Cyber threats are not new to Nepal. In the past, there have been many cases where not only government agencies but also private websites have been hacked. We often hear about social media accounts being hacked. Additionally, in many cases, someone close to you has asked you to report an account or page. All these problems are mainly due to the lack of secure systems and protective walls. However, cyber literacy is another fundamental issue where Nepal lags behind. Although the government is keen to publicize the growth in internet penetration, the vulnerable aspects of the internet have never been talked about in Nepali society.
Keeping aside the issue of cyber literacy, the Ministry of Communication and Information Technology has drafted the Information Technology and Cybersecurity Bill, 2024 (Bill) to overcome the challenges of cybersecurity and regulate aspects of cybersecurity in Nepal, and has requested and received public feedback. The bill is an amalgamation of two separate bills: the Information Technology Bill (which has been under consideration since 2017) and the Cybersecurity Bill 2022.
Once enacted, the bill would replace the existing Electronic Transactions Act of 2006. The bill addresses issues related to the prevention of cyber security threats and cyber security incidents, as well as the regulation of cyber security service providers. The bill requires licenses to operate data centers and cloud services within Nepali territory, which must be renewed annually. These data centers and cloud service providers must comply with security standards that are reviewed by licensing authorities.
Additionally, critical information infrastructure is also envisaged, but this infrastructure is not defined within the law; it will be stipulated by the Government of Nepal, on the recommendation of the Cyber Security Center (a new authority created by the Bill), and published in the Nepal Gazette. These identified critical information infrastructures must comply with security requirements, including reporting of cyber incidents. Persons providing cybersecurity audit services must be registered with the Center, as must organizations that handle prescribed hardware and software related to cybersecurity. Blockchain, machine learning, artificial intelligence and the Internet of Things (IoT) are some of the terms used in the bill, which requires their disciplined and transparent use.
It is a welcome step that the government has recognized the importance of cybersecurity and has introduced legislation. However, cybersecurity is a constantly changing issue and requires dedicated technical talent. We have been on the sidelines of technology wars in many cases, where hackers use cyber threats to attack and hack government technology infrastructure. Therefore, to defend against such attacks, law enforcement agencies must be well-equipped with technology and human resources. The bill envisages the creation of a dedicated National Cyber Security Center, but will it appoint the right people to the right jobs, or will it simply be a “center” for political appointments that hires “my people”? Questions remain as to whether this will be a viable option, because it remains in another existing center/department.
This bill correctly envisions critical information infrastructure. However, the bill provides no hint as to what should be considered critical information infrastructure. It is only stipulated that such infrastructure shall be identified by the government and published in the Nepal Gazette, which is good practice. However, the bill needs to set out the basis for identifying such infrastructure. In the absence of such a basis, the government would be given broad authority to decide what counts as critical infrastructure, which delegates too much power to it. The previous Cybersecurity Bill of 2022 provided a basis for identifying critical infrastructure, which was removed in the latest bill.
The draft law requires government, public, financial and health service providers to process certain data within Nepal's borders. Although this is intended to protect sensitive data, it does raise concerns for companies such as international card companies and e-commerce companies that operate in Nepal without having a physical presence. Factors such as technical capabilities and data protection laws should be considered before implementing strict data localization. Policies need to be clear about purpose, balancing innovation and data privacy. Additionally, the bill lacks clarity regarding cross-border data transfers, which are important for global companies, suggesting the need for mechanisms to transfer data while meeting privacy compliance requirements.
Another positive aspect is that the bill makes it mandatory for all government authorities (ministries, commissions, departments, etc.) to appoint a Data Protection Officer. However, with increasing reliance on technology and electronic services, such appointments should also be extended to private companies that handle personal/sensitive information. Requiring such appointments of all organizations can be costly and may not be business efficient. Therefore, there is a need to adopt standards that determine which private entities must appoint a data protection officer. The basis could be, for example, companies that handle personal or sensitive data on a large scale, or whose primary and core business activities depend on the processing of personal information. The same applies to reporting cybercrime: reporting requirements are currently mandatory only for critical infrastructure. However, such reporting requirements should apply to all entities that handle personal data. Furthermore, the bill would need to clarify the types of crimes to be reported and the content of the report, specify a deadline for reporting, and outline the consequences of not reporting.
In conclusion, it is important to ensure that law enforcement agencies have the appropriate skills and resources to effectively investigate and respond to reported cyberattacks. Enacting laws that criminalize malicious cyber activity is not enough. To be truly effective, all aspects of the law enforcement system must be trained and equipped with the tools necessary to enforce these laws. If properly implemented, this will be a long-term effort aimed at educating local and national police and judges about this new area of crime. Additionally, a major challenge with cybercrime is that it involves cross-border issues. It is therefore clear that cross-border communication and information exchange mechanisms need to be improved to strengthen research, prevention and protection efforts.