Thursday, 29 January 2015

Thailand's Cybersecurity Bill - What's All the Fuss About?

In the past weeks, there have been many comments, complaints and fears about the draft of the National Cybersecurity Act, or Thailand's Cybersecurity Bill. The draft was approved by the cabinet on 6th January 2015. Since then the press and "experts" have been having a field day.

I, no expert by any means, have just had a chance to take a good look at the draft (28th January 2015). I think I do have some comments of my own.

The Bill consists of six chapters and forty-three sections. I will only discuss the sections that I think are interesting and may raise some eyebrows.

Personally, I think Section 5 in Chapter 1 sets the tone of the entire Bill, leading me to understand that this particular Bill is more concerned with national security than personal security. I think anyone who reads this draft must set their mindset in this direction before having negative thoughts on other sections of the Bill.

Section 6 in Chapter 2 states that a committee known as "The National Cybersecurity Committee" or "NCSC" shall be established. As a part of the committee, seven "qualified members" shall be appointed. It will be interesting to see who will be appointed and, especially, how they will be selected. I wonder what the criteria will be and how they will end up with seven members. Bear in mind that there are so many people who claim or are said to be "qualified" and "expert" in the field.

The duties and responsibilities of the NCSC are stated in Section 7. Things like making action plans, giving advice to relevant ministries and monitoring the execution of this Bill are all here. I don't think I have a problem with this.

The rest of Chapter 2 is quite boring. Let us go on to Chapter 3 - The Office of National Cybersecurity Committee. At first glimpse, I thanked them for finally seeing the importance of cybersecurity and knowing the necessity for having an office dedicated to cybersecurity. As a part of this Office, the "National Computer Emergency Response Team" or "National CERT" will also be established. Wow! I like it a lot. Other developed countries such as the USA, Canada and many in Europe have had their own national CERT for a long time now. Finally, it looks like we will have one.

One of the duties of the Office of National Cybersecurity Committee that caught my eye is the one stated in Section 17 (8). They will have to "conduct studies and research on the information necessary for the maintenance of cybersecurity for the purpose of making recommendations on measures on cybersecurity." This is something I totally agree with. Nothing will come good without research. I just hope that the government will provide sufficient funding and, of course, research funds should be available to other sectors, too. I am looking forward to having some research grants in the future. haha!

There is one concern here in this Chapter 3. Section 21 states that "there shall be a secretary who is directly accountable to the chairperson of the NCSC as regards the operation of the Office and supervises the officials and employees of the Office." Why am I concerned? Well, from what I have seen in the draft, it looks like the secretary would have a lot of power even though the actions and performance would be judged by the Committee. At this moment, it sounds OK because we are being governed mainly by the military. However, in the future, the people in power will be politicians. Will they pick their own people? Will the chosen secretary do things to serve the politicians? I will just leave this to your imagination, knowing what Thai politicians are like. haha! (At least it is good to see that no politicians will be allowed to take this position - see Section 23.)

Chapter 4 - Operation and Tackling of Cyber Threats - does not really leave me anything to comment on, unless you are the sort of person who really thinks too much. Why do I say this? Take a look at Sections 33 and 34, which give the power to the Office of NCSC to order any agencies to perform any required actions if the Office sees that a cyber threat affecting national security is occurring. In the draft, where everything is still vaguely defined, these two sections appear to have no boundary or threshold for when the Office is allowed to use its power under Sections 33 and 34. I think this is something that needs to be clarified.

We now go to Chapter 5 - Officials. I think this is the chapter that has caused a lot of concerns and critiques. Section 35 is the main reason, especially (3) which states that the officials are allowed to gain access to information that is communicated via mail, telegram (which is now obsolete in Thailand), fax, phone, computing and other electronic devices for the benefit of national security.

What does it mean? Does it mean that any officials have the right to access all information that belongs to other people without even asking for permission? Reading it word for word, I think that it does. A lot of other people seem to think so, too. People have been saying that this section would violate human rights and personal privacy. I have to say that they are right in saying this.

Do I care? Section 36 states that "officials are prohibited from disclosing or passing on the information obtained under Section 35 to any person." This actually makes Section 35 sound a little better. However, this does not really stop anyone from violating Section 36, knowing what Thai laws and law keepers are like.

Having said that, do not forget what the main objective of this Cybersecurity Bill is. Yes ... it is written for the purpose of national security. Without having access to information, how do you expect anyone to keep the nation secure?

The main problem with this section is, I think, when politicians come into power again. I have to go back to my earlier comment on our current military government. At the moment, I think I can trust them. However, when the power goes back to politicians, this is where the "fun" begins.

I am sure that they will definitely abuse their power. They will definitely try to access everyone's information. They will definitely try to gain access to anything that they are not really supposed to. All they have to do is just say that it is allowed by this Act.

This does not sound good, does it?

From this, I don't think the Bill is the problem. The problem is the people/politicians (who will be) in power (after this government) are not trustworthy.

Maybe, we can stop thinking about changing the Bill for the sake of the nation's security, but start thinking about choosing the right people to come into power instead.

The rest of the Bill is just some formality, which is not worth commenting really.

On the whole, the draft Cybersecurity Bill has good intentions in ensuring national security. With several changes, it would be even better. However, there must be a way of making sure that suitable and appropriate people are appointed to make this work. (Knowing Thai politicians, this will never happen. This is why people have expressed their concern about this Bill, especially Section 35.)