The cybersecurity balancing act
A draft law is positioned to give the state unprecedented power over the digital arena
published : 22 Oct 2018 at 04:30
newspaper section: Business
The draft cybersecurity bill, which is yet to be completed, is being promoted as an attempt to expand Thailand's cybersecurity infrastructure, protect national security interests and crack down on cybercrime.
Growing public backlash against the bill is causing tremors both online and offline because of concerns over the abuse of power and data privacy breaches.
The bill has been condemned as too far-reaching, impossible to implement and potentially infringing on individual and juristic person rights.
Currently undergoing a public hearing process, the bill calls for the formation of a Cybersecurity Agency (CSA), which critics say will be granted too much power. The agency would be allowed to seize computer servers or other assets without a court order.
There are concerns that the scope of the cybersecurity law is too broad because it covers infrastructure, networks and information.
'JUST A DRAFT'
Cybersecurity threats in Thailand are intensifying, with the country's ranking dropping last year to 18th-worst from 25th in 2016, and cryptojacking in particular on the rise, according to information security firm Symantec.
- See also, Sanitsuda's comment: Help Big Brother to watch you
The findings have probably stoked fears among state officials. Prime Minister Prayut Chan-o-cha has said the law is needed to protect the public from cybersecurity threats.
On the other hand, some of the most strongly worded criticisms of the law reason that it will be used against the public by potentially hindering freedom of speech and expression on social media ahead of the long-awaited general election scheduled for February.
In response to the public outcry, Gen Prayut ordered a review of the bill this week.
The CSA would be formed under the cybersecurity bill, just as a data protection agency was formed under the Data Protection Act.
The law bestows far-reaching powers to the secretary of the CSA. The working panel established to revise the cybersecurity bill will begin its review today, with the goal of ensuring that the law is well-balanced, is clear of conflicts of interest and provides optimal benefits for the public.
"The working group will start by considering and discussing all related opinions to the draft bill, including comments and suggestions from several hearing forums held over a year through hearings, focus group discussions and online platforms," said Pichet Durongkaveroj, the digital economy and society minister. His ministry is ultimately in charge of reviewing the bill.
The panel will encompass three core parties: state agencies, the private sector and civil society. Civil society representatives may be academics and researchers from the Thailand Development Research Institute.
"The draft bill is just a draft," Mr Pichet said. "It needs to be approved by the cabinet before going to the NLA to be voted on."
He did not comment on whether the working panel will complete the review by the end of this year.
Mr Pichet said that if the working group suggests more hearings for the draft bill, the government will hold additional public hearings to ensure the best outcome of the law.
He insisted that the bill is not party to a political agenda and that the government is aware of growing public concerns.
But at the same time, criticisms may obfuscate the real benefits the draft bill provides for the public and businesses, the minister said.
Gen Bunjerd Tientongdee, a member of the National Cybersecurity Committee, an interim committee overseeing the Cybersecurity Act, said there are serious concerns about the version of the bill that is expected to be approved by the cabinet this month before proceeding to the NLA.
"We are worried, as the bill has serious flaws and we want to tell the prime minister and the NLA that it needs to be amended," Gen Bunjerd said.
While the law is important, it should cause the least harm possible to citizens if passed, he said.
Gen Bunjerd said the bill has three areas of concern. First, the potential overreach of the law that allows authorities the absolute right to search and seize businesses' computer systems without a warrant, creating apprehension regarding confidential trade secrets.
Second, the CSA has the right to form a joint venture and request financial loans for its operations, which results in the agency acting as both regulator and operator.
Third, there is no appeal process for defendants, and those who violate the law will be jailed for three years and fined 300,000 baht.
The bill states that civil courts will be involved only if the CSA holds seized computers or assets for over 30 days.
Paiboon Amonpinyokeat, another member of the National Cybersecurity Committee, said the cybersecurity bill has good intentions and is in line with Singapore's National Cybersecurity Act, but excessive authority of the CSA remains a cause for concern.
For instance, Section 58 of the bill allows the CSA to seize the computers of others who are deemed "reasonably suspicious" cybersecurity threats.
"How can we ensure what is reasonably suspicious?" Mr Paiboon asked.
"The bill is vague and too broad," he said, noting that it says any threat deemed to affect national security allows the CSA to ask state agencies and businesses to disclose information or content that might impact foreign business confidence.
"The law should clearly define critical information infrastructure for computers and systems," Mr Paiboon said. "Content should not be covered, as this might allow officers acting under this law to censor content if they decide to interpret an impact on national security."
The law has jurisdiction over everyone who uses mobile phones and computers, not just state and critical infrastructure. Any mobile phone or computer suspected to be a threat to national cybersecurity can be confiscated and accessed.
Morakot Thienmontree, president of the Thai Internet Service Provider Association, said the law lacks checks and balances. There are no repercussions if the secretary-general and authorised officers fail to properly protect data they acquire from businesses and state agencies.
The law does not set up an auditing organisation that would ensure that the CSA and its secretary-general exercise their power legitimately.
"Under the existing computer-related crime law, if an officer does not store data properly, he is found guilty of dereliction of duty," Mr Morakot said. "Under this [new cybersecurity] law, officers are allowed to request network topology or layouts. Why do we need to share such sensitive information or other internal data?"
The law also allows officers to access other critical information that could get businesses in trouble. Service providers need to protect customer data that may involve trade secrets, contain software programmes or protection against copyright law violations. Providers could face criminal suits and prison sentences if information is leaked.
Legislators are being urged to remove imposing a sentence on private firms that cannot comply with the law, as this would violate corporate sovereignty while doling out punishment in broad strokes.
Critics say prison sentences should be handed to those who threaten national cybersecurity in a manner that impacts people's lives and assets.
"This is an important law that is necessary, but has tectonic impacts to telecoms and internet service providers, who should be allowed a longer grace period after the law comes into effect," said Sutee Tuvirat, a committee member of the Thailand Information Security Association and member of Thai Medical Informatics Association.
"We still have many serious concerns about the bill," he said, "and we urge the NLA to delay implementation, given the lack of transparency and the near-omnipotency handed to the potential CSA."
In 2017, Thailand was 20th in global cybersecurity rankings, while Singapore landed the top spot with a near-perfect approach to cybersecurity.
The country was grouped in the "maturing" stage in the Global Security Index 2017 report by the UN International Telecommunication Union. The grouping covers 77 countries that have developed complex commitments and engage in cybersecurity programmes and initiatives.
According to Frost & Sullivan, IDC and Gartner, Thailand spent US$212 million (6.91 billion baht) on cybersecurity last year and is expected to spend $243 million this year.
Thailand's cybersecurity expenditure in 2025 is projected to be $511 million or 0.07% of GDP.
Dhiraphol Suwanprateep, partner for technology and intellectual property at Baker & McKenzie, said that under the new cybersecurity bill private entities may be subject to the supremacy of authorised officials in the event of a cyberthreat or potential cyberthreat.
For example, officials could issue a request for a person to provide relevant information, documents or copies of information and documents that are in the possession of others, for the purpose of gathering information, analysing the situation and assessing the effect of a cyberthreat.
Although there is a definition of cyberthreat in the draft bill, it is still broad and subject to various interpretations, which could be used or misused to trigger the broad authority of officials under the bill, Mr Dhiraphol said.
If rules and regulations are left wide open for subjective interpretation, private entities are left sceptical as to whether officials will always exercise their power in a straight-forward manner in all cases, he said.
Bob Fox, chairman of the digital economy and ICT group of the Joint Foreign Chambers of Commerce, said the draft law has good intentions but overreaches in several respects.
Criminal penalties should only apply in cases of demonstrated criminal intent, he said, and the law has sweeping consequences, concentrations of power and several terms that are not defined.
Somkid Jiranantarat, chairman of Kasikorn Business Technology Group, a tech subsidiary of Kasikornbank, said related technology laws should be drafted with a balance between legislative control and business opportunity, so that they work under a good understanding of technology.
For instance, the data privacy law could be a barrier to the adoption of artificial intelligence, which operates using customer data to respond to the actual needs of clients, Mr Somkid said.
Any mobile phone or computer suspected to be a threat to national cybersecurity can be confiscated and accessed, according to the draft law. PATTANAPONG HIRUNARD