As I mentioned in my previous article, the Thai government is currently scrutinizing and reviewing the so called “Thailand Digital Economy Policy” under which 8 bills are being drafted to support the implementation of the policy. Those 8 bills are currently being reviewed and considered by the Council of State before submitting for approval from the National Legislative Assembly.
In this article, let us put our focus on one of the bills called “the Cybersecurity Bill”. This bill has been under public spotlight where it has been heavily criticized by Medias and public entities on the excessive use of governmental power to access to private information.
Conceptually, the bill was drafted with an intension to issue relevant measures to prevent or deal with cyber-attacks and crimes that may affect or pose risk to services or the application of computer networks, Internet, telecommunication networks, or normal services of satellites, compromising national security in various ways, including military security, national order, and economic stability, through prompt and unified action. By recognizing that, the government is aiming to establish a committee to determine efficient and effective cybersecurity measures.
There are highlights that can be summarized as follow:
1. Definition: “Cybersecurity” means measures and actions that are specified for the purpose of national cybersecurity, in order to protect, prevent and deal with cyber-attacks that affect, or may pose risks, to services or the application of computer networks, Internet, telecommunications networks, or normal services of satellites, compromising national security in various ways, including military security, national order, and economic stability
2. Establishment of “National Cybersecurity Committee” (NCSC): The committee will be chaired by the Minister of the Ministry of Digital Economy and Society with four members by position and seven members by appointment of Cabinet. The four members by position will consists of the secretary-general of the National Security Council, permanent-secretary of the Ministry for Digital Economy and Society, permanent-secretary of the Ministry of Defense, and the commander of the Technology Crime Suppression Division, the Royal Thai Police;
3. Actions and Responses to Cyber-Attacks: In the case of emergency and need of urgent action, NCSC will have an authority to order any of government and/or private entity to take any necessary and appropriate action to prevent and solve cyber-attacks.
4. Authority of designated officials: To ensure compliance with this Act, the officials assigned in writing by the secretary-general shall have the following authority:
a. to send a letter to demand clarification, or call in any government agency or person to give a statement, send a written explanation, or send any account, document, or evidence, for inspection or as information, in order to comply with this Act;
b. to send a letter requesting that a government agency or private agency take any action necessary to facilitate the actions of the NCSC; and
c. to access communication information communicated by post, telegraph, telephone, facsimile, computer, or electronic tool or equipment, or any information technology media, for the benefit of operations to secure cybersecurity.
Points of Observation
Industry has been working together to ensure the draft is in compliance with international standards and best practices. There are some points of observation to this bill as follow:
1. The members of NCSC are primarily consist of representative from national security and defense. To balance out the perspectives of the NCSC and ensure that concerns regarding personal privacy and civil liberties are considered, the NCSC should also include members from the National Human Rights Commission and the Office of the Ombudsman. Having members with various backgrounds will ensure that the rights of individuals are not be inappropriately impacted.
2. Under the authority of designated officials, it is deemed appropriate to ensure that these broad powers are not potentially abused, it is essential for the Thai government to set out a framework that specifically defines the type and scope of information the officials can request, and the circumstances under which the Office of the NCSC can compel a private sector actor to perform a specific action. Moreover, exercise of these broad authorities should be strictly limited to circumstances where there is a specific and credible cybersecurity risk.
3. The most criticized section under this bill is on section 35 (3) where designated officials are empowered to gain access to any private owed or government owed data without having any kind of legal approval. This has created significant concerns on the privacy issue. It is recommended to the council of state that any authorized official “must” have legal approved document, for instance, court warrant, to gain access to any private or personal information.
Latest update from the government is that the draft is being reviewed by the council of state before submitting it to the National Legislative Assembly. It is expected to be enacted by Q3 of this year.