Digitization has eased our lives in many ways. Meanwhile, as everything is now connected to the internet, privacy threats are greater than ever.
A vast amount of data is accumulating in both the public and private domains as institutions shift all their activities to digital platforms. All nations have been facing data security issues on a large scale. Consequently, governments worldwide, including Nepal, are working to implement relevant cybersecurity policies to curb cyberattacks and cybercrimes.
Govt to introduce new cybersecurity laws in Nepal
The statistics of Nepal Police show that the number of cyberbullies has surged since 2014. Data breaches at FoodMandu, Vianet, the Ministry of Agriculture and the Central Library, several cases of ATM hacks, and social media cyberbullying have been reported over the last few years due to loopholes in the cybersecurity system in Nepal.
The cases of cybercrimes are handled under the Electronic Transaction Act 2008. Currently, an expert group named Computer Emergency Response Team (CERT) under the Department of Information Technology deals with cybersecurity threats like hacking and phishing. The team also collaborates with security operations center teams to establish detection rules and coordinate responses.
Although cybercrime issues are handled under the Electronic Transaction Act 2008, this act does not address the changing dynamics and challenges of cyberspace. Hence, the Ministry of Communication and Information Technology has prepared a new policy draft named ‘National Cyber Security Policy 2021’ to govern and address cybersecurity issues.
“Gradually people have started paying online and every critical document like citizenship, passport and banking transactions are coming to the online space, so we required a guideline according to the need of time,” says Indra Mainali, deputy secretary, cybersecurity department of Ministry of Communication and Information Technology.
Experts appreciate the government’s initiation
Cybersecurity experts and lawyers have lauded the government’s move.
Advocate Prabin Subedi and Advocate Hempal Shrestha, Chairperson at Event and Project Development Committee at Computer Association of Nepal and consulting researcher specializing in IT and law, have also welcomed the government’s step to draft a policy. They share that a proper policy can provide direction to the existing frameworks.
The new National Cyber Security Policy 2021 draft begins with background information on the need for cybersecurity policy, the need for the new law, challenges, objective, strategy, work plan and organizational structure. The draft also includes the responsibility of the stakeholders. It also mentions the formation of the direction committee and coordination committee for inter-agency coordination and collaboration.
It also includes the formation of the National Cyber Security Strategy Working Group, National Information Technology Emergency Response Team and Female and Child Online Protection Working Group. However, it fails to deliver the most crucial part of any policy document, that is, the policy approach. Therefore, it leaves ample room to doubt whether the document itself is a policy paper or just a program.
The policy draft has mentioned objectives and action items. “The draft includes around 58 program activities under the strategies. These initiatives give an impressive outlook, but the direction needed to achieve the impact of cybersecurity seems to be missing while going through this set of the work plan,” says Shrestha.
Objective, Strategies and Work Procedure
The strategies focus on framing laws for cyberspace, developing skilled human resources and organizing public awareness programs. There are altogether 58 programs under eight strategies. Below, we have a brief on significant action items in the draft with experts’ remarks on a few of the points.
#Strategy 1: To frame the laws and guidelines for secured and resilient cyberspace
- This strategy aims to amend the existing laws on cybersecurity according to the need of time. Nevertheless, there is no clarity on which specific laws need amendment.
“It would be better if the policy draft could identify the specific acts or laws it intends to amend or enact mentioning the guiding thoughts for these amendments and enactment,” says Shrestha.
- Mandatory cybersecurity audit for private and public organizations
- Protection of intellectual property rights and copyright
- Designing a work plan for preparedness, protection, detection, response and recovery of cybersecurity threats
- Develop technical guidelines for the National Cyber Security Strategy
#Strategy 2: Develop institutional and organizational structure based on international guidelines to secure information and Information technology system
- Develop a National Cyber Security Centre as a focal point and also as a digital forensic research facility
- Aims at capacity building of institutions working on cybersecurity and cybercrimes
- Building the digital infrastructure for sharing information about cyberattacks
- Building National Contingency Plan and also aims to develop National Cyber Security Strategic Work Committee
#Strategy 3: Build infrastructure and technology to strengthen cybersecurity
- Protecting National Critical Infrastructures
- Mandatory use of digital signatures in email and application software
- According to the strategy, arrangements will be made to examine and certify institutions that follow good cybersecurity practice according to the criteria (like ISO 27001).
#Strategy 4: Develop skilled human resource in the cybersecurity sector
- Establish a finishing school in collaboration with IT institutions for students who have completed their graduation in Information Technology. The purpose of the school is to train the students for their career in IT.
- IT courses will be included in the school-level curriculum
- Identifying and training the IT professionals from time to time and establishing a cyber-security professionals committee in the civil service
#Strategy 5: To do public awareness campaigns on issues of cybersecurity
- The strategy aims to organize public awareness programs for education and awareness on data security.
- Forming Community Emergency Response Team
- Issuing an advisory to the public on any contemporary issues related to cybersecurity
#Strategy 6: To collaborate with public entities and the private sector for secure cyberspace
- The aim of this strategy is public-private collaboration in the field of cybersecurity. It mentions encouraging more cybersecurity-related institutions in the nation.
#Strategy 7: Collaborate with international organizations for secured cyberspace
- Establish a focal point for collaboration regarding cybersecurity issues
- Understandings will be reached on cybercrime control at bilateral and multilateral levels
- Operating reliable global cybersecurity according to the International Telecommunication Union (ITU)
#Strategy 8: To build a safe online space
- Controlling the flow of fake news through the internet
- Controlling cyberbullying and preventing children’s access to harmful content
Limitations and gaps to be filled
Advocate Subedi says that the policy draft needs to add detail on what kind of challenges and vulnerabilities led the government to introduce the policy.
“As this policy will be a guiding principle for the forthcoming years, the youths must understand the reason behind the policy formation when they go through it,” Subedi opines.
Though both cyber safety and cybersecurity are related to online protection, the two have completely different meanings. “The policy attempts to address both the cyber safety and cybersecurity, which at some places creates confusion to the reader about the priority of the policy,” shares Shrestha.
Similarly, Advocate Subedi shares that a few work plans in the strategies focus on controlling media. Action item 11.56 of the eighth strategy covers monitoring the fake news published on the internet and social media. “Policy should ensure that the information communication is secure. It should not regulate the media,” he says.
According to Prabin Subedi, the policy should just be taken as the initiation of work. However, he views that cybersecurity and information security are two different aspects. “Both issues of information security and cybersecurity have been covered in the draft. This is just my concern on why the name of the policy is ‘Cybersecurity policy’ when it covers both the aspects,” says Subedi.
“It would be very aptly suited if the policy draft could define its scope and limitations, in the pretext itself, which could have given this policy document a direction and would have prevented it from overstepping on other domains and issues associated with the ICTs in general”, says Shrestha.
Shrestha also shares that the government must evaluate the existing policies before introducing new policies within the domain of ICT.
Information Technology Policy (2010), which was revised later as Information and Communication Technology Policy (2015), is yet to be reviewed and fully implemented. “We should first undertake a periodic review of the policies and their implementation. We must work on implementing the existing policies while introducing new policies in regular intervals of 3-4 years,” says Shrestha.
The draft includes various terminologies including National Critical Infrastructures, National Cyber Security Maturity, National Contingency Plan and many others; but it has failed to define those terms.
“It should have set a benchmark from a policy aspect for protecting these national critical infrastructure. In the absence of these founding guidelines, the acts and regulations drafted following this policy, might have a high chance of either being diluted or enacting a feeble regulation while it aims to protect these critical infrastructures,” says Shrestha.
The proposal to establish an IT Authority in Action item 11.20 is a welcome step; however, “how does it define its scope and jurisdiction in the present policy document is missing. This might raise a situation where the inter-agency conflict among different government institutions is going to hamper effectively ensuring the cybersecurity of the nation,” says Shrestha.
Mainali from MOCIT says that the ministry is preparing to pass the policy by the end of this fiscal year 2077/78.
Shrestha and Subedi believe that though the policy draft is a good beginning, it fails to give the direction needed to steer these pertinent issues and address the above-mentioned gaps.
According to them, the draft lacks clarity in its policy approach and only partially succeeds in addressing the gravity of the cybersecurity issues hovering over the socio-economic dynamics of Nepal. Hence, they view that different stakeholders must be consulted on the draft for refinement before it is adopted.
They also suggest that the Ministry get feedback from stakeholders including the technical community, educational institutions, the private sector, the public sector and public representatives to fill the gaps in the draft.
They insisted on extending the deadline for suggestions. The Ministry made the draft accessible to the public only a few days ago, and only around 12 days were allocated to receive feedback from various sectors. Hence, to reach the true extent of the necessity of cybersecurity policy, a wider stakeholder mapping and consultation would be the way forward.