With cyber-attacks becoming more frequent, sophisticated and severe globally, foreign investors now more than ever are seeking countries with strong cybersecurity frameworks to ensure the safety of their investments.
It will thus be crucial for the new Thai government to recognise the significance of cybersecurity and implement effective strategies for cyber resilience to prevent potential threats that can harm the country's economic progress.
Failure to prioritise strong cybersecurity policies and frameworks can result in severe consequences, from compromising personal data to crippling entire cities with power grid failures. And this will not just affect investments, but also public safety, economic stability and national security.
Thailand has always been attractive to foreign direct investment (FDI). However, despite efforts by some sectors, like banking and finance, with frameworks to assess cybersecurity and related initiatives, there is still a pressing need from these investors for stronger actions and more efficient measures on the part of the government in particular.
The priority is to strengthen the country's cyber resilience, promote cybersecurity awareness and cyber capability among the public and boost collaboration across related sectors to create a secure and resilient cybersecurity environment and protect the country's digital infrastructure.
In this case, critical information infrastructure (CII) systems play a vital role in the country's growth prospects and investment appeal. To successfully execute the Thailand 4.0 development strategy, it is essential that the government and CII agencies, as well as relevant stakeholders, comprehensively implement and adopt the Cybersecurity Regulating Committee's Code of Practice and Minimum Standards. Incorporating a multi-layered approach that encompasses technology, personnel and organisational culture will be necessary to ensure a progressive and effective cyber-resilience strategy.
POLICY PRIORITIES
An effective and risk-based policy that aligns with international standards can boost security and increase confidence among international partners, investors and tourists. However, the existing policies and regulatory frameworks in Thailand may need adjustments and should provide clarity to enable IT providers to provide cutting-edge cybersecurity solutions.
While the government has enacted the Cybersecurity Act, Computer-related Crimes Act and Personal Data Protection Act (PDPA), there are concerns about the implementation of these laws, leading to a need for greater clarity and certainty in enforcement.
Additionally, there is a need to carefully design laws that incentivise cybersecurity while ensuring a strong and independent system of checks and balances to prevent any potential abuse of authority.
This is why the new government should prioritise addressing regulatory gaps in open data policy, industry data sharing and cross-border data transfer under the PDPA to ensure the protection of personal data.
Necessary cybersecurity measures outlined in the Code of Practice and Minimum Standards must also be effectively implemented with appropriate policies and approaches such as the "monitoring, evaluating and auditing" approach.
It is necessary to provide clear guidelines to improve consistency in law enforcement for IT service providers. The regulatory environment should also be able to develop, and related legislation should be continually assessed and evaluated.
TOOLS AND FRAMEWORKS
To improve their cybersecurity posture, Thai authorities can benefit from incorporating international best practices. This can help avoid past mistakes, enhance the effectiveness of frameworks, establish a global standard and facilitate collaboration with other nations.
A framework such as the NIST Cybersecurity Framework (CSF), developed by the US National Institute of Standards and Technology, exemplifies effective tools and approaches. It is flexible and allows organisations to select the most helpful and impactful requirements for their unique risks and apply them in different contexts.
Aligning the framework with cyber-related requirements or standards, such as the European Union's General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive, can provide a consistent way for Thai public authorities to evaluate their cyber resilience and identify problematic issues.
The framework should also address a strategy to combat foreign cyber influence operations, such as the Detect-Defend-Disrupt-Deter strategy, and deploy the power of cloud infrastructure to detect such operations. The framework should also include self-assessment tools to support the public sector in implementing it.
It is also important that reliable technology providers who can enhance government security and protect critical infrastructure are available to meet market demand.
The government should consult with market players to determine suitable rules and actions to defend against future cyber-attacks, including dispersing digital infrastructure, improving threat intelligence and endpoint protection.
Effective coordination among different government entities and ministries is essential to ensure consistent rules across sectors and jurisdictions. International cooperation is also necessary, as IT providers often operate cross-border, and threats are not limited by geographical boundaries. Collaboration among like-minded countries and organisations is crucial to mitigating cyberthreats.
CYBER LITERACY ESSENTIAL
Thailand has tremendous potential in the field of cybersecurity, and a key factor in achieving success is the development of digital skills and cyber literacy among its workforce.
With a well-designed and efficient cybersecurity skilling programme, policymakers can address the shortage of skilled personnel in the field and attract more investments. Encouraging more women to enter computer science studies and providing mid-career transition opportunities can also increase the size of the workforce.
To attain these goals, enhancing the IT workforce's maturity across all government and CII agencies through training and development, as well as collaborating with third-party service providers, should be prioritised. Moreover, sharing knowledge and expertise among relevant agencies is crucial to fostering digital skills and improving cyber literacy.
To effectively achieve the desired cybersecurity objectives, the government may need to allocate funding to key tasks, such as expanding the cybersecurity workforce, enhancing data science and intelligence capabilities within the public sector, and establishing a dedicated organisation or defence body to combat cyber-attacks.
Prioritising investments in cybersecurity measures is critical. To ensure effectiveness, the government may also need to review its public procurement policy and provide authorities with greater flexibility to pursue development programmes, while also providing clear guidelines to improve consistency in law enforcement for IT service providers.
Pawee Jenweeranon is a lecturer in law at the Faculty of Law of Thammasat University and is a research affiliate at Cambridge Centre for Alternative Finance, Judge Business School, University of Cambridge. He is also a regulatory specialist for the digital economy (Thailand) at the World Bank Group.