The second pillar of the strategy:
Thrust #2: Legislation, Policies, and Standards
The number of reported cybercrime incidents against individuals and organizations in Sri Lanka is increasing steadily. These include cybercrimes against individuals such as credit card fraud and revenge porn; crimes against property such as worm attacks, hacking, and intellectual property theft; and crimes against governmental and other organizations such as cyber terrorism, defacement or hacking of websites, unauthorized processing of information, and intrusions into sensitive financial data. To battle cybercrimes against individuals and organizations effectively, it is necessary to formulate and enact appropriate legislation, policies, and standards that protect sensitive data, digital transactions, electronic communications, privacy, and freedom of expression in cyberspace.
The government of Sri Lanka has taken a number of steps in this regard, such as the introduction of the government security policy (2009) based on the ISO 27000 series and a data sharing policy, and the enactment of relevant legislation such as the Electronic Transactions Act No. 19 of 2006, the Payment Devices Frauds Act No. 30 of 2006, the Intellectual Property Act, and the Computer Crimes Act No. 24 of 2007. Sri Lanka ratified the Budapest Convention on Cybercrime in 2015 and became the first country in South Asia to join this convention. Moreover, a Computer Crimes Division was established in the Criminal Investigation Department of the Sri Lanka Police following the enactment of the Computer Crimes Act.
To further strengthen our regulatory framework against emerging cybercrimes, gaps in the existing policies and laws will be identified, and new legislation, policies, and standards will be drafted and implemented to create a secure cyberspace for individuals and organizations.
2.1. Introduce a New Cyber Security Act
2.1.1. The government will introduce a new Cybersecurity Act to establish the NICSA and to equip the agency with the powers necessary to address increasingly sophisticated threats to the nation. The existing Computer Crimes Act No. 24 of 2007 is inadequate for addressing modern-day cybercrimes.
2.2. Data Protection and Privacy Laws, and Data Sharing Policy
2.2.1. The number of cases involving the theft of customer data is on the rise. However, Sri Lanka lacks appropriate laws to protect customer data. We will, therefore, introduce a data privacy and protection law governing the collection, use, and disclosure of citizens' personal data by government and private sector organizations.
2.2.2. Through this act, we will ensure that all government organizations and private sector firms that maintain citizens' data have adequate security controls in place, and we will make them liable for privacy violations.
2.2.3. We will also introduce a data sharing policy for government organizations.
2.3. Baseline Security Standards
We will facilitate the Sri Lanka Standards Institution to develop baseline information and cyber security standards for information systems, hardware, and software applications.
2.4. Critical Infrastructure Protection Policy
We will introduce a Critical Infrastructure Protection Policy which will identify and declare infrastructure as critical infrastructure and provide the measures necessary for protecting, safeguarding, and increasing the resilience of critical infrastructure.
2.5. Information Security Policy
We will facilitate organizations to develop security policies based on the maturity of their information systems. The information security policy of each organization shall be developed in alignment with international standards.
To be continued...
Dr. Kanishka Karunasena,
Research and Policy Development Specialist, Sri Lanka CERT