Long overdue, or a step too far?
The Cybersecurity Act aims to tackle a growing menace, but experts say it lacks oversight.
Thailand faces unique threats from cyber-attacks that will only increase as the economy becomes more digitised. With the passage of the Cybersecurity Act, the government seeks to aggressively confront the problem with enforcement power, but some experts fear that such power could be abused and lacks proper oversight.
Thailand ranks 34th out of 60 countries (ranked from the worst to best) in preparedness for cybersecurity threats, according to a study by Comparitech.
The country is also the fourth-largest source of DDoS attacks, a common cybersecurity threat in Asia-Pacific, with 3.63% of DDoS attacks originating here in the last quarter of 2018, according to Nexusguard.
While the recently passed act seeks to address Thailand's digital vulnerabilities, the new law could be a step too far.
Prinya Hom-anek, head of the special committee overseeing the Cybersecurity Act, said the law will come into immediate effect after publication in the Royal Gazette.
The act will allow the prime minister, who chairs the National Cybersecurity Committee (NCSC), to oversee and respond to cyber-attacks on critical infrastructure in the public and private sectors like utilities and hospitals.
The law allows authorities to access computer systems without a court order, leading some to criticise the law as an overstep of power. There are three levels of incidents under the law: the first level is not severe, the second is severe and the third is a critical cyber incident. Only in cases of a critical cyber incident is a court order not required to seize a computer system or assets.
Paiboon Amonpinyokeat, interim head of the Cybersecurity Committee, said the latest version of the law requires a cyber-attack to be on a "critical" target and considered an "emergency" in order to minimise abuse of power by the authorities and avoid violating citizens' rights.
The law defines a critical cyber-attack as one that could cost lives or disrupt important public or private computer networks. The courts can audit the process later to see if the right approach was taken in executing the authority.
Dhiraphol Suwanprateep, partner for technology and intellectual property at Baker McKenzie, said the most contentious part of the law is Section 67, which gives authority to the secretary of the NCSC to carry out any "necessary action" to deal with critical cyberthreats.
While the Cybersecurity Act does not specify the scope and details, the term "necessary action" could be interpreted very broadly and include the secretary's order to gain access to computer data or a computer system or seize a computer from individuals or private companies.
In this case, the secretary can proceed without any judicial oversight or court order and is required only to notify a competent court of the details of the actions taken after the fact.
The main concern, of course, is the adequacy of the checks and balances from the court.
Mr Dhiraphol said that under the Cybersecurity Act there is no section allowing the court to check the legality of the proposed action to be taken by the secretary in case of a critical cyberthreat. Therefore, the mere post-notification to the court by the secretary in the event of critical cyberthreats does not provide a sufficient level of judicial oversight.
Another area of concern is the likelihood of abuse. Although Section 69 criminalises the "disclosure" by the official of data acquired in accordance with the Cybersecurity Act, it does not extend to cover an action that is itself not "disclosure" but may cause damage to another person -- such as the misuse of commercially sensitive data or trade secrets acquired in the course of official duties to the official's own advantage, without disclosure.
In addition, Section 69 does not specifically include the secretary, who is practically allowed to take any necessary action in the event of a critical cyberthreat.
As such, in the event of any action falling outside the scope of Section 69, one may have to rely on Section 157 of the Criminal Code for wrongful acts of officials, which would be hard to prove and take many years before a final judgement is rendered.
By that time, the affected party (the person whose sensitive data/trade secret was abused by the secretary) may suffer a severe impact, such as financial loss or even going out of business.
"If we are lucky and have a good and trustworthy government, this Cybersecurity Act will not pose as many problems as we fear," Mr Dhiraphol said. "Governments come and go, but the law will still be there."
For example, since there is no prohibition under the law for a person who owns a business to be appointed secretary, what if the secretary who secretly owns or is connected to a business exercises his/her authority to intrusively gain access to commercially sensitive information or trade secrets of a business competitor by making a false claim of a critical cyberthreat? It would hypothetically be an easy way to get rid of the competitor.
In 2018 there were 2,520 cyberthreat incidents reported, according to the Thailand Computer Emergency Response Team. All it takes is for one cyberthreat to be exploited by those in power to their own personal advantage.
The Software Alliance (BSA), a Microsoft-backed advocacy group, proposed in its recommendations for Thailand's Cybersecurity Act that any court order should be served on critical infrastructure agencies, which can then instruct third-party vendors to take necessary action or provide access to information as requested by the NCSC.
Moreover, any exception to obtaining a court order should be precisely worded. The BSA recommends that the "urgency" exception for incidents with a "critical level of impact" (Section 59, Paragraph 3) should be clearly limited to situations where there is a probable cause of harm to national security.
In this regard, where the urgency exception applies, the legal system should provide a corresponding document such as a warrant or a "temporary emergency document" that would define the requirements of the provision or seizure of information.
The BSA also suggested that the right to appeal an authoritative instruction should be extended to all cyber-attacks, regardless of level of impact. All compelled actions and information provisions (including seizures) should be obtained under an instrument of the law to ensure that there is a record of the event and an explanation of its scope, purpose, context and timescale.
A corresponding right to appeal should be provided in all cases. In this regard, any exceptions, including the urgency exception, should be well-defined and narrow.
Providing the right to appeal only for cyber-attacks with a "general level of impact" (Section 60) is disproportionate and does not provide sufficient levels of due process safeguards.
Without adequate due process safeguards and avenues for appeals, requests for information can amount to an invasion of privacy that would undermine consumer trust, as businesses cannot guarantee that personal data or confidential information will be protected from unauthorised access.
Likewise, other compelled actions, such as requiring the monitoring of computer systems or deactivating functioning computers, could be overly prescriptive and onerous for businesses or technically infeasible. Providing an avenue for appeal in such situations is thus essential.
Furthermore, imposition of such requirements without due process would result in a conflict of laws with other countries' regulatory regimes and create significant compliance challenges for international companies.
An independent body should have oversight over the NCSC's powers, the BSA says. The group reiterated that an independent body be given the authority to monitor the NCSC's exercise of its powers to access private agency information, in order to ensure that privacy interests are adequately balanced with the need for surveillance.
Thailand should align any practices and standards it issues with industry-backed approaches to risk management, such as the ISO/IEC 27000 family of information security management system standards or the National Institute of Standards and Technology framework for improving critical infrastructure cybersecurity.
Allowing operators to combat evolving cyberthreats with evolving best practices and standards permits a more flexible, current and risk-based approach to cybersecurity. This will also help realise economies of scale and promote readiness.
Nakrob Niamgamtham, founder of nForce Secure Co, a cybersecurity distributor, said the act will stimulate demand to train a cybersecurity workforce in mission-critical events, which will benefit a country currently suffering from a shortage of cybersecurity experts.
"We might have the money to procure the latest advanced technologies for protection, but we cannot optimise the technology without good experts," he said. "It's like buying a supercar without a good driver."
Mr Nakrob said an uptick in security spending might spur double-digit growth, and the trend will shift to security provisioning to all fragmented IT systems to enable organisations to manage and control security policy from end-users' computers through to data centres and cloud providers.