Analyzing & Finding Loopholes in the Cyber Security Bill (2019) of Sri Lanka


INTRODUCTION

Sri Lanka's Cyber Security Bill was published in 2019 (it is referred to as the Act throughout this article) with the goals of protecting the country's Critical Information Infrastructure, establishing the Cyber Security Agency of Sri Lanka, empowering the National Cyber Security Operations Centre and the Sri Lanka Computer Emergency Readiness Team (CERT), and providing for matters incidental to or connected with the National Cyber Security Strategy. Its stated objectives are to protect the Critical Information Infrastructure, to establish the Cyber Security Agency of Sri Lanka, to prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently, and to empower other institutional frameworks to provide a safe and secure cyber security environment. The Act covers a wide range of cyber security concerns and is divided into 14 parts and 68 sections. Beyond its objectives, it specifies the composition of the Board, the appointment of the Agency's Director General and staff, the powers, duties and functions of the Cyber Security Agency of Sri Lanka, and the consequences of non-compliance.

ANALYZING THE CYBER SECURITY ACT OF SRI LANKA

As outlined above, the Act is built around four goals: protecting the Critical Information Infrastructure, establishing the Cyber Security Agency of Sri Lanka, empowering the National Cyber Security Operations Centre and Sri Lanka CERT, and providing for matters incidental to or connected with these. The Act states its objectives as follows.

The Objectives of the Act:

(A) To ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka;

(B) To prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently;

(C) To establish the Cyber Security Agency of Sri Lanka and to empower other institutional framework to provide for a safe and secure cyber security environment;

(D) To protect the Critical Information Infrastructure.

However, given how quickly the technologies and processes in the cyber security space are advancing, the Act has several gaps that need to be addressed.

ANALYSIS OF THE LOOPHOLES

Definition of Critical Information Infrastructure (CII): The Act does not offer a precise definition of what constitutes CII, which invites misunderstanding and misinterpretation. As a result, organisations that are vital to the functioning of the country may not be designated as CII. An imprecise definition also leaves it unclear who the owner of a given CII is, and therefore who carries the statutory duty to safeguard it and take the required protective measures.

Obligations of the CII Owner: While the Act obliges the CII owner to protect the CII and take all necessary measures to defend it, it does not spell out what those obligations consist of. This leaves organisations uncertain about what compliance requires, delays compliance in practice, and makes it harder for them to protect their CII adequately.

The Role of the Sri Lanka Computer Emergency Readiness Team (CERT): The Act lists CERT's functions as providing technical assistance to law enforcement agencies in digital forensic investigations, providing timely technical assistance on cyber security issues at the request of any government institution or other relevant sector, conducting and managing cyber security services for government institutions and other sectors on request, and sharing cyber threat intelligence with government institutions and other sectors. It does not, however, clearly separate these functions from those of the Agency and the National Cyber Security Operations Centre. This can lead to misunderstanding and duplication of effort, making it difficult for the bodies to collaborate effectively.

Penalties for Non-compliance: While the Act imposes penalties on those who fail to meet its requirements or fail to report cyber security incidents to the Agency and CERT, it does not set out how those penalties are scaled or applied. This uncertainty makes compliance planning difficult for organisations. Unclear penalties also weaken deterrence, making it easier for organisations to neglect their statutory obligations.

Personal Data Protection: While the Act aims to protect Critical Information Infrastructure, it establishes no principles for the protection of personal data. This can lead to breaches of privacy and confidentiality, making it harder for people to trust the government and organisations with their personal information. Without clear rules on personal data protection there is also little accountability, making it easier for organisations to mishandle personal data.

REAL WORLD SCENARIOS & CASES

The lack of clarity in Sri Lanka's Cyber Security Act has led to misunderstanding and misinterpretation in a number of real-world situations, for example:

Sri Lanka's government designated 11 entities as CII in 2019, including the Colombo Stock Exchange, the Sri Lanka Ports Authority and Sri Lanka Customs. Questions were raised as to why some organisations were designated as CII while others were not. For example, Sri Lanka Telecom, which provides essential communication services, was not designated as CII, raising doubts about the Act's effectiveness.

In 2020, the Sri Lankan government announced rules for the protection of CII, which included measures such as regular security assessments, access controls and network traffic monitoring. However, there was uncertainty about what these measures required in practice, which delayed compliance and made it difficult for organisations to secure their CII effectively.

The Sri Lankan government set up a National Cyber Security Operations Centre (NCSOC) in 2021 to anticipate potential cyber security incidents and coordinate the response to cyber security crises. However, there was uncertainty about CERT's role in relation to the NCSOC, which resulted in duplication of effort and made it difficult for the two bodies to work together effectively.

In 2022, the Sri Lankan government fined a company Rs. 200,000 for failing to report a cyber security incident to the Agency and CERT. There was debate over whether a fine of that size was enough to deter non-compliance, raising concerns about the Act's effectiveness.

To protect personal data, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022. However, it remained unclear how the new legislation would interact with the Cyber Security Act, raising concerns about personal data privacy and the effectiveness of both laws.

CONCLUSION

In summary, the Sri Lankan Cyber Security Act contains significant gaps that must be closed in light of emerging technologies and practices in the cyber security field. The lack of clarity on the definition of CII, the obligations of the CII owner, the role of CERT, the penalties for non-compliance and the protection of personal data are examples of these flaws. Real-world scenarios have underlined the need for clearer rules and guidance in these areas to ensure the Act is implemented successfully. The Sri Lankan government must close these gaps if the Act is to be effective in preventing, mitigating and responding to cyber security threats and incidents, establishing the Cyber Security Agency of Sri Lanka, empowering other institutional frameworks to provide a safe and secure cyber security environment, and protecting the Critical Information Infrastructure.


Stay Informed, Stay Safe!