  • 8/10/2019 Draft Cybersecurity Bill 20150106 EN


    Unofficial translation by Thai Netizen Network, January 2015

    Memorandum of Principle and Rationale of [Draft] National Cybersecurity Act B.E.

    Principle

    To legislate on the maintenance of national Cybersecurity.

    Rationale

    The use of Information Technology (IT) in daily transactions and communications has led to an environment susceptible to cyber threats and crimes capable of causing widespread impact, which is now exacerbated and causing damages both on the personal and national levels. As a result, the protection and tackling of cyber threats or risks requires swiftness and co-operation with all relevant agencies in order to ensure timely protection and tackling, and to continuously maintain Cybersecurity. In order for Thailand to be able to appropriately protect, prevent, and tackle circumstances of cyber threats which may impact or jeopardise the service or application of computer network, internet, telecommunications network, or regular service of satellites in ways that affect national security, including military security, domestic peace and order, and economic stability; and to ensure the swiftness and uniformity of such execution, a Committee is set up to effectively and efficiently determine measures on national Cybersecurity.


    [Draft] National Cybersecurity Act B.E. …

    Section 1 This Act is called the "National Cybersecurity Act B.E. …".

    Section 2 This Act shall come into force after the expiration of '/ days from the date of its publication in the Government Gazette.

    Section 3 In this Act:

    "Cybersecurity" means measures and operations that are conceived in order to maintain national Cybersecurity, enabling it to protect, prevent or tackle circumstances of cyber threats which may affect or pose risks to the service or application of computer network, internet, telecommunications network, or the regular service of satellites in ways that affect national security, which includes military security, domestic peace and order, and economic stability.

    "State agency" means any ministry, department, State division otherwise called and having equivalent status of a department, regional authority, local authority, public organisation, state enterprise, and agency set up by an Act or a Royal decree, and this includes any juristic person, body of persons or person having the power to act in the government's operation in any case.

    "Officials" means persons appointed to execute this Act by the minister.

    "Secretary" means Secretary of the Office of the National Cybersecurity Committee.

    "Office" means the Office of the National Cybersecurity Committee.

    Section 4 The Prime Minister shall have charge and control of the execution of this Act.

    Chapter I
    National Cybersecurity

    Section 5 The maintenance of national Cybersecurity must operate to protect, tackle, prevent and reduce risks arising from circumstances of cyber threats which affect both internal and external national security covering economic stability, domestic peace and order, and which may affect military security or significantly affect the country's overall Cyber security, in a uniform manner. In doing so, consideration must be made as regards the coherence with the National Security Council's policy framework and master plan concerning the maintenance of security as approved by the Council of Ministers.


    The operation for the maintenance of Cybersecurity therefore must at least cover the following areas:

    (1) Integration of the country's Cybersecurity management;

    (2) Capacity building for the purpose of responding to Cybersecurity emergencies;

    (3) Safeguard of the country's important information infrastructure;

    (4) Alignment of co-operation between the public and private sectors on Cybersecurity;

    (5) Raising awareness of and knowledge on Cybersecurity;

    (6) Development of regulations and legislations on Cybersecurity;

    (7) Research and development on Cybersecurity;

    (8) Alignment of international co-operation on Cybersecurity.

    Chapter II
    The National Cybersecurity Committee

    Section 6 There shall be a committee called "The National Cybersecurity Committee (NCSC)" consisting of:

    (1) Minister of Digital Economy and Society as Chairperson;

    (2) Secretary of the National Security Council, Permanent Secretary of the Ministry of Digital Economy and Society, Permanent Secretary of the Ministry of Defence, Commander of the Technological Crime Suppression Division, the Royal Thai Police as 4 ex officio members;

    (3) Not more than 7 qualified members appointed by the Council of Ministers from persons having distinguished knowledge, expertise and experience in the fields of information security, information technology and communications, law, or other fields that are relevant and useful for the maintenance of Cybersecurity;

    The Secretary shall ex officio be member and secretary, and assistant secretary shall be appointed as deemed necessary.

