Outcry over draft Cybersecurity Bill
Cybersecurity experts, lawyers and mobile operators are slamming the forthcoming Cybersecurity Bill as an abuse of power by the Cybesecurity Agency that violates citizens' rights.
The Thailand Information Security Association (TISA) and the Telecommunications Associations of Thailand will voice their concerns about the Bill, which is expected to go into effect in the near future, to the National Legislative Assembly (NLA).
The bill was passed by the Council of State and is being vetted by the cabinet before it is submitted to the NLA for consideration.
"We still have many serious concerns about the Bill, and we urge the NLA to delay its implementation as it is not transparent and the Cybersecurity Agency that will be formed has been given too much power," said Sutee Tuvirat, a committee member of TISA.
Montri Stapornkul, data protection officer at Total Access Communication Plc, is concerned the definition of the cybersecurity law is too broad as it covers infrastructure, network and information.
The law should not include "information or content" as cybersecurity can overlap with personal data, which already falls under the scope of an existing data protection law, he said.
Moreover, the procedure is impractical for dealing with international practices as it allows for the seizure of computer servers or other assets without a court order, said Mr Montri.
TISA is concerned with good governance, transparency and efficiency, as separate agencies should take care of policy, enforcement and regulation, instead of letting the Electronic Transactions Development Agency (ETDA) oversee all critical functions.
A Cybersecurity Agency would be formed under the Cybersecurity Bill, just as a Data Protection Agency was formed under the Data Protection Act.
The Bill bestows superpowers to the secretary of the Cybersecurity Agency. For example, Section 58 allows the agency to seize the computers of others that are privy to reasonably suspicious cybersecurity threats, said TISA.
Wira Ratanasangsathien, chairman of cybersecurity for the Telecommunication Association of Thailand, said the definition under this law should not cover "information assets" as cybersecurity should not be involved with content.
If the law allows officers to access or seize equipment for a critical incident, a court order should be required, he said.
"The law also mandates organisations must report any incidents. Normally telecom or network providers experience 10,000-100,000 cyber-attack attempts per day. Having to report all of these to the Cybersecurity Agency will create a big burden," said Mr Wira.
Keepers of critical information infrastructure such as system administrators and board members face jail sentences if any breaches occur or they cannot prevent cybersecurity threats, he said.
"If the law is passed without a grace period by early 2019, operators will be hard-pressed to comply," said Mr Wira.