consultation with the minister, and he or she may be solely responsible for other staff recruitment and the operational and administrative controls of the Agency. Recruiting and retaining top professionals in the field could prove to be challenging due to an inability to compete with private sector salaries. This Bill does not propose that this Agency be an independent Agency so as to be much more capable, focused and empowered than current cybersecurity arrangements. In our view, the director general of the Agency should report directly to the President of the country and should have authority to express their view to the members of parliament to achieve the much needed legislation to build a cybersecurity resilient society.
    Talent acquisition and retaining
    We embrace the steps proposed in this Bill for strengthening cybersecurity skills, as education and awareness are key to building a cyber resilient society. There is a global cybersecurity skills shortfall and the workforce gap is widening, as there is a persistent lack of gender diversity. Many organisations globally have initiated programs to address gaps identified in the field of cybersecurity. In contributing, Meta Defence Labs initiated the SHe CISO Exec. program to attract more women and empower them with cybersecurity, leadership and emotional intelligence elements. The program was recently recognised at the (ISC)2 Awards in The Hague, Netherlands. We hope that the Agency will have a suitable strategy to identify and retain skilled talent in the field of cybersecurity.
    Institutional Framework to assist the Agency
    The Bill proposes that SL CERT assist the Agency in performing, exercising and discharging its powers. SL CERT is designated as the “national point of contact” for handling cybersecurity complaints, threats and responses, providing threat intelligence and conducting reactive and proactive measurements to mitigate cyberattacks.
    Additionally, there will be a National Cyber Security Operations Centre (NCSOC) designated by the minister to identify potential cybersecurity incidents, monitor designated government CIIs, gather cyber threat intelligence information and liaise with law enforcement authorities and CERT. NCSOC is expected to facilitate a coordinated response. However, it shows no links with the authority to convene companies and government agencies at all levels, though the minister who is responsible for the implementation of this Act will sit above all levels of hierarchy in allotting directions and making and changing regulations and rules as to the “exercise and performance of powers and functions” to ensure proper functioning of the government policy.

  19. Meta Defence Labs Decoding the National Cyber Security Act 2019 Cont..

    Funds of the Agency
    The agency will initially be funded by parliament out of the consolidated fund and grants, gifts or donation from any source. When in action, the Agency can accept money as may be received in the exercise, performance and discharge of its powers, duties and functions under this Act. It is our understanding that total global cybersecurity spending is estimated to be around 0.1% of GDP. It is difficult at this time to gain an understanding of the comprehensive picture of the investments required without reliable statistics and an understanding of which gaps to close. Overall this Bill does not provide a clear picture of what money goes where. We believe that the Agency will do a detailed study to determine actual financial needs in order to carry out their tasks effectively with adequate resources.

    Offences and penalties
    The bill calls for penalties for every CII owner who fails to fulfil the obligations imposed under this Act or fails to report cyber security incidents to the Agency & CERT, which will be identified as an offence committed. A conviction can draw fines up to Rs. 200,000 and/or imprisonment for a term not exceeding two years. An Information Security Officer (ISO) failing to perform cybersecurity duties and responsibilities, or a head of an institution failing to facilitate an ISO, will also commit an offence, and prosecution will be done by an officer authorised by the agency. In an event where the offences are committed by a corporate body or firm, every director and partner will be responsible. Further, it adds that no person will be considered guilty if it is proven that the offence was committed without their knowledge or that they exercised due diligence to prevent the commission of such offence.

    There is no clear definition in the act for the minimum level of cybersecurity and trust to be achieved or a desired level of resilience for the country. The Agency’s objectives aren’t broadly defined and do not extend to evaluating and monitoring cybersecurity and readiness. Therefore, we believe that a modification is needed towards a performance-based culture with embedded evaluation practices and standardised reporting before imposing penalties and imprisonment.

    Summary
    Global cyber analysts believe that the latest cyber weapons could be just as dangerous as nuclear bombs. A successful attack on our nation’s Critical Infrastructure systems such as power & water supply, transportation (ground, sea and air), healthcare, finance & banking, communication systems and the defence network could leave us in devastation and lead to cyber war. It could also cause the destruction of social order by tampering with election systems and spreading disinformation. Aiming to create a trusted and resilient cybersecurity ecosystem, in 2018 Sri Lanka introduced its first Information and Cybersecurity Strategy to be implemented over a period of five years from 2019 – 2023. We at Meta Defence Labs appreciate the opportunity given to comment on the publicly available Cybersecurity Bill. We feel that the Agency has such a vast portfolio of responsibilities that it can’t possibly give the attention and resources required to achieve cyber resilience. We hope that the Agency will act as an independent National Cybersecurity Agency to take the lead in protecting Critical Information Infrastructure while focusing on strengthening necessary legislation and policies, information sharing, developing a skilled talent pool and creating public awareness. We also believe that this Act will put more emphasis on the possible abuse of power by the Agency and related authorities and will not provide opportunities for any government to manipulate the cybersecurity strategy, the Agency and the related legislative process.

  20. The CERT and the other proposed organisations should report to the Parliament and 'NOT' the minister. It should report to a bi-partisan Parliamentary Committee on Cyber Security and 'NOT' the sitting minister.

    I do not trust the government or any government not to abuse the extraordinary powers that this bill grants to the minister.

  21. Hope this Cyber Security bill would be a good fit for Sri Lanka.