Jun 14, Kathmandu: The draft bill on cyber security has been made public. The Nepal Telecommunication Authority (TAN) on Monday made the draft public through a discussion and negotiation program on the bill.

Experts and stakeholders have responded that the draft Bill has failed to maintain cyber security and legal norms. While the bill only focuses on computer systems, it is not able to cover cyber attacks in today’s world and cyber insecurity on the Internet.

The definition defines “cyber security as a situation that protects a computer or computer system from unauthorized access or attack.” Stakeholders commented that the definition was incomplete and meaningless for the current cyber world.

Former DIG of Nepal Police Rajiv Subba said that this bill is not a cyber security bill. “The draft bill is not drawn up in such a detailed manner. If we want to hold local companies accountable, the existing laws are enough,” he said. There is no need for a separate bill.”

“Cyber ​​attacks are the subject of the Internet. So it should cover issues ranging from external aggression and international litigation.” Communications and Information Technology Minister Gyanendra Bahadur Karki said that the development of information technology has turned the world into a village and cyber security cannot be ignored.

“It’s more about cyber attacks than bombings,” he said. Similarly, Kalpana Kumari Khatiwada, Deputy Secretary in the Defense Ministry, remarked that the bill was not even in the basic structure of the law. “It does not appear that the bill has been drafted by law-abiding people,” he said. IT expert Vivek Rana said that making a license mandatory to work in the field of cyber security is not appropriate.

“Cyber ​​security auditing is a profession. “If you want to do it as a business, you have to get a license for that,” he said, “but it is not right to be licensed for a profession.” They worry that making the license mandatory could cause problems with the use of internationally renowned and popular software and tools in Nepal.

Setting up of Cyber ​​Security Center:

The Bill proposes to set up a National Cyber ​​Security Center to provide cyber security to computers or computer systems in the country. As per the Bill, such an autonomous body shall oversee and monitor cyber security, cyber defense, formulation of cyber security standards, the establishment of computer hardware and software standards, and raising public awareness.

Constitution of the National Cyber ​​Security Committee under the Chairmanship of the Information Minister has to achieve the objectives of the National Cyber ​​Security Centre, a National Cyber ​​Security Committee under the Chairmanship of the Minister of Communications and Information Technology has been proposed. and to conduct, supervise and manage the overall work of the Centre.

The arrangement to be chaired by the Minister, the Steering Committee of the Centre, which is supposed to be autonomous, is contradictory in itself. The nine-member committee will be nominated by the government from among eight ex-officio and three cyber security service providers.

One should complete 40 years to become the CEO of the Centre.

The area of ​​cyber security is an area of ​​youth participation and expertise. However, only those who have completed 40 years of age are eligible for Chief Executive Officer (CEO) of the National Cyber ​​Security Center.

Dr. Rajiv Subba, former DIG and COO of Info Developers said that the qualifications of the CEO and members of the center have been determined in such a way that retired secretaries and joint secretaries can be provided jobs. “If it is for cyber security, the age limit should be 30, not 40,” he said.

A compulsory license for providing cyber security services

The Bill provides that for providing cyber security services, it is necessary to obtain a license from the National Cyber ​​Security Centre. Accordingly, an unlicensed person shall not be able to obtain, identify or scan or monitor what is stored, processed, or transmitted on another person’s computer or computer system for the purpose of detecting cyber security risks.

In addition, licensing has been made mandatory for auditing services provided to determine, test, or evaluate cyber security vulnerabilities of computers or computer systems.

Is cybercrime just a breach of sensitive information infrastructure?

The draft bill lists sensitive information infrastructure and classifies them as serious cyber crimes. These include energy, information, and communications, drinking water, health, banking and finance, security and emergency services, civil aviation, government operations, media, and data centers.

The draft bill states that such essential computers or computer systems are required to provide uninterrupted services and if they are damaged or compromised, the availability of essential services may be affected. The owners of such sensitive information infrastructure are required to comply with the conditions and norms laid down by the Centre, provide the necessary information, report cyber security incidents, and conduct cyber security audits and risk assessments.

The provisions relating to cyber security risks and incidents are covered in a separate paragraph. Wherein, if any information is received about a cyber security risk or incident, the center may appoint a cyber security officer to review or evaluate it and a senior cyber security officer to handle serious cyber security incidents Responsible for investigation and investigation.

Further, critical issues such as user security, user data protection, phishing, data theft, character assassination through social media, and prevention of unauthorized access to personal devices have not been covered in the bill.

Nepal Telecom Authority Director Bijay Kumar Roy, while delivering the welcome address at the discussion and interaction program on the Bill, said that there has been an increase in incidents like spam, phishing, social engineering, and character assassination through social media, hate speech, etc. World.

However, the draft Bill does not address such incidents. Director Roy said that discussions and suggestions have been started for the purpose of covering the missing. “Not everything can be covered by the bill alone,” he said.