The Sri Lankan government has drafted a ‘Cyber Security Bill’ to protect vital information and essential services from cyber attacks, reports Daily News. The bill vests the government with powers to establish a ‘Cyber Security Agency’ and is meant to ‘empower’ the Sri Lanka Computer Emergency Readiness Team and National Cyber Security Operations Centre, which aim to protect “Critical Information Infrastructure”, necessary for the continuous delivery of essential services of the country. The draft bill awaits cabinet approval and will be presented thereafter to the Parliament, according to the non-cabinet minister of Digital Infrastructure and Information Technology Ajith P. Perera. PThe minister said that public consultation will be carried out foron the bill on June 6th. The minister also disclosed that the data protection bill is completed and will be legislated in parliament within the next three months.

Understanding Sri Lanka’s Cyber Security Bill

The objective of “Cyber Security Bill”

The Bill has been proposed to:

  1. ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka
  2. prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently
  3. establish the Cyber Security Agency to strengthen the institutional framework for cyber security and
  4. protect critical information infrastructure.

In November 2018, the Government of Sri Lanka introduced the country’s first Information and Cyber Security Strategy, to be implemented over a period of five years starting 2019.

What is ‘Critical Information Infrastructure’?

“Critical Information Infrastructure” (CII) includes all computers or computer systems located wholly or partly in Sri Lanka, those necessary for continuous delivery of essential services for public health and safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace. It also includes the computer system of which the disruption or destruction would have a serious impact on the functioning of the government.

Cyber Security Agency of Sri Lanka

  1. Establishing a new Cyber Security agency: The Bill proposes an agency which will be the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It will be responsible for the implementation of the National Cyber Security Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects”.
  2. Management and administration of the agency lies with a board of directors consisting of:
    • secretaries of ministries of defense and public administration,
    • a member nominated SL-CERT board,
    • secretary to the ministry responsible for implementation of the proposed act, and
    • three expert members appointed by the minister.
  3. Powers and functions: One of the agency’s main functions is to identify and recommend which computer or computer systems are CII. The agency will also develop strategies and plans for protection of CII; it wil be the central point of contact for all government institutions and other relevant sectors of the country with respect tocyber security measures. The Agency will ensure
    • Seek submission of compliance reports from designated CIIs and other government institutions; this will include cyber security assessment and steps taken to protect CIIs
    • The agency or any other authorized officer has “on reasonable grounds” the power to enter, inspect, and search the premises of CIIs.
  4. Information Security Officer (“ISO”): The Bill provides for appointment of an “Information Security Officer” at each public institution or department. Every ISO will ensure compliance as per prescribed standards on cyber security.

Institutional framework to assist the agency

Steps to empower CERT and cybersecurity operations center: The new Bill proposes empower both existing agencies so that the National Cyber Security Strategy of Sri Lanka (NCSOC) can be properly implemented.

  1. The CERT, it says, will be the “national point of contact” for handling cyber security incidents in the country and will assist the agency by providing intelligence on cyberthreats and conducting reactive cyber security services to prevent and mitigate the damages of cyber security incidents.
  2. The responsible minister (with concurrence of the Agency)will designate CERT or any institution as the new NCSOC.It will monitor the CIIs, identify potential cyber security incidents, gather cyber threat intelligence, and provide this information to law enforcement, CERT and to the Agency. It will also assist the Agency in coordinated response to prevent, detect, and investigate cyber security incidents.

The ‘owner’ of Critical Information Infrastructure

The head of the organization of the CII will be deemed as its “owner”; who will be responsible for taking steps to protect the CII. Such steps would include security assessments, implementation of the protection plan,and notifying the Agency and CERT of cyber security incident. If the CII is constituted by multiple organization or multiple sectors, all the heads of such organizations or sectors shall become jointly and severally responsible for the protection of the CII.

Offences and Penalties

For the CII owner: Every CII owner, who fails to fulfil obligations as prescribed under the proposed Act, without any reasonable cause, and fails to report cyber security incidents to the Agency and CERT, will commit an offence and shall on conviction may face a fine of upto Rs 200,000 or a jail term of upto 2 years, or both.

Information security officers: ISOs held guilty if they fail to perform their duties and responsibilities under the proposed Act. The bill also counts as an offence the failure of every head of institution’s failure to facilitate ISO’s functions. ISOs will not be held guilty if he/she did not have knowledge of the offence, or if he exercised all due diligence to prevent the commission of such offence.Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by the Agency.

Other powers of the Minister

“Minister”, as referred to in the proposed Act, means “the Minister assigned the subjects and functions relating to cyber security”. The Minister has the power to give general or special directions to the Agency to ensure effective compliance. He has the power to make regulations, with the concurrence of the Agency, in respect of the matters prescribed in the Act.

Edit: The post has been updated to reflect the correct author.