The Sri Lankan government has drafted a Cyber Security Bill to shield critical records and essential services from cyberattacks, according to the Daily News. The invoice gives the authorities the strength to set up a Cyber Security Agency, the Sri Lanka Computer Emergency Readiness Team, and the National Cyber Security Operations Centre to protect “important data infrastructure” vital for the non-stop shipping of important offerings. The draft bill is awaiting cabinet approval and might be offered thereafter to the Parliament, according to the non-cabinet Minister of Digital Infrastructure and Information Technology, Ajith P Perera. He announced that a public consultation on the invoice could be held on June 6. What is ‘Critical Information Infrastructure’?
Critical Information Infrastructure (CII) consists of all computer systems or pc structures positioned totally or in part in Sri Lanka, which can be essential for the continuous shipping of critical offerings for public health and safety, privateness, economic balance, countrywide security, international stability, and for the sustainability and recovery of essential our on-line world. It additionally includes any pc system that, if disrupted, could have an extreme effect on the functioning of the authorities.
Cyber Security Agency of Sri Lanka
Establishing a new Cyber Security Agency: The Bill proposes the establishment of a Cyber Security Agency as the “Apex and Executive frame” for all subjects regarding cyber safety policy in Sri Lanka. It might be chargeable for implementing the National Cyber Security Strategy, “consisting of coaching and execution of operational techniques, rules, movement plans, applications, and tasks.”
Management and management of the employer lie with a board of administrators, including:
secretaries of the ministries of protection and public management,
a member-nominated SL-CERT board,
Secretary to the Ministry is liable for the implementation of the proposed act, and
Three professional members were appointed by the minister.
Powers and functions: One of its predominant capabilities is perceiving and advising the Minister responsible for designating a laptop or computer gadget as CII and growth strategies to defend it. The Agency will act because of the principal factor of touch for all government establishments and other relevant sectors for cybersecurity measures. It will ensure compliance with the aid of soliciting compliance reviews from specified CIIs and other authorities, institutions, including cyber safety assessments and facts approximately the steps taken to protect CIIs. The Agency or any officer legally by way of its going to, on affordable grounds, have the strength to enter, investigate, and seek the premises of special CIIs, and look at any files, data, and men and women touching on them. Information Security Officer (“ISO”): The Bill provides for the appointment of an “Information Security Officer” to each public institution or department. Every ISO will ensure the compliance of these establishments and departments with the prescribed requirements.
An institutional framework to assist the employer
The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and National Cyber Security Operations Centre to implement the National Cyber Security Strategy of Sri Lanka (NCSOC). It says the CERT might be “the countrywide factor of touch for managing cyber safety incidents in Sri Lanka” and could assist the organization by imparting country-wide cyber hazard intelligence and undertaking reactive cyber protection services to prevent or mitigate the risk harm from cybersecurity incidents.
Further, with the Agency’s concurrence, the concerned minister can also designate the CER, T, or any institution mounted through the Agency as the new NCSOC. The NCSOC will monitor the targeted CIIs, perceive cyber safety incidents, accumulate cyber threat intelligence, and provide such information to law enforcement authorities, CERT, and the Agency. It will assist the Agency in facilitating a coordinated response to prevent, locate, and investigate cyber protection incidents.
The owner of CII
The CII may be in public or non-public institutions. The head of the enterprise might be deemed the “owner” of the CII and may be responsible for taking all essential steps to defend it as prescribed within the Bill. This includes undertaking security exams, enforcing a protection plan, and notifying the Agency and CERT about any cyber protection incidents. If the CII is spread throughout multiple groups or sectors, the heads of all such companies or sectors will be at the same time answerable for shielding it.
Offenses and Penalties
Every CII proprietor who fails to fulfill their obligations under the proposed Act without any reasonable excuse, including failing to document cyber safety incidents to the Agency and CERT, will be committed for an offense. If convicted, they will be able to face up to two years in prison, a fine of as much as two hundred 000 Sri Lankan rupees (approx Rs seventy-nine 000), or each. An ISO who fails to carry out their obligations can be charged with an offense, the bill says. It also says that the pinnacle of any group that fails to facilitate an ISO will have committed an offense. If an offense is committed using an organization, every director or officer could be accountable, and if committed through a firm, every accomplice may be accountable.
However, it provides that no character can be responsible for an offense if he can prove it changed into devoted without his knowledge or that he exercised all due diligence to prevent it. Prosecution under the proposed Act can best be instituted through the Agency or an official legal by way of it, the Bill says.