New committee plans broad strokes
The newly appointed National Cybersecurity Committee (NCSC) is expected to hold its first meeting this month to map out guidelines for the protection of the Critical Information Infrastructure (CII) in response to the Cybersecurity Act.
The act was published in the Royal Gazette in May last year. It will be fully enforced starting in May following a one-year grace period, Paiboon Amonpinyokeat, an NCSC member, told the Bangkok Post.
Mr Paiboon is among seven members appointed to the NCSC on Jan 3.
The other six are Col Mano Nuchkasem for ICT; Prinya Hom-anek for cybersecurity; Pol Col Yanapol Yungyuen for engineering; Bordin Sapsomboon for healthcare; Panitan Wattanayagorn for international relations; and Vichet Tantivanij for finance.
The NCSC is chaired by the prime minister. Its members also comprise the defence minister, digital economy and society minister, police chief, secretary-general of the National Security Council as well as permanent secretaries for justice and finance.
The legislation enables the prime minister to oversee and respond to cyber-attacks on critical infrastructure in the public and private sectors such as utilities and hospitals.
"I expect the first NCSC meeting will be held this month, chaired by the prime minister or his representative," said Mr Paiboon.
Three levels of cybersecurity threats are laid out under the act: non-severe, severe and critical. Only critical levels allow seizure of the computer system or assets without a court order.
The act also ushers in two sub- committees.
The first will be responsible for overseeing the national cybersecurity agency (CSA) and promoting national information technology, including proposing tax incentives for organisations to improve cybersecurity measures. Another panel will pivot towards actions to guard against cyberthreats.
"The NCSC will appoint members of these two subcommittees and expedite the roll-out of regulations required under the act," he said.
The CSA, which must be established under the act, will have employees transferred from the Thailand Computer Emergency Response Team.
Under the law, the NCSC needs to define the characteristics of organisations whose operations could be termed as CII.
They need to be associated with one of these segments: national security, banking and finance, public service, information technology and telecommunication, transport and logistics, energy and utilities, public health, or other segments defined by the NCSC.
These organisations have various obligations under the act.
Mr Paiboon said he was most concerned about the public health sector, particularly small and medium-sized health service units in provinces that may need assistance to comply with the law.
"The unprepared groups, especially small financial and public health service providers, may need a grace period of 1-2 years," he said.