    The selection of the qualified members in paragraph 1 shall comply with the Procedures specified by the Council of Ministers and published in the Government Gazette.

    Section 7 The NCSC shall have the following powers and duties:

    (1) to determine the approaches and measures for responding to and tackling cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage so that the NCSC becomes the centre of operation in the event of situation or circumstance concerning security in a timely and uniform manner, unless the cyber threat is such that affects military security, which is a matter within the powers of Defence Council or the National Security Council;


    (2) to determine the operation procedures for the co-operation and facilitation of operations with committees set up under other legislations, State agencies or private agencies in order to efficiently and swiftly solve the issues of cyber threat;

    (3) to determine the measures and approaches to improve the high-level skills and expertise of the Officials appointed under this Act;

    (4) to make operation plans on national Cybersecurity that are coherent with the policies, strategies and National Plans on the Development of Digital Economy and Society, and the National Security Council's policy framework and master plan concerning the maintenance of national security;

    (5) to make reports summarising the results of operations that result in significant impact and report these to the National Security Council and the Council of Ministers respectively;

    (6) to make recommendations and give opinions to the Digital Economy and Society Commission or the Council of Ministers on the process of considering approvals for plans, projects, operations of State agencies, and on the process of considering solutions for issues or obstacles, which include legislating or amending the laws concerning the maintenance of Cybersecurity, in order to ensure the stability and sustainability of the protection, tackling, prevention and reduction of risks arising from circumstances concerning cyber threats which affect both internal and external national security;

    (7) to appoint sub-committees or working groups in order to consider matters or act as entrusted by the Committee;

    (8) to order or co-operate with State agencies or private agencies in order to comply with policies or operation plans concerning the maintenance of Cybersecurity or perform other acts that are necessary for the maintenance of both domestic and international Cybersecurity;

    (9) to monitor and assess the execution of this Act;

    (10) to perform other acts concerning the maintenance of Cybersecurity as entrusted by the Digital Economy and Society Commission.

    Section 8 Qualified members shall have qualifications and not be under the prohibitions, as follows:

    (1) being of Thai nationality;

    (2) being bankrupt or having been dishonestly bankrupt;

    (3) being incompetent or quasi-incompetent;

    (4) having been sentenced by a final judgment to imprisonment notwithstanding the suspension of the sentence, except for an offence committed through negligence or a petty offence;

    (5) having been expelled, dismissed or removed from the official service, a State agency, a State enterprise, or a private agency on the grounds of dishonest performance of duties or gross misconduct.

    Section 9 Qualified members shall hold office for a term of 3 years.


    In the case where a qualified member vacates the office before term, the Council of Ministers may appoint another person to replace him/her and that person shall remain in office for remaining term of the qualified member, except where the remaining term of the qualified member is less than 90 days, the appointment of a new qualified member may not have to be made.

    Upon the expiration of term under paragraph 1, if a new qualified member has not yet been appointed, qualified members who vacate office shall remain in office to continue their duties until the new qualified members have been appointed.

    A qualified member who vacates office upon the expiration of term may be reappointed, but may not be appointed for more than 2 consecutive terms.

    Section 10 In addition to vacating office upon the expiration of term under Section 8 [1], a qualified member appointed by the Council of Ministers vacates office upon:

    (1) death;

    (2) resignation;

    (3) being dismissed by the Council of Ministers due to disgraceful behaviour, negligence or dishonesty in the performance of duty, or inefficiency;

    (4) being disqualified or under any of the prohibitions under Section 7 [2].

    [1] Translator note: it is suspected that Section 9 is meant here.

    [2] Translator note: it is suspected that Section 8 is meant here.

    Section 11 Meetings, voting, and the operation of the NCSC, sub-committees and working groups shall comply with the Rules specified by the Committee.

    In the performance of duty, the NCSC may entrust one or more members to perform in place of the NCSC, but the NCSC may not rely on this fact to relieve itself of responsibility.

    Section 12 The NCSC shall have the power to appoint consultants for the purpose of conducting studies, make recommendations, or perform any act as entrusted by the NCSC.

    The number of consultants appointed under paragraph 1 shall not exceed 5.

    Section 13 The NCSC shall receive meeting allowance and other benefits as specified by the Rules issued by the Council of Ministers.

    The sub-committees, working groups and consultants appointed by the NCSC shall receive meeting allowance and other benefits as specified by the Procedures issued by the NCSC.

    Chapter III
    Office of the National Cybersecurity Committee


    Section 14 The Office of the National Cybersecurity Committee shall be set up as a State agency having a juristic person, not being a State division or a State enterprise.

    Section 15 The Office shall have its headquarters located in Bangkok or a nearby province.

    Section 16 The activities of the Office shall not fall within the scope of application of the law on labour protection, the law on labour relations, the law on social security and the law on compensation, but Officials and employees of the Office shall receive remunerations and benefits not less than those specified by the law on labour protection, the law on social security and the law on compensation.

    Section 17 The Office shall have the following powers and duties:

    (1) to respond to and tackle cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage by issuing operation measures that take into account the degree of secrecy and the access to classified information;

    (2) to co-operate on operations with State agencies or private agencies in order to efficiently and swiftly solve the issues of cyber threat;

    (3) to co-operate with State agencies or private agencies for the purpose of collecting information on cyber threats, the prevention and tackling of circumstances of cyber threat, and other information concerning the maintenance of Cybersecurity, to be analysed and submitted to the NCSC for consideration;

    (4) to manage overall plans and co-operate on the management and the execution of the operation plans or orders of the NCSC;

    (5) to monitor and speed up the operations of the State agencies involved in maintaining Cybersecurity, and report to the NCSC;

    (


    (13) to perform other acts concerning national Cybersecurity as entrusted by the NCSC or the Council of Ministers.

    Once the Council of Ministers approves the operation plan on national Cybersecurity under (1), the Office shall co-operate with the State agencies involved in order to carry out such plan.

    Section 18 For the purpose of the fulfilment of the objectives under Section 17, the Office shall have the following powers and duties:

    (1) to acquire ownership, possessory right and other proprietary rights;

    (2) to create a right or enter into all kinds of legal transactions binding on a property, including other legal transactions for the benefit of the Office's carrying out of its activities;

    (3) to enter into an agreement and co-operate with other organisations or agencies, both in the public and the private sectors, in activities concerning the fulfilment of the Office's objectives;

    (4) to perform other necessary or continuous acts for the purpose of fulfilling the Office's objectives.

    Section 19 The funds and assets for the Office's operation consist of:

    (1) Money and assets transferred under Section 34;

    (2) General subsidies as appropriately allocated by the Government;

    (3) Subsidies from the private sector, local authorities, or other agencies including foreign sources or international organisations, and money or assets from donation;

    (4) Interests or income from the assets of the Office.

    The manner in which money or assets is/are obtained under (3) shall not deprive the Office of its autonomy or impartiality.

    Section 20 All income received by the Office shall belong to the Office for the purpose of paying expenses incurred in the operation of the Office and shall not be included in the State's income.

    Section 21 There shall be a Secretary who is directly accountable to the Chairperson of the NCSC as regards the operation of the Office and supervises the Officials and employees of the Office.

    As regards activities dealing with third parties, the Secretary shall represent the Office. The Secretary may entrust any person to perform any specific act in his place in accordance with the Rules issued by the Committee and published in the Government Gazette.

    The Committee shall have the power to select, appoint and remove the Secretary.

    Section 22 A candidate for the position of the Secretary shall have the qualifications as follows:

    (1) being of Thai nationality;

    (2) being not more than


    (3) being able to work for the Office full-time.

    Section 23 A person having any of the following prohibitions shall not take the position of the Secretary:

    (1) being bankrupt or having been dishonestly bankrupt;

    (2) being incompetent or quasi-incompetent;

    (3) having been sentenced by a final judgment to imprisonment notwithstanding the suspension of the sentence, except for an offence committed through negligence or a petty offence;

    (4) being a civil servant, official or employee of a State division or a State enterprise or another State agency or a local authority;

    (5) being or having been a political official, a person holding political position, a member of local assembly or local administrator, except where such person vacates office for not less than 1 year;

    (6) being or having been a director or a person holding any other position in a political party or an official of a political party, except where such person vacates office for not less than 1 year;

    (7) having been expelled, dismissed or removed from the official service, a State agency, a State enterprise, or a private agency on the grounds of dishonest performance of duty or gross misconduct.

    Section 24 The Committee shall determine the rate of salary and other benefits of the Secretary.

    Section 25 The Secretary shall hold office for a term of 4 years.

    The Secretary who vacates office upon the expiration of term may be reappointed, but may not be appointed for more than 2 consecutive terms.

    Section 26 In addition to vacating office upon the expiration of term, the Secretary vacates office upon:

    (1) death;

    (2) resignation;

    (3) being disqualified under Section 22 or being under any of the prohibitions under Section 23;

    (4) being removed by a resolution of the Committee due to negligence or dishonesty in the performance of duty, disgraceful behaviour or inefficiency.

    Chapter IV
    Operation and Tackling of Cyber Threats

    Section 27 Once the NCSC produces the Master Plan on National Cybersecurity, the Office shall produce approaches, measures, operation plans, or projects on the maintenance of Cybersecurity that are coherent and consistent with such policy and master plan.


    Once the Committee approves the approaches, measures, operation plans, or project(s) on the maintenance of Cybersecurity and these come into effect, the NCSC, in case of necessity, shall have the power to amend or supplement these as appropriate.

    Section 28 The performance, by State agencies, of acts within their powers and duties under the law(s) applicable to them shall be coherent with the approaches, measures, operation plans, or projects under Section 27. Such performance is deemed to be the execution of that which is required by the Council of Ministers.

    The head of State agencies shall have the duty of ensuring that the performance under paragraph 1 is carried out smoothly and achieves its goals in the specified timeframe.

    In case where the NCSC monitors the progress and assesses the performance, including where it performs any act, State agencies shall have the duty of assisting and facilitating such performance of duty.

    Section 29 In case where it is deemed appropriate, the NCSC may require State agencies to submit a list of persons responsible as regards the approaches, measures, operation plans, or projects on the maintenance of Cybersecurity or of persons responsible in the localities, to the NCSC for the purpose of appointment of person(s) responsible for the operation of preventing and solving issues of cyber threat.

    The person(s) appointed under paragraph 1 shall perform the operation by adhering to the operation plans, resolutions, or commands of the NCSC or the orders of the Chairperson of the NCSC or of any person entrusted by the Chairperson with the approval of the NCSC.

    Non-performance of paragraph 2 is deemed to be insubordination to the supervising official.

    Section 30 The Prime Minister shall be in command with powers to control and direct the maintenance of Cybersecurity across the country in accordance with the operation plans on the maintenance of Cybersecurity and this Act. For this purpose, the Prime Minister shall have the power to command and order the persons responsible for the operation under Section 28 [3] across the country.

    [3] Translator note: it is suspected that Section 29 is meant here.

    Section 31 In case where the NCSC issues a resolution holding that a ministry, State agency or any person in charge of executing this Act fails to execute this Act or operates in contravention of an approach issued under this Act, the NCSC shall advise the ministry, State agency, or the person so in charge to correct, cancel or terminate such act within a specified timeframe. In case where the ministry, State agency or the person so in charge fails to comply with the resolution of the NCSC within the specified timeframe without reasonable excuse, the Permanent Secretary of the ministry, the head of the State agency or the person so in charge, depending on the circumstances, shall be deemed to have committed a disciplinary breach and the matter shall be submitted to the relevant authority for the purpose of disciplinary proceedings.


    In case where a consequence of the failure to comply with the resolution of the NCSC under paragraph 1 causes serious damage to the civil service, such persons shall be deemed to have wrongfully performed their duty or have committed a gross disciplinary breach, depending on the circumstances.

    In case where the person failing to comply with the resolution of the NCSC under paragraph 1 is a minister, the NCSC shall report to the Prime Ministry for his/her consideration for action as he/she sees fit.

    Section 32 In case where an incident of cyber threat occurs or is expected to occur in the information system under the supervision of any State agency, that State agency or the person in charge of the operation under Section 28 [4] shall promptly report such incident to the Secretary.

    Once the Secretary is informed of such incident under paragraph 1, he/she shall immediately take appropriate action to prevent or solve such cyber threat and report to the NCSC for its consideration for action.

    [4] Translator note: it is suspected that Section 29 is meant here.

    Section 33 Upon the occurrence of an emergency or danger as a result of cyber threat that may affect national security, the NCSC shall have the power to order all State agencies to perform any act to prevent, solve the issues or mitigate the damage that has arisen or that may arise as it sees fit and may order a State agency or any person, including a person who has suffered from the danger or may suffer from such danger or damage, to act or co-operate in an act that will result in timely control, suspension, or mitigation of such danger and damage that have arisen.

    In case where a person is known to be involved in the causing of the cyber threat, the NCSC shall have the power to prohibit such person from acting in any way that will result in aggravating the violence resulting from the cyber threat.

    Section 34 In case where it is necessary, for the purpose of maintaining Cybersecurity, which may affect financial and commercial stability or national security, the NCSC may order a State agency to act or not to act in any way and to report the outcome of the order to the NCSC as required by the Notification of the NCSC.

    Chapter V
    Officials

    Section 35 For the purpose of performing their duties under this Act, the Officials who have been entrusted in writing by the Secretary shall have the following powers:

    (1) to issue letters asking questions or requesting a State agency or any person to give testimony, submit an explanation in writing, or submit any account, document, or evidence for the purpose of inspection or obtaining information for the benefit of the execution of this Act;

    (2) to issue letters requesting State agencies or private agencies to act for the benefit of the NCSC's performance of duty;


    (3) to gain access to information on communications, either by post, telegram, telephone, fax, computer, any tool or instrument for electronic media communication or telecommunications, for the benefit of the operation for the maintenance of Cybersecurity.

    The performance under (3) shall be as specified by the Rules issued by the Council of Ministers.

    Section 36 Officials are prohibited from disclosing or passing on the information obtained under Section 35 to any person.

    Paragraph 1 shall not apply to cases where such acts are done for the purpose of prosecuting offenders under this Act or for the purpose of prosecuting Officials involved in abuse of powers or where such acts are ordered or authorised by the Court.

    Any Official who violates paragraph 1 shall be liable to imprisonment for a term not exceeding 3 years, or to a fine not more than


    of salary or wage as specified by the Committee, but these shall not be less than their previous salary or wage.

    Section 42 The Electronic Transactions Development Agency shall perform the duties of the Office of the National Cybersecurity Committee until such time that the Office is set up in accordance with this Act.

    Section 43 Once this Act comes into force, during the initial period, the committee shall consist of the Minister of Digital Economy and Society as Chairperson; the Permanent Secretary of the Ministry of Digital Economy and Society as Vice-Chairperson; the Secretary of the National Security Council, the Commander of the Technological Crime Suppression Division, the Royal Thai Police as members; and the Director of the Electronic Transactions Development Agency as member and secretary.

    The committee under paragraph 1 shall temporarily perform the duties of the Committee until such time that the Committee under this Act is set up, the timeframe for which shall not exceed 90 days from the date of coming into force of this Act.

    Countersigned by:

    …

    Prime Minister

