The Sri Lankan government has drafted a Cyber Security Bill to protect critical information and essential services from cyber-attacks, reports Daily News. The Bill gives the government the power to set up a Cyber Security Agency, the Sri Lanka Computer Emergency Readiness Team, and the National Cyber Security Operations Centre to protect “critical information infrastructure” essential for the continuous delivery of essential services. The draft Bill is awaiting Cabinet approval and would then be presented to Parliament, according to the non-Cabinet Minister of Digital Infrastructure and Information Technology, Ajith P Perera. He added that a public consultation on the Bill would be held on June 6.
What is ‘Critical Information Infrastructure’?
Critical Information Infrastructure (CII) consists of all computers or computer systems located wholly or partly in Sri Lanka that are essential for the continuous delivery of essential services for public health and safety, privacy, economic stability, national security, international stability, and for the sustainability and restoration of critical cyberspace. It also includes any computer system that, if disrupted, would have a serious impact on the functioning of the government.
Cyber Security Agency of Sri Lanka
Establishing a new Cyber Security Agency: The Bill proposes the establishment of a Cyber Security Agency as the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It would be responsible for the implementation of the National Cyber Security Strategy, “including preparation and execution of operational strategies, policies, action plans, programs, and projects”.
Administration and management of the Agency lie with a board of directors comprising:
secretaries of the ministries of defense and public administration,
a member nominated by the SL-CERT board,
the secretary to the ministry responsible for the implementation of the proposed Act, and
three expert members appointed by the minister.
Powers and functions: One of its main functions is to identify and recommend to the responsible Minister the designation of a computer or computer system as CII, and to develop strategies to protect it. The Agency would act as the central point of contact for all government institutions and other relevant sectors for cybersecurity measures. It would ensure compliance by requesting compliance reports from designated CIIs and other government institutions, which would include a cyber security assessment and information about the steps taken to protect CII. The Agency or any officer authorized by it would, on reasonable grounds, have the power to enter, inspect and search the premises of designated CIIs, and examine any documents, records and persons relating to them.
Information Security Officer (“ISO”): The Bill provides for the appointment of an “Information Security Officer” to each public institution or department. Every ISO would ensure the compliance of these institutions and departments with the prescribed requirements.
An institutional framework to assist the Agency
The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and the National Cyber Security Operations Centre (NCSOC) to implement the National Cyber Security Strategy of Sri Lanka. It says the CERT would be “the national point of contact for handling cyber security incidents in Sri Lanka” and would assist the Agency by providing national-level cyber threat intelligence and undertaking reactive cyber security services to prevent or mitigate the damage from cybersecurity incidents.
Further, the minister concerned, with the concurrence of the Agency, may also designate the CERT or any institution established by the Agency as the new NCSOC. The NCSOC would monitor the designated CIIs, identify potential cyber security incidents, gather cyber threat intelligence and provide such information to law enforcement authorities, CERT and the Agency. It would help the Agency facilitate a coordinated response to prevent, detect, and investigate cyber security incidents.
The owner of CII
The CII may be in public or private institutions. The head of the institution would be deemed the “owner” of the CII, and would be responsible for taking all necessary steps to protect it as prescribed in the Bill. This includes conducting security assessments, implementing a protection plan and notifying the Agency and CERT about any cyber security incidents. If the CII is spread across multiple organizations or sectors, the heads of all such organizations or sectors would be jointly responsible for protecting it.
Offenses and Penalties
Every CII owner who fails to fulfill his or her obligations under the proposed Act without any reasonable cause, including failing to report cyber security incidents to the Agency and CERT, would have committed an offense. If convicted, he or she could face up to two years in prison, a fine of up to 200,000 Sri Lankan rupees (approx Rs 79,000), or both. An ISO who fails to carry out his or her duties can be charged with an offense, the Bill says. It also says that the head of any institution who fails to facilitate an ISO would have committed an offense. If an offense is committed by an organization, every director or officer would be liable, and if committed by a firm, every partner would be liable.
However, it provides that no person would be liable for an offense if he can prove it was committed without his knowledge or that he exercised all due diligence to prevent it. Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by it, the Bill says.