What you need to know about the cybersecurity bill

Neville Lahiru
5 Min Read

The Cabinet of Ministers has approved a proposal on the formation of cybersecurity-specific legislature. Thereby, a cybersecurity bill is to be drafted as the “Defense Cyber Commands Act”. According to the Department of Government Information, the emphasis for the Defense Cyber Commands Act is on formulating new laws that covers “all sectors for ensuring national security including the required provisions so that the operations performed by cyber protection units are established at the institutional level at present by the three – armed forces, Police, and other agencies.”

The cabinet also announced the formulation of a draft bill on protecting cyber laws that includes,

  • Formulation of new laws with the aim of creating a regulatory framework for implementing national information
  • To establish a Sri Lanka Cyber Protection Agency to act with other cooperating agencies for the fulfillment of the purpose
  • Introduction of legal provisions required for protecting infrastructure facilities related to decisive and essential information within the country
  • Prevention of risk activities that affect the cyber security as well as creating a formal cyber protected environment within the country

You can find the full announcement here.

Here’s what that means

Despite the somewhat vague wording, there are two components to this announcement. The first is the military-led component which is the Defense Cyber Commands Act. The other, is the civilian-led component which comprises of the Cyber Protection Agency and the overall regulatory framework around cybersecurity.

One major area of focus with the cybersecurity legislature is the minimization of cybercrimes. As the Ministry of Defense puts it, this includes “credit card fraud, revenge pornography, crimes against property, crimes against hacking and intellectual property theft,” as well as “crimes against the government and other organisations such as cyber-terrorism, hacking of websites, processing of unauthorised information, and hacking into sensitive financial data.”

Cybersecurity has seldom been Sri Lanka’s forte

The other highlight would be the establishment of the cybersecurity agency, or rather the Sri Lanka Cyber Protection Agency*. This agency would ideally comprise of a team of experts who will oversee all matters regarding cyber-security threats as well as develop standards and offer policy support.

This cybersecurity bill has been in the works for several years with the aim of introducing it as part of the “National Cyber Security Strategy of Sri Lanka”. Its first draft was released back in December 2019 and it’s being helmed by the ICTA, together with SLCERT and the Ministry of Defense.

You can find the latest draft of the cybersecurity bill here.

A long time coming

Cybersecurity protection mechanisms have been lacking in Sri Lanka for the past few years, both in terms of legislature as well as active protection strategies. We’ve already seen the extent to which cybersecurity threats can go in Sri Lanka, ranging from massive-scale YouTube channels getting hacked to country-level domains getting compromised. Proper cybersecurity protection has become even more pertinent in a situation where the country is increasingly pushing more digital projects at a national level.

lk domain registry hack
A glimpse of the LK Domain Registry hack in February 2021

Back in September, ICTA Chairman Oshada Senanayake indicated that the cybersecurity bill will come in parallel with the Defense Cyber Commands Act. Commenting on the current landscape he stated that “We are at a very, very bad situation in terms of our cybersecurity readiness. We only have a Computer Emergency Readiness Team – SLCERT. That’s typically the first step a country would take on cybersecurity readiness.”

On a positive note, the announcement comes in the midst of the much-anticipiated data protection bill. This was recently given Cabinet approval and is now looking to be passed as law.

It’s a glimpse of an indication that cybersecurity might finally be taking the spotlight at a national level. Though it remains to be seen what the actual implications of the cybersecurity bill will be.

*The actual name varies depending on where you read it from. The cabinet announcement calls it the Sri Lanka Cyber Protection Agency, while the draft bill refers to it as the Digital Infrastructure Protection Agency. Both refer to the same idea as far as we know.

TAGGED:
Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings