To protect vital information and essential services from cyber attacks, the Government is to introduce a new ‘Cyber Security Bill’. According to the draft Bill, a new ‘Cyber Security Agency’ will be established to identify and designate computers or computer systems which are necessary for the continuous delivery of the country's essential services as “Critical Information Infrastructure” (CII).
The CII will include all computers or computer systems necessary for the continuous delivery of essential services for public health, public safety, privacy, economic stability, national security, international stability, and for the sustainability and restoration of critical cyberspace. Any other computer system whose disruption or destruction would be likely to have a serious impact on the effective functioning of the government could be added to the list of CII.
The designated CIIs owned by the government and other sectors would be monitored by a ‘National Cyber Security Operations Centre’ in order to detect, investigate, and respond to potential cyber threats. Digital Infrastructure and Information Technology Non-Cabinet Minister Ajith P. Perera said the draft Bill will be presented for Cabinet approval and thereafter to Parliament. Addressing a press conference at his Ministry Auditorium yesterday, he said a public consultation forum on the proposed Cyber Security Bill would be held on June 6. He said comments from all interested parties on the proposed law are welcome, adding that the draft Bill could be downloaded either from the Ministry's official website (www.mdiit.gov.lk) or the Sri Lanka CERT website (www.cert.gov.lk). The new Bill also provides for the implementation of the National Cyber Security Strategy of Sri Lanka and the empowerment of the Sri Lanka Computer Emergency Readiness Team (SLCERT).
According to the Bill, an ‘Information Security Officer’ will be appointed to each public institution to ensure compliance with prescribed standards relating to cyber security.
Upon the designation of a computer or computer system as CII, the owner of the CII shall be responsible for its protection. If the CII spreads across multiple organizations or multiple sectors, all the Heads of such organizations or sectors shall become jointly and severally responsible for protection of the CII.
Any CII owner who fails to report cyber security incidents to the Agency and CERT commits an offence and shall, on conviction, be liable to a fine not exceeding Rs 200,000 or to imprisonment for a term not exceeding two years, or to both such fine and imprisonment.
The Minister said the draft of another new Bill titled ‘Data Protection Bill’ has also been completed and that it would be presented to Parliament towards the end of June.