Thursday, June 13, 2024

Proposed Cyber Security Bill: Concerns over defence cyber security

The forthcoming Cyber Security Bill has stirred concerns among local IT experts due to the frequent reference to the Defence Cyber Command Act of 2023 throughout the document, the details of which remain undisclosed to the public.

Section 2(e) of the draft bill, which has yet to be officially gazetted, outlines one of the objectives as ensuring effective coordination and collaboration with the Defence Cyber Command of Sri Lanka, established under the Defence Cyber Command Act of 2023 to address cyber security matters pertaining to national security.

Additionally, in Section 4 concerning the powers, duties, and functions of the authority, section 4(b) stipulates that the authority may conduct security assessments for the national defence infrastructure as necessary, upon request by the Defence Cyber Command established under the Defence Cyber Command Act of 2023.

As reported by The Sunday Morning last week, the Ministry of Technology is finalising the National Cyber Security Bill, which is set to be submitted to the Cabinet by the end of the month.

As highlighted by State Minister of Technology Kanaka Herath, the importance of the new bill is its role in implementing regulations, policies, and enforcing laws in Sri Lanka’s digital landscape. According to the Minister, the bill aims to safeguard users given the country’s extensive social media presence and address cyber security in the context of Artificial Intelligence (AI).

IT expert concerns 

Nevertheless, IT experts have raised concerns about the lack of clear provisions outlining the accountability of the Cyber Security Regulatory Authority of Sri Lanka (CSRASL), which is to be established under the bill.

According to the assertions made by IT experts, it is imperative that explicit accountability mechanisms be outlined to ensure transparency and responsible governance. To remedy this concern, they propose the inclusion of specific clauses within the bill detailing the accountability framework for the board.

This framework should encompass provisions related to reporting mechanisms, transparency in decision-making processes, regular audits, and measures to address conflicts of interest. By clearly articulating the accountability structure, the bill can establish a robust foundation for the board’s responsible and effective functioning, thereby fostering trust among stakeholders and the public.

When contacted by The Sunday Morning, cyber security advisor Asela Waidyalankara said: “Most of us in the industry are yet to see a draft. We had a session in August, during which we worked on that particular draft and gave our suggestions and feedback. We hope the comments we made in August have been incorporated into the draft.

“In a Cabinet decision made in 2021, the decision was taken to break cyber security into two spheres – civilian and defence. It is understood that such a break is possible,” he added.

Provisions of the bill 

As outlined in Section 3(1)(a) and (b) of the draft bill, which has yet to be gazetted as reported by The Sunday Morning, there shall be established an authority known as the Cyber Security Regulatory Authority of Sri Lanka for the purposes of this act. The authority shall serve as the apex executive body responsible for overseeing all matters pertaining to civilian aspects of cyber security in Sri Lanka.

It will be tasked with implementing national information and cyber security strategies and policies, safeguarding critical national information infrastructure to counter cyber security threats facing Sri Lanka, and addressing related matters.

Additionally, as per section 3(2), the authority shall be constituted as a body corporate, possessing perpetual succession, a common seal, and the capacity to sue and be sued in its corporate name.

Section 6(1) of the draft bill outlines the composition of the authority’s Board of Directors, which includes the Director General of the Defence Cyber Command established under the Defence Cyber Command Act of 2023, along with other members.

These members comprise ex-officio officials such as the secretary to the ministry overseeing information and cyber security, or an appointed representative, the secretary to the Treasury, the director general of the Telecommunications Regulatory Commission under the Sri Lanka Telecommunications Act No.25 of 1991, and the chairperson of the Information and Communication Technology Agency (ICTA) registered under the Companies Act No.7 of 2007.

Additionally, the Board includes four appointed members nominated by the President, each possessing a minimum of 15 years of expertise and demonstrated excellence in fields such as cyber security, Information Technology, public or corporate administration, management, law, or finance.

Need to remain a civilian bill 

In such a backdrop, when contacted by The Sunday Morning, Information Systems Audit and Control Association (ISACA) – Sri Lanka Chapter President Lakmal Embuldeniya remarked on the draft bill being attached to the Defence Cyber Command Act, raising significant concerns.

“We have strictly noted that the bill has to be a civilian bill and it cannot and should not be attached with defence cyber security. For the first draft we have sent our recommendations and we saw another intermediary draft, but none of the recommendations we have made had been included in the bill,” he stressed.

“One of the main objectives of the Cyber Security Bill is to create an authority,” he said, emphasising their intention to establish an authority responsible for cyber security matters within Sri Lanka.

“Currently, we have the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), but it only has an emergency response component. However, through the Cyber Security Bill, they are planning to accredit vendors and suppliers in the market as a Sri Lankan authority,” he emphasised.

Winding-up of CERT

According to Section 18(1) of the draft Cyber Security Bill, the CERT, currently operating as a company under the Companies Act No.7 of 2007, will be dissolved upon the bill’s enactment into law.

Under the provisions outlined, upon dissolution, CERT will merge with the authority, primarily focusing on incident response, and will be rebranded as the Sri Lanka Computer Emergency Response Team. Additionally, all assets, liabilities, powers, and functions of CERT will be transferred to the authority, with winding-up procedures to be carried out in accordance with the Companies Act No.7 of 2007.

Critical National Information Infrastructure

Section 20 of the draft Cyber Security Bill delineates procedures for designating Critical National Information Infrastructure (CNII). The authority, in collaboration with pertinent authorities, will identify any computer, programme, system, or related device within Sri Lanka as CNII.

Subsequently, upon identification, the authority will inform both the owner of the CNII and the relevant regulatory authority. Additionally, the authority has the discretion to seek the owner’s input on the designation and may publish it in the gazette as necessary.

Furthermore, the ISACA – Sri Lanka Chapter, in its feedback on the draft bill, expressed concerns regarding the repeated reference to the Defence Cyber Command Act of 2023, without public access to its contents. It also flagged Clauses 18 and 19 of the National Digital Trust Authority Act, related to the winding up of CERT, as being redundant due to existing coverage in the Companies Act.

ISACA suggested removing these clauses to maintain the act’s impartiality and prevent potential conflicts. Additionally, it recommended revising the definition of Critical National Information Infrastructure to align with international standards, proposing the definition from NIST SP 800-53, which focuses on the critical systems and assets vital to national security, economic prosperity, public health, and safety.


No reference to Defence Cyber Command Act


When contacted by The Sunday Morning, State Minister of Technology Kanaka Herath said a new draft of the Cyber Security Bill would not contain any reference to the Defence Cyber Command Act, as it had been removed from the new draft which was to be submitted to the Cabinet by the end of this month.

“The new draft will not contain any citation referring to the Defence Cyber Command Act. We are not going to proceed with that; we are going to have a separate bill. This was drafted by us, then the Defence Ministry wanted to have it together. This won’t happen now. It is going to be separate,” the State Minister clarified.

Nevertheless, IT experts have claimed that the latest draft sent to them for their comments still contained references to the Defence Cyber Command Act and that there were no major changes in the latest amended version. They confirmed that they were yet to see any new amended versions of the Cyber Security Bill.

