Political stalemate hits cybersecurity bill
Next government must carry out law
The new cybersecurity bill may be delayed because many of the important posts and committees critical to the law's effectiveness will have to be appointed by the new government, whose formation date is uncertain, says a legal expert.
"We expect the cybersecurity bill to receive royal endorsement and take immediate effect by this May," Paiboon Amonpinyokeat, who is on the interim cybersecurity preparedness committee, said at Thursday's seminar held by the Thailand Internet Service Provider Association (Tispa).
But the cybersecurity bill also requires the prime minister to appoint a National Cyber Security Committee (NCSC) to oversee policy and the master plan, as well as a chairman of the committee.
Moreover, the law assigns the new government and new digital economy and society (DE) minister to establish the Cyber Security Agency (CSA) to handle national cybersecurity incidents.
The Thailand Computer Emergency Response Team (ThaiCert), currently under the Electronic Transactions Development Agency, will have to transfer staff and budget to come under the CSA as well.
The bill mandates that within one year of enforcement, the DE Ministry must issue a draft of regulation details such as a set of minimum cybersecurity standards to enforce the bill more practically.
Mr Paiboon said the cabinet previously approved a budget of 350 million baht to establish the CSA and 150 million baht to train personnel in cybersecurity.
Under the bill, there are seven critical information infrastructures (CII): state security, critical government services, finance and banks, information technology and telecommunications, transport and logistics, energy and utilities, and healthcare.
Mr Paiboon said each vertical CII should prepare before the bill is fully enforced, as the process takes time and each CII needs to set up its own cybersecurity guidelines under different regulators. Telecoms, for instance, will work with the National Broadcasting and Telecommunications Commission.
Moreover, CII needs to have a Security Operations Centre (SOC) to prevent and deal with cyber incidents, as well as share information with others.
Prinya Hom-anake, a member of the special committee overseeing the Cybersecurity Act and a cybersecurity expert, said there are three levels of cybersecurity incidents covered under the bill: not severe, severe and critical.
Only critical cases do not require a court order to seize computer systems or assets.
Tispa president Morragot Kulatumyotin said the majority of the group's 20 members already have security standards of ISO/IEC 27001, but they need to brainstorm a "code of conduct" in order to self-regulate and assist members in complying with the new law.
Mrs Morragot said the bill will help raise awareness of cybersecurity among executives.