Government’s cybersecurity policy raises privacy and implementation concernsNational Cyber Security Policy has some features that will potentially harm internet ecosystem and digital rights.
Amid a steep rise in both cybercrime cases and complaints in recent years, the Cabinet on August 8 endorsed the National Cyber Security Policy 2080 BS (2023).
While multiple stakeholders welcomed the move, they also pointed out that the new policy lacks a collaborative approach and seems to be a copy of similar measures in neighbouring countries.
“The government consulted only a few stakeholders. Worse, it failed to incorporate even the limited feedback it got into the new policy. The policy is also highly influenced by similar measures in neighbouring India and China,” said Taranath Dahal, chief executive of Freedom Forum Nepal, an organisation that works for the right to information. “It’s a welcome initiative as we don't have a cybersecurity law, policy or data protection law. But it also has some objectionable provisions.”
Until now, the country has been dealing with cybercrime-related complaints as per the Electronic Transactions Act, 2063 (2008). But this law does not address specific cybercrimes and emerging threats.
Dahal questioned the policy that talks about the government-owned network internet, as well as the National Internet Gateway, which centralises control over all incoming and outgoing domestic and international internet traffic through a single infrastructure.
“This type of surveillance whereby all internet traffic comes to the country through a single government gateway is enforced only by autocratic regimes,” the Digital Rights Nepal, an advocacy group to strengthen civic space and digital rights, says in its analysis of the government’s policy paper. In the analysis paper released on Monday, the organisation said such a system was implemented by Cambodia and international human rights organisations including the Amnesty International and Human Rights Watch had seriously objected to it.
“The internet is a global and decentralised platform. But the new provision could be used for data surveillance, which is not in keeping with a democratic system,” Dahal said.
Last year, 33 human rights organisations had asked the Cambodian authorities to revoke the establishment of the National Internet Gateway, calling it a serious human rights concern as it allowed the establishment of a digital gateway to manage all internet traffic in and out of Cambodia.
Cybersecurity expert Vivek Rana said the new policy is ‘controlling’. “Policies should always address the problems of society, businesses and the country. But that is not the case with the recently-released government policy,” said Rana.
He said the policy was aimed more at controlling people’s data rather than boosting trust in the country’s IT and digital systems.
But Netra Subedi, spokesman and joint-secretary at the Ministry of Communication and Information Technology, said the policy aims to promote self-regulation among the public. “This is the first time the government has called for an open discussion on the issue,” Subedi told the Post. “We have asked for feedback by publishing the draft of the policy on our website.”
Cybersecurity expert Rana, however, said the policy’s main drawback is that it has national security at its core, and hence is aimed at control rather than fostering a business-friendly environment for the public.
Dahal appreciated the government’s plan to create ‘cyber-resilient space’ and to climb up the Global Cybersecurity Index (GCI), a trusted reference that measures the commitment of countries to cybersecurity at a global level.
He, however, criticised the policy for lacking clarity on the procurement process for surveillance equipment, saying this could invite the risk of financial embezzlement.
Dahal also claimed that the policy tries to control media content with cybersecurity tools, when there is already a media law to look into such matters.
Earlier, in May first week, when the ministry was working on the new policy, various stakeholders, including civil society organisations, had called for an open, safe, harmless, and human rights-friendly cyberspace in the country.
ICT experts, meanwhile, are particularly concerned about the policy’s implementation, saying it alone would be inadequate unless it is backed by necessary laws and rules.
“It's good that a new policy has been drafted, but the most important things are infrastructure and new laws for its successful execution,” said ICT expert and lawyer Satish Krishna Kharel.
“For cybersecurity to be effective, we need both tangible and intangible infrastructure including well-trained manpower.”
He said Nepal’s policies are always good on paper, but seldom are they well executed.
Over the past few years, the country has faced many security breaches on government websites. In late January, about 1,500 government websites were shut down by hackers.
Pashupati Kumar Ray, spokesman for the Nepal Police cyber bureau at Bhotahity, said the country is embracing a cyber security policy due to the constant evolution of cyber-related crimes. “The new law should address cyber-related issues for an individual, businesses as well as national security issues,” said Ray.
The impact of cybercrimes at an individual level is more alarming. According to the cyber bureau, it got over 16,000 complaints in the past four years. Until a few months ago, they would get an average of 60 to 70 complaints a day, but officials say the numbers have seen a sharp rise. A majority of complaints are related to hacking of email and social media passwords, and other general issues.
Meanwhile, cyber security expert Rana said he is more concerned about how the cyber security policy will translate into law in Parliament.
He said at a time when Parliament is reluctant to enact laws concerning social issues they are already familiar with, the lawmakers could struggle to comprehend the new bill on cybersecurity. “It’s also important to address the impact of the internet from the business and societal perspective, and that is missing in the policy,” said Rana.
The government’s new cyber policy talks of providing a resilient cyber space and a national computer emergency response team in all seven provinces. It also discusses the promotion of ethical hacking, and running digital literacy programmes on cyber security for vulnerable groups like women, children and elderly people.
The policy, moreover, mentions a programme to protect online harassment and spam messages, and applying a surveillance technique to control misinformation through social media. It aims to control various kinds of online harassment too.
Santosh Sigdel, founder and chairman of Digital Rights Nepal, the advocacy group, said the new policy contains some concerning provisions that might have a long-term impact on the internet ecosystem and digital rights in the country.
“The policy does not mention the objectives and necessity for a National Internet Gateway, which was neither included in the draft version, nor discussed with the stakeholders,” Sigdel said.