Risks of Draft Amendments to Law on Information Security

Early last month, draft amendments to the Law on Information Security were initiated by the Parliament of Georgia; critics say the amendments contain a number of significant threats.

The proposed amendments fundamentally change the current cybersecurity system in Georgia. According to the draft, LEPL Operational-Technical Agency (OTA) of the State Security Service is to become the main coordinating and supervisory body of information and cybersecurity. The Agency will be entitled to cover the critical infrastructure of both public and private entities. A further agency will be added to the governance pillar of cybersecurity, which will be authorized to supervise relevant institutions, and at the same time cooperate with them.

The draft amendments suggest a three-tier categorization for objects of critical information infrastructure:

1. State agencies, institutions, LEPLs (other than religious organizations) and state enterprises;

2. Electronic communication companies;

3. Banks, financial institutions and other entities of private law.

The non-governmental organization Institute for the Development of Freedom of Information (IDFI) has said it believes the suggested changes will further complicate the cybersecurity management process, and will fail to provide precise roles and functions for the relevant structural divisions of the Ministry of Defense and the Ministry of Internal Affairs.

The organization says that according to the draft law, the Data Exchange Agency (DEA), a LEPL of the Ministry of Justice, will be responsible for exercising its powers in coordination with the LEPL of the State Security Service, OTA.

“Despite the fact that these two agencies will issue orders and other bylaws regulating information security, under the new arrangements, DEA will not have a supervisory mandate on the public sector and this function will be transferred to OTA. At the same time, DEA will be in charge of monitoring the standards of information security within the private sector only through close cooperation and coordination with OTA. Thus, in the given circumstances, the mandate of the DEA Computer Emergency Response Team is vague,” the NGO said.

The IDFI further noted that the proposed amendments will enable OTA to have access to the information infrastructure, systems and assets of objects of critical information falling under tier 1. Moreover, OTA will be granted the authority to manage the sensors and monitors installed at these institutions in order to identify relevant cyber-attacks.

“Modern information and communication technologies can be configured in a way that enables the collection of relatively vast categories of data, including real-time monitoring of the content. The abovementioned factors increase the risk of the State Security Service of Georgia gaining unlimited access to information on an indefinite number of individuals with the help of modern technologies,” the organization stressed.

It also noted that in the process of categorizing objects of critical information infrastructure, significant problems were identified related to objects falling under tier 2 and tier 3, which mainly include representatives of the private sector. The NGO claims that the most problematic aspect in that regard is the extent of tier 2, covering private electronic communication companies.

“In this case, the approach based on which the companies are grouped within tier 1 and tier 2 is ambiguous. It is also unclear why electronic communication companies are subject to a higher standard of accountability towards OTA,” IDFI said.

The NGO also stressed that according to a particular article in the amendments, the government will be given the authority to set certain restrictions for private companies purchasing, upgrading or using their respective IT systems.

“The noncompliance with these requirements will result in the imposition of administrative fines of up to GEL 5000. Such an approach per se is contradictory to the core principles of the free market and fair competition,” it added.

The IDFI called on the MPs not to support the suggested amendments due to the risks they contain. They also asked Parliament to start reforming the Cybersecurity System only after the National Cybersecurity Strategy and Action Plan are adopted.

The NGO underlined that the involvement of the local and international organizations and the private sector in the process of preparing draft amendments to the Law of Georgia on Information Security is necessary.

By Tea Mariamidze


28 November 2019 18:52