Proposed cybersecurity law to designate 25 state-owned CIIS
The government plans to designate 25 state-owned critical information infrastructures (CIIS) initially with a view to strengthening the country’s cybersecurity ecosystem, under the provisions of the proposed Cybersecurity Act.
The Federation of Information Technology Sri Lanka last week organised a public consultation to seek industry and stakeholder observations to enhance the draft bill, which is awaiting Cabinet approval.
Elaborating on a crucial objective of the draft bill, Sri Lanka Computer Emergency Readiness Team (SLCERT) Director Operations Rohana Palliyaguru said that the proposed Sri Lanka Cyber Security Agency, under the draft bill, plans to designate 25 state-owned CIIS in the initial stages, which would be monitored by the proposed National Cyber Security Operations Centre (NCSOC).
“Initially, we plan to connect six Critical Information Infrastructure providers to the National Cyber Security Operations Centre for continuous monitoring of their information systems and to proactively identify any cybersecurity threats.
Depending on the capacity and expansion that we have planned for the NCSOC, we plan to connect 25 already identified CII providers,” he said.
According to him, the information systems of the Immigration and Emigration Department, Airport & Aviation Services (Sri Lanka) Limited, Sri Lanka Customs, Motor Traffic Department, Central Bank, Colombo Stock Exchange (CSE) and several other state-owned information systems are to be designated as CIIS.
Palliyaguru noted that SL CERT is in the process of conducting a survey to identify the security level or the information security readiness of the existing CIIS in both state and private sectors, which will later be utilised to designate more CIIS from both state and private sectors.
“Once the survey is completed, we will be able to identify security issues in CIIS and based on the outcome of the survey, we will develop criteria to identify CIIS among CII providers,” he said.
SL CERT plans to complete the survey within four months.
According to the Cybersecurity draft bill, following the designation of a computer or computer system as a CII, the owner of the CII would be responsible for the protection of the CII and required to take all necessary steps to protect it.
Further, the draft bill also proposed offences and penalties for owners of these designated CIIS in the event of failing to employ the required measures to protect the CIIS.
The proposed NCSOC, along with SL CERT, is to provide the necessary institutional framework to assist the Sri Lanka Cyber Security Agency to exercise its powers and discharge its functions under the proposed act.
However, IT industry stakeholders raised concerns over some provisions, which contained vague and broad definitions. They pointed out some of these provisions could lead to political appointments and increase bureaucracy.
Some stakeholders in particular were concerned about the wide scope of the bill, which could potentially be abused.
However, Palliyaguru said that SL CERT would make the necessary amendments to the draft bill based on public comments.
He stressed that the proposed act would only address the issues related to cybersecurity and wouldn’t address any content-related matter, such as social media.
The public will also have another opportunity to submit their comments once the draft version of the bill is gazetted for tabling in Parliament.
Digital Infrastructure and Information Technology Non-cabinet Minister Ajith Perera earlier said that the draft bill would be legislated within six weeks.