Published on 10:00 AM, August 29, 2023

CSA v cybersecurity laws of other countries

Visual: Teeni and Tuni

Cybersecurity laws include rules and frameworks designed to safeguard digital systems, networks, data, and information from online threats. Countries like the US, UK, and those in the EU adopted these laws early and are continuously improving them. Meanwhile, in Bangladesh, the forthcoming Cyber Security Act (CSA) is poised to become the primary legislation concerning cybercrime. Comparing this law with those in other countries can help us determine how well the proposed CSA aligns with international standards.

As cyber threats have evolved, numerous laws and rules emerged focusing on three key aspects: 1) Protecting private, sensitive, and financial data; 2) Preventing computer-based fraud and unauthorised access; and 3) Creating guidelines to ensure strong security measures for data, computer systems, and networks across different institutions and infrastructures.

In the US, several laws are in place to safeguard specific types of data. For health data, there's the Health Insurance Portability and Accountability Act (HIPAA). For children's data, there's the Children's Online Privacy Protection Act, while the Gramm-Leach-Bliley Act deals with financial information. In Europe and in the UK, similar purposes are served by the General Data Protection Regulation (GDPR) and the Data Protection Act, respectively. In the US, computer-related frauds are addressed by the Computer Fraud and Abuse Act, while in the UK, the Computer Misuse Act criminalises unauthorised access, computer-related frauds, and similar cyber offences.

Much like its predecessor, the Digital Security Act (DSA), 2018, the proposed Cyber Security Act (CSA) contains sections aimed at safeguarding computer systems, networks, and data. It establishes penalties for activities such as unauthorised access, disruptions, and the misuse of IT systems.

However, in contrast to similar laws in other parts of the world, the CSA includes clauses that do not directly relate to cybersecurity. These provisions include prosecuting defamation, limiting freedom of speech, and levying charges against the promotion of religious intolerance and offences related to the Official Secrets Act (OSA), 1923. The DSA gained infamy for its tendency to suppress opposing viewpoints rather than effectively addressing cyber threats, and there is no noticeable shift in this aspect within the newly suggested legislation.

To meet accepted standards, a law must have unambiguous provisions. Section 25 of the DSA has faced criticism due to lacking specificity and clarity, which could result in varying interpretations and possibly the unjust criminalisation of legitimate criticism and opinions. Such a vague clause raises questions about whether the DSA's objective was to safeguard against cyberattacks or if it was to curtail freedom of speech. To prevent misconceptions, any new cybersecurity legislation must have comprehensive and transparent descriptions of offences, aiming to eliminate uncertainties. Regrettably, the proposed CSA does not meet this standard.

In the US, the Federal Information Security Modernization Act (FISMA) guides federal agencies on securing their computer systems. In the EU, the newest version of the Network and Information Security (NIS2) Directive mandates essential service providers (such as those in the energy, transportation, banking, and healthcare sectors) to employ proper security measures. Although Bangladesh's DSA incorporates regulations for protecting critical information infrastructure (under Section 16), recent incidents like the NID data breach and, in the past, cyber theft from Bangladesh Bank's account, reveal the ineffectiveness of the DSA and its predecessor. The new CSA could have effectively addressed this concern by incorporating stricter provisions akin to those in FISMA. Regrettably, no such additions have been made, leaving room for unsavoury events to recur in the future.

Section 43 of the DSA, for instance, lets police arrest people without a warrant. In the US, the Computer Fraud and Abuse Act (CFAA) also allows warrantless arrests in specific cases. But it's important to note that the Fourth Amendment to the US Constitution imposes strict conditions on such actions by law enforcement. In Bangladesh, the absence of similar safeguards has led to the widespread misuse of Section 43 of the DSA, creating an environment of panic. It would have been prudent either to remove altogether the provision that allows warrantless arrests and searches by junior police officers or, if kept, to add more checks and balances (such as involving an executive magistrate during search and seizure operations). But the CSA has not been changed to that effect.

The UN Office of the High Commissioner for Human Rights has suggested removing two Sections (21 and 28) from the DSA and changing eight others. Many of these sections primarily relate to freedom of expression and journalism, deviating from the principles outlined in the International Covenant on Civil and Political Rights. But Sections 21 and 28 remain largely untouched in the proposed law. The OSA, which mostly deals with unauthorised entry to prohibited places, stealing information from there and spying (that is, offences not directly related to cybercrime) has been retained in the proposed CSA. Adding these offences to the CSA makes it more draconian than the original OSA, wherein a junior police officer could not carry out an arrest without a warrant.

The extent of the DSA's abuse can be gauged from the fact that, in the last five years, there have been at least 7,000 cases filed under this law, but only a few saw the accused being convicted. In the proposed CSA, it was necessary to eliminate the provision of allowing multiple cases to be filed against an individual for a single offence across various jurisdictions, and to also introduce rules that would severely penalise anyone, including law enforcement members, for intentionally making false allegations against innocent people. Regrettably, we see no such amendments in the proposed CSA.

Saifur Rahman is a senior IT specialist and certified professional at the Australian Computer Society.