Transparency International Bangladesh (TIB) has questioned the rationale for declaring “29 institutions” as critical information infrastructures under the powers afforded in Section 15 of the Digital Security Act 2018. In a notice sent to the media on Tuesday (August 4), the organization claimed that this list is questionable and misleading. Despite not supporting any state policy, the publication of this list raises several fundamental questions. TIB believes that this has once again justified the demand for a radical reform of the Digital Security Act. The government has published a list of 29 institutions as critical information infrastructure through a notification dated October 02.
TIB Executive Director Dr. Iftekharuzzaman said, ‘The Digital Security Act empowers the government to “declare any computer system, network or information infrastructure as critical information infrastructure”. But in the recently published gazette, 29 institutions are called important information infrastructure. Also, it is not clear on what basis this list has been made. For example, even when national security is mentioned, the Ministry of Defence, the Ministry of Home Affairs and the Armed Forces remain out of this list. Similarly, the National Parliament, Judiciary Department, Audit Department, Health Sector