State agencies broadcast cyberbill concerns to PM
The National Cybersecurity Committee and Thailand Information Security Association (TISA) plan to announce their concerns about the Cybersecurity Act and urge the prime minister and National Legislative Assembly (NLA) to amend the controversial bill that has already been passed by the Council of State and is heading to the NLA.
The bill, which would set up the Cyber Security Agency (CSA), grants the state the power to search, penetrate, and seize computer systems without a court warrant.
Gen Bunjerd Tientongdee, a member of the National Cybersecurity Committee (a temporary committee before the Cybersecurity Act goes into effect), said there are serious concerns about the bill, which is expected to be approved by the cabinet this month before proceeding to the NLA.
“We are worried the bill has serious problems and want to tell the prime minister and NLA it needs to be amended,” said Gen Bunjerd.
The law is important and should cause the least harm possible to people if passed, he said.
Gen Bunjerd said there are three points of concern under the bill. First, the secretary-general of the National Cybersecurity Committee would have excessive power to order searches of and access to others' computer systems, which could affect business confidentiality.
Second, the CSA has the right to form a joint venture and request financial loans for operations, acting as both regulator and operator.
Lastly, there is no appeal process for defendants, and those who violate the law will be jailed for three years and fined 300,000 baht.
NO COURT WARRANT
Pol Col Yanapol Yangyuen, a member of the National Cybersecurity Committee, said that during the drafting process the Electronic Transactions Development Agency (ETDA) did not allow the committee to check and comment on the bill.
The law has no court warrant process as it empowers the CSA to access and seize information systems.
“Even in a serious national cybersecurity case, a court warrant is required to access and seize others’ systems, or be accepted by the National Cybersecurity Committee,” said Pol Col Yanapol.
The bill states that civil courts will be involved only if the CSA holds seized computers or assets for over 30 days.
BUSINESS CONFIDENCE EFFECT
Paiboon Amonpinyokeat, a member of the National Cybersecurity Committee, said the cybersecurity law has good intentions and is in line with Singapore’s National Cybersecurity Act, but the excessive authority of the CSA is cause for serious concern.
Section 58 allows the CSA to seize computers of others that are privy to reasonably suspicious cybersecurity threats.
“How can we ensure what is reasonably suspicious?” he asked.
The bill is vague and too broad as it states that any threat that affects national security allows the CSA to ask state agencies and businesses to disclose information or content that might impact foreign business confidence.
“The law should clearly define critical information infrastructure for computers and systems,” said Mr Paiboon.
Mr Paiboon said ETDA is also involved in preparing for the establishment of both the CSA and the Data Protection Agency as well as the digital national ID.
This is too much power and responsibility for a single agency to handle, without checks and balances, and creates conflicts of interest.
The ETDA is holding the public hearing online until Oct 12.