This year, the world has been looking out for evolving and more sophisticated cyber attacks, such as ransomware in the cloud and the weaponisation of artificial intelligence.
Thailand's cybersecurity bill should have been designed as a tool to prevent and handle these and other imminent threats against computer networks, telecommunications systems and infrastructure.
But the bill in its current form extends the mission beyond that territory, covering information deemed a threat to security.
Worse still, it grants excessive power to state authorities, paving the way for abuse while compromising the confidentiality and privacy of individuals and businesses.
Proposed under the military regime since 2015, the bill has previously drawn much criticism. As a result, it has been revised and was proposed for public hearings early this year. But its content remains controversial.
First of all, its content is too vague and broad when it comes to defining cybersecurity. Under the bill, authorities would be allowed to use their own discretion to determine what can be considered cyber threats.
The bill defines cybersecurity as measures and actions implemented to prevent, handle and reduce risks of any cyber attack that affects national security, economic security, military security and domestic peace and order.
In addition, its definition of "cyber" covers computer networks, systems and information. This means content used and stored on computers and online would be subject to this bill if authorities consider it a "cyber threat".
This has prompted concern from netizens and activists who worry that the bill could be used as a tool by authorities to crack down on freedom of expression on the internet. In fact, the bill should not cover information and content which has already been covered by the data protection law. Without a revision to this provision, the bill will be misused in the same way as the Computer Crime Act, which has been wrongly used by security agencies to target political dissent, not computer crime.
This is worrying, especially given that the bill will establish a national cybersecurity committee, the majority of whose members hail from security agencies. Chaired by the prime minister, the committee includes the defence minister as first deputy chair and the minister of digital economy and society as second deputy chair. Other key members are the national police chief and the secretary-general of the National Security Council.
In addition to the committee, a cybersecurity agency will also be established with excessive authority. The agency can grant authorities the power to search, access and seize computer systems of individuals and companies without a court warrant. A civil court order will be needed only if the agency holds seized computers for more than 30 days.
Under such a provision, the bill risks compromising data confidentiality and privacy on the part of individuals and private organisations.
The devil is also in the details, or lack thereof.
The bill does not specify what level or type of cyber threats would command authorities to act. It only gives a broad definition that authorities can search, access and seize computer systems based on the "reasonable suspicion" that they constitute a cybersecurity threat.
This would allow state agencies to use their own discretion and interpretation of the law and creates too much room for abuse.
The bill needs a major overhaul and its revision must be transparent and open to the public.
Prime Minister Prayut Chan-o-cha and his cabinet must not submit the bill in its current form to the National Legislative Assembly, which is known for being a rubber stamp of the military regime, for further vetting and approval.
The country needs a cybersecurity law that can handle certain threats. But it does not need a law that paves the way for abuse and the disproportionate use of power by security agencies.