Is the Conversation on Thailand’s New Cybersecurity Legislation Framed Too Narrowly?
There is a worrying divide between what some recent headlines say about the impact of Thailand’s new cybersecurity legislation on civil liberties and its argumentative thrust. The bill, which unanimously sailed through the National Legislative Assembly’s final reading in early March, set off tremendous domestic unease about a new monster in the closet: unrestrained powers of the state to access personal communications and fish out dissidents under the guise of securing the cyberspace. Given that the junta’s critics have been charged under the amended Computer Crimes Act, which forms another important legal pillar of Thailand’s emerging digital economy to regulate online content, it is reasonable that critics are out looking for the devil in the details. But criticisms premised on the notion of “Big Brother” result in an extremely narrowed framing of the legislation in which serious national security questions in the digital era are overlooked – with negative implications for Thailand’s national security and economic interests.
A close reading of the legislation reveals that the protection of the integrity of systems, networks, and data related to critical infrastructures is the centerpiece of the document as opposed to online content regulation. The bill mandates strict oversight of operators and compliance requirements, which reflects the need to force technical changes among relevant operators in order to mitigate national security threats from unauthorized data exposure and manipulation. As Thailand prepares its leap to a technology-driven economy, a robust oversight is needed to ensure that the government can effectively deal with existing threats to the resilience of the national digital infrastructure and confidence in consumer internet-of-things (IoT) devices.
What Government Oversight of Cybersecurity Is – And What It Isn’t
As digital technology becomes intertwined with every aspect of government, business, and private activities, threats to cyber-physical systems, networks, and personal information have also become more widespread. Just less than a year ago, for instance, a massive data breach occurred at two major Thai commercial banks, affecting at least 123,000 customers. These incidents suggest that apart from damages to confidence in services across domestic and global markets, the lack of robust cybersecurity controls could hamper the Thai government’s ability to manage its 4.0 Strategy aimed at leveraging technology and innovation to break the country out of the middle-income trap.
The digital infrastructure, upon which other sectors, enterprises, and society at large hinge on, should be reliable and resilient when confronted by cybersecurity threats of all kinds – be they from criminal enterprises, hacktivists, or other nation-states. The cybersecurity legislation’s prescription of greater government oversight – from compelling enterprises to adopt higher operational standards, mandating regular assessments, and demanding reports of significant cyber incidents – undoubtedly drive up the costs of doing business. However, breaches from cyberattacks show that end users and operators already bear great costs for such security lapses. In keeping with Andrew J. Gotto and Christos Makridis’ observations, allowing critical infrastructures to operate without effective oversight mechanisms impedes the ability of the government to conduct proper assessments of cyber risks confronting enterprises, guide investment decisions, and craft proportional and tough responses.
The notion of oversight need not always be synonymous with authoritarian centralization as some suggest. In fact, there are merits of establishing an executive committee like the National Cybersecurity Committee as the overarching point of contact and authority on cybersecurity policy decisions. As Kevin Newmeyer discusses in his paper on finding an appropriate authority to lead US cybersecurity efforts, it is important to bear in mind that because cybersecurity is a multifaceted issue that requires a whole-of-government approach, existing turf wars among relevant ministries and agencies to preserve their prerogatives and privileges could lead to a lack of strategic focus, overlapping missions, and weak interagency coordination and collaboration in responding to serious national security threats. Similar to a national coordinator, NCSC gives the prime minister the power to pull together different jurisdictions such as the Royal Thai Police, Ministry of Digital Economy and Society, and Ministry of Defense to exact compromises and compliance.
Expanding the National Cybersecurity Conversation
Concerns surrounding threats posed to civil liberties and protection from government abuse naturally claim a rightful place in the national debate on cybersecurity. But the vulnerability of systems and networks that have tremendous bearings on the economic direction of the country also deserve great attention. To foster a more holistic discussion on the national cybersecurity question, the Thai government should double down on efforts to address remaining concerns as they prepare to promulgate an additional set of organic laws on cybersecurity. These points of contention range from the exact facilities and installations that fall into the clusters of the critical infrastructures specified in Section 49 to the legal designs that are in place to prevent an operator’s sensitive data from being abused and manipulated by state investigators in the event of a cyber-related incident.
Moving forward, it is imperative that the Thai government revamp its public relations approach to be more commensurate with the digital era. Following the passage of the legislation, state efforts in engaging with the public clung to the old habit of insularity that steered clear of providing a comprehensive explanation of the bill. Maintaining such a tight-lipped approach, as opposed to actively leveraging existing social media devices and platforms to foster a two-way public discussion, further damages the public’s trust in what they already perceive to be corrupt and unresponsive governing institutions.