Coming just in time on the backdrop of a series of cyber bullying instances in the country, the strategy hopes to โsafeguard the nationโs cyberspace, risks and threats that come with it to protect the general populationโ
Launched this week, the National Cybersecurity Strategy (NCS) represents Bhutanโs inaugural effort to establish a comprehensive approach to cybersecurity, according to GovTech Agency and the Bhutan Computer Incident Response Team (BtCIRT). Its primary objective is to safeguard the nationโs cyberspace and equip the country to effectively address various cybersecurity risks and threats that could negatively impact individuals, businesses, and government operations.
The Information Communication and Media Act of 2018 includes a dedicated chapter on cybersecurity, while the 2019 eGovernment Policy statement emphasizes โInformation Privacy and Securityโ and mandates the development of a national cybersecurity strategy aimed at securing the online environment.
Bhutan is experiencing rapid digital transformation, as evidenced by the increasing availability of online services and innovative technologies, such as the national digital identity system. The health and education sectors are transitioning to online platforms, and the use of electronic media and the internet has surged, particularly following the COVID-19 pandemic. This digital evolution lays a robust foundation for enhanced digital trade and better integration into the global digital economy. However, it also raises the nationโs vulnerability to digital economy risks, particularly concerning cross-border data sharing. Rising cyber threats, including phishing, identity theft, and privacy breaches, put critical systems and data at risk. Consequently, a strategic and holistic approach to cybersecurity preparedness is both timely and essential.
The NCS envisions โa safe, secure, and resilient cyberspace for Bhutanโ and is guided by three core principles: inclusiveness, the CIA triad (Confidentiality, Integrity, and Availability) of information, and alignment with international and national best practices.
The strategy outlines four key goals: Establishing a Cybersecurity Institutional Framework for governance and coordination; Enhancing the Cybersecurity Legislative Framework; Protecting National Critical Information Infrastructure; Strengthening Cybersecurity Incident Management; and Achieving these goals over the next five years (2024-2029) will support the overarching vision of the NCS.
Implementing the cybersecurity governance framework is vital for the effective execution of cybersecurity initiatives. This governance structure will involve oversight by the GovTech Commission and cross-sectoral coordination among various ministries.
Currently, Bhutan relies on the Information, Communication, and Media Act 2018 (ICMA) to address all aspects of ICT. However, as technology advances, gaps within the ICMA have become apparent. A comprehensive study conducted in 2023 identified these gaps and recommended enhancements to the cybersecurity legislative framework. The NCS aims to address these deficiencies and bolster Bhutanโs response to cybersecurity threats.
The strategy places significant emphasis on protecting Bhutanโs Critical Information Infrastructures, particularly in the Health, Energy, Transportation, Trade, Food, Financial, and Telecommunications sectors, all of which rely heavily on ICT. Disruptions in these areas could have severe consequences for the nation.
The newly created GovTech Commission will be leveraged to govern the NCS lifecycle and the action plans along with any other issues related to cybersecurity. The commission was established as the highest advisory body for the GovTech to provide policy advice to the Royal Government of Bhutan (RGOB) to champion the development and implementation of Whole of Nation/Government ICT and emerging technology policies and programmes. The GovTech Commission will also serve as the highest technical advisory body to manage and guide the GovTech Agency in the implementation of all major technology programs, including Cybersecurity programs of the RGOB. Its functions include reviewing and approving policies relevant to ICTs and emerging technologies, and provide strategic oversight and guidance to GovTech Agency, including the cybersecurity mandate, among other functions.
The commission is chaired by the Prime Minister with four permanent members: Coordinating Secretary, Governance Cluster; Representatives from the office of Gyalpoi Zimpon/HMS; Secretary, GovTech; and Chief Technology Officer, Druk Holding and Investment (DHI).
The member secretary of the GovTech Commission is the Director of GovTech. The commission will monitor the implementations of NCS, approve any major deflections of the NCS Action Plan and advise in case of any unforeseen circumstances that might arise during the period of implementation. The Commission will appoint GovTech as the lead Project Authority for NCS. GovTech is also mandated by the ICMA 2018 and as per the recommendations from the โPerformance Audit of Cybersecurity Preparedness of the countryโ to coordinate the development of national strategy.
The Advisors are the stakeholders from a spectrum of agencies to support, advice, and assist the Cybersecurity division within the GovTech Agency. The support expertise shall be in the areas of legal advice, government procurement, critical infrastructure regulations, and human resource availability.
They will provide recommendations to the GovTech Commission for making necessary decisions. The Cybersecurity Division under the GovTech Agency will take up the responsibility of planning, stocktaking, risk profiling, and consolidation of the NCS Action Plan, and half-yearly reporting to the GovTech Commission. Three years after the NCS approval, the GovTech in consultation with the Advisory Panel will lead the development of the next cybersecurity strategy.
The BtCIRT, established in 2016, has been responsible for managing cybersecurity incidents. However, many incidents went unreported due to a lack of awareness regarding the CIRTโs role as the national coordinator for incident response. The NCS outlines strategies to enhance incident management through collaboration among stakeholders, improved information-sharing mechanisms, and increased public awareness. Additionally, establishing dedicated Security Operations Centers (SOCs) and sector-specific CIRTs in critical sectors is expected to bolster protective measures.
The implementation of the National Cybersecurity Strategy (2024-2029) will involve various ministries, agencies, corporations, and private sector entities, all aimed at improving the nationโs cybersecurity maturity and culture. Furthermore, the NCS will lay the groundwork for the development of a more comprehensive Cybersecurity Strategy in the future.
Since its inception, the BtCIRT has managed 1,198 cybersecurity incidents up to 2023, serving a diverse range of stakeholders, including government agencies, corporations, private sector, general public, and international organizations operating within Bhutan.
Tashi Namgyal from Thimphu