Sri Lanka Cyber Security Bill Flaws and Improvements
Sri Lanka Institute of Information Technology
Master of Science (Information Management) Degree Program
Information and Network Security
Assignment 2
Cyber Security Bill – Sri Lanka
W.M.J.H. Fernando
MS18901290
New draft Cyber Security Bill for Sri Lanka
According to Non-Cabinet Minister of Digital Infrastructure and Information Technology Ajith P. Perera, the Sri Lankan government has drafted a new “Cyber Security Bill” to protect vital information and essential services from cyber-attack.
The Cyber Crimes Act will also be amended shortly to crack down on cyber-attacks and on incidents related to online security and social media.
A National Information and Cyber Security Strategy was also unveiled at the launch of the Cyber Resilience for Development (CYBER 4DEV) project, funded by the European Union (EU), in Colombo. [1]
The British, Dutch and Estonian governments are the partners implementing the project in collaboration with Sri Lanka’s Ministry of Digital Infrastructure and Information Technology. The CYBER 4DEV project will spearhead the promotion of cyber resilience through “raising awareness on cyber threats; and developing national cyber security strategies.”
It will also provide for information assurance and resilience; setting up, training and equipping Computer Emergency Response Teams; and building early warning, information sharing and analysis capabilities.
Sri Lanka has already shown clear support for this through its national cyber strategy and by signing the Commonwealth Cyber Declaration, agreed in London last year. In that Declaration, members of the Commonwealth agreed to support a cyberspace that fosters economic and social development and rights online, to build the foundations of an effective national cyber security response, and to promote stability in cyberspace through international cooperation, he added.
The Computer Emergency Readiness Team | Coordination Centre (CERT/CC) has formulated Sri Lanka’s first Information and Cyber Security Strategy, to be implemented over a period of five years from 2019 to 2023. [2]
The Strategy is an institutional framework that aims to create a resilient and trusted cyber security ecosystem, enabling Sri Lankan citizens to have safe access to the digital world and facilitating a better future, said Dr. Kanishka Karunasena, the research and policy specialist for CERT. [3] CERT has worked with multi-sectoral institutions, banks and utility organizations to create this cyber security strategy.
However, the current draft of the Sri Lanka Cyber Security Bill has some unclear areas. These are: [4]
• “3(3) The Agency shall be the Apex and Executive body for all matters relating to cyber security
policy in Sri Lanka and shall be responsible for the implementation of the National Cyber
Security Strategy of Sri Lanka.”
This implies that SLCERT and NCSOC will be subordinate to CSASL. However, it is not immediately obvious why three separate institutions are necessary. Silos and delays in communication across institutions are not conducive to the cybersecurity area, where working fast and staying ahead of emergent threats is imperative. Increased budgets and bloated institutional structures are also unaffordable in budget- and skills-constrained countries like Sri Lanka. [4]
As an example, Singapore has a well-defined structure, with the National Cybersecurity Agency of Singapore as the “national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development” and the Singapore Computer Emergency Response Team (SingCERT), a unit within the Agency, responsible for facilitating the detection, resolution and prevention of cyber security related incidents on the Internet relevant to Singapore.
• Another point of confusion is the seemingly relative imbalance of power between CSASL and SLCERT. Part II 4(2) states that “in the discharge of its powers and functions, the Agency [CSASL] shall at all times consult Sri Lanka Computer Emergency Readiness Team [SLCERT] and ensure the said powers are carried out through the institutions established under Part IV of this Act.” While it is natural that consultation should occur with an agency that is likely to have a high level of expertise, it is unclear why CSASL must always consult SLCERT. [4]
• Further contributing to the confusion of hierarchies is Part II 5(1)(a)(iv), which states that a member nominated by the Board of Sri Lanka Computer Emergency Readiness Team is to be an ex-officio member of the CSASL Board. It is unclear why a member of a subordinate institution (SLCERT) should have a seat on the CSASL Board. The reverse would make sense, thinking through normal governance hierarchies. [4]
• Part VII 21(3): “Every person who being the owner of a CII who fails, without reasonable cause, to fulfill the obligations imposed under this Act or fails to report cyber security incidents to the Agency and CERT, in accordance with section 19(1) (c) to (f), commit an offence under this Act and shall on conviction be liable to a fine not exceeding two hundred thousand rupees or to imprisonment for a term not exceeding two years or to both such fine and imprisonment.” By mandating a fixed penalty (financial and jail time), the Bill violates the important principle that the punishment should be proportional to the crime. An attack on a CII that causes billions of rupees of damage and one that causes hundreds of rupees of damage could be treated equally when assigning such penalties.
− We propose that other methods of calculating fines be considered, for example a penalty that increases by a prescribed amount each day an identified security violation is left unaddressed. Here, the number of days acts as a proxy for the damage caused.
− Another question to be asked is whether there is a need to introduce punitive actions against parties deemed to have failed in their responsibilities to contain any fallout from “cybersecurity incidents”. Will this be an effective approach to address the problem? [4]
References
[1] “Flaws in draft cybersecurity bill under review,” The Sunday Times Sri Lanka.
[2] “Sri Lanka’s unsung cyber security champions.” [Online]. Available: http://www.ft.lk/columns/Sri-Lanka-s-unsung-cyber-security-champions/4-677891. [Accessed: 18-Aug-2019].
[3] “Sri Lanka introduces new legislation to protect people from cyber-attacks,” The Sunday Times Sri Lanka.
[4] “Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf.”