PAC report raises questions on cyber security

Bhutan still does not have legal provisions defining cybercrime

One of the reports of the Public Accounts Committee (PAC) to the Tenth Session of the Third Parliament is a Review Report on the Performance Audit Report on Preparedness for Cyber Security. While the report does not specifically list the country's limitations, it reveals that in a technology-driven world, where cyber security is vital, Bhutan has a lot to do. The PAC Report states that the Information, Communications, and Media Act (ICM Act) does not cover all the provisions required for cyber security. It highlights the lack of adequate legal frameworks and mechanisms to address cybercrime, stating that there are no legal provisions defining cybercrime. It also points out that no specific agency takes a lead role in regulating cyber security, and that in the absence of protocols for cyber incident reporting, agencies lack a common understanding of how to report cyber incidents, so many cases go unreported.

The main legal document for cyber security, and for anything related to ICT, is the Information, Communications and Media Act (ICM Act), which was enacted in 2018. For cyber security in particular, the act has provisions for the protection of online and offline privacy, cyber security and data protection, and for offenses, including the grading of and penalties for computer offenses. But the ICM Act 2018 does not cover all the provisions required for cyber security. As a result, agencies have had to rely on other Acts such as the Penal Code of Bhutan 2004 (amended 2021), the Civil and Criminal Procedure Code of Bhutan (CCPC) 2001 (amended 2021) and the Evidence Act 2005, the report states.

On cybercrime, the PAC report says there is a lack of adequate legal frameworks and mechanisms to address it, and that there are no legal provisions defining cybercrime. Bhutan also has no agreements for cross-border and multi-jurisdictional investigation of cybercrime with any country other than India. This not only makes it harder for law enforcement agencies to combat and criminalize cybercrime, including through cross-border investigations, but also leaves the country more vulnerable to cyber attacks.

It is further pointed out that although there are adequate legal provisions for data privacy and data protection, inadequate enforcement mechanisms have inhibited the effective enforcement of the intent of, and compliance with, the ICM Act.

The report also mentions that no specific agency takes a lead role in regulating cyber security, so there is no assurance that Critical Information Infrastructure (CII) is properly identified and secured. For instance, regulating agencies such as the Royal Monetary Authority (RMA), the Bhutan Electricity Authority (BEA) and the Bhutan InfoComm and Media Authority (BICMA) each identify and monitor the CIIs of the organizations that function under their own jurisdiction. “Such a disintegrated approach may lead to a diffusion of responsibilities in ensuring the implementation and enforcement of cyber security requirements and thus, exposing the CIIs to perpetual vulnerabilities and threats.”

Further, in the absence of protocols for cyber incident reporting, agencies lack a common understanding of how to report cyber incidents. As a result, many cases go unreported, and at the national level it is difficult to assess the country’s threat environment and design strategic responses to cyber attacks.

The report also states that because Google Workspace is a cloud service, government agencies storing information in it face a risk to data security and privacy. Since there is no data classification at either the national or the agency level, the confidentiality of sensitive information cannot be ensured while agencies use Google Workspace for processing, storing, and communicating all official information. “The cyber security initiatives undertaken in the country lack strategic visions and directions, defined principles, and set priorities in managing cyber security risks, with the National Cyber security Strategy (NCS) still in its draft stage.

The RAA also noted that a risk assessment of the draft NCS had not been conducted, a monitoring and evaluation framework was not developed, Key Performance Indicators were inadequately set, coordination mechanisms were not defined and there is no dedicated budget for implementing the action plans identified in the draft NCS,” the PAC report asserts. 

The report also cites the lack of adequate attention and focus on cyber security programs in the absence of a coordinating higher authority for cyber security, such as a cyber security governance committee. Additionally, it states that the national agency for cyber security, GovTech (the Bhutan Computer Incident Response Team, BtCIRT), is not equipped with sufficient resources, which has made it ineffective in delivering its functions. An inadequate capacity assessment framework for identifying cyber security capabilities at both the strategic and operational levels has resulted in the lack of capacity of GovTech (BtCIRT).

While noting the initiatives taken by GovTech (BtCIRT), the report says there is no proper information-sharing mechanism to institute a collective approach to information sharing, such as involving IT professionals from all the essential sectors and properly identifying the types of information to be shared.

The inadequacy of cyber security capacity building and awareness needed to enable the digital economy and ensure cyber security in the country, and of the incident handling mechanism, are also covered in the report. “Incident handling is crucial for organizations to manage and enhance cyber security. An incident handling mechanism is a system that constitutes plans, procedures, tools and resources to prevent, protect, mitigate, detect, respond, recover and learn lessons from the incident. However, there is no proper monitoring mechanism instituted to ensure that appropriate security measures are implemented to remedy the security vulnerabilities identified in the Government Data Centre (GDC).”

As such, the PAC has recommended establishing a coordinating leadership to provide strategic direction and empower the nodal agency for cyber security, and to form institutional linkages among policymakers, regulators, and implementers, including state-owned enterprises (SoEs) and government agencies. “Further, GovTech as a national authority needs to expand the role of existing regulators. These regulators need to have adequate personnel with cyber security know-how and need to enhance enforcement and compliance mechanisms through various means such as rules and regulations, license contract agreements, monitoring and reporting mechanisms, and accountability mechanisms.”

Other recommendations are that the GovTech Agency implement the draft National Cyber security Strategy with an implementation plan, budget, and monitoring and evaluation framework; expedite the identification and protection of Critical Information Infrastructures (CIIs) in the country; strengthen the legal framework for cyber security by reviewing the existing Acts, Rules and Regulations; and strengthen the enforcement mechanism for data privacy and protection against unauthorized disclosure and processing of personal data. The PAC has also recommended that the GovTech Agency develop protocols to classify data, so that sensitive and confidential information is protected and data protection and security are ensured.

The performance audit of preparedness for cyber security was conducted at BtCIRT and the Government Technology Agency (GovTech). The audit covered the period from the inception of BtCIRT in April 2016 to December 2022.

Nidup Lhamo from Thimphu