Bhutan Computer Incidence Response Team

Cyber security in Bhutan

If the Bhutan Information, Communications, and Media (BICM) bill is adopted without any amendments by a new government next year, the Information and Communications Ministry will establish an agency or department to oversee cyber security.

The agency or department will be called the Bhutan Computer Incidence Response Team (BCIRT), and will be concerned with the collection, analysis, and dissemination of information on cyber incidents, according to the BICM bill. Its functions will include forecasting and alerting, and coming up with emergency measures for cyber security incidents.

The proposed agency or department will also coordinate cyber incident response activities, besides issuing guidelines, advisories, and vulnerability notes related to information security practices, procedures, prevention, response and reporting of cyber incidents, among others.

The agency or department will be a major move by the Information and Communications Ministry to address cyber security issues that have emerged since 2006, when the current legislation was enacted.

The BICM bill includes a chapter dedicated solely to provisions related to cyber security.

Cyber security, as defined by the bill, is protection of information, apparatus, ICT facilities, computers, and computer networks from unauthorised access, use, disclosure, disruption, modification or destruction.

The bill gives the government the right to intercept, monitor or decrypt any information generated, transmitted, received or stored in any ICT system or apparatus, including a computer or computer network, for purposes of sovereignty and integrity of Bhutan.

The right is also granted for the defence and security of the country, and to maintain friendly relations with foreign states, for public order, to prevent incitement to the commission of any cognisable offence, or for investigation of any offence.

Non-compliance with such a directive to intercept, monitor or decrypt is punishable as a felony of the third degree. Interception, monitoring, and decryption carried out without a directive will also be punishable, as it will be considered a breach of privacy, it is pointed out.

On the same grounds on which it can intercept, monitor or decrypt information, the government can also block public access to any information.

To enhance cyber security and for the identification, analysis, and prevention of the intrusion or spread of computer contaminants in Bhutan, the government can also authorise any of its agencies or departments to monitor and collect traffic data and information. Traffic data is defined as any data identifying any person, computer, network, or location, among others.

The bill also allows the Information and Communications minister to declare, by directive, any computer or network as “critical information infrastructure”. A critical information infrastructure is defined as a computer or network which, if incapacitated or destroyed, would have a debilitating impact on national security, the economy, public health, social welfare, or safety.

Unauthorised access to the critical information infrastructure would be punishable as a felony of the second degree.

Data protection also receives specific provisions under the BICM bill.

Any legal entity will be liable to pay damages or compensation to an affected person if it is negligent in handling personal data or information and causes its loss or wrongful gain to another person, it is pointed out in the bill. Persons who are providing services under the terms of a lawful contract, but disclose data to another person without the consent of the customer or user, will be punished with a petty misdemeanour, or with a fine.

Unauthorised downloading, copying and extraction of data, without lawful permission of the owner, by a person in charge of a computer or network, can be charged as a misdemeanour.

The bill also points out that persons who knowingly or intentionally conceal, destroy, or alter computer source code used by a computer, program, or network will be charged with a felony of the fourth degree or additional fines.

The bill will be submitted to the first parliament of the next government.


From KUENSEL on 22 September 2012


KUENSEL is Bhutan's national newspaper. Founded in 1967, KUENSEL is Bhutan's oldest newspaper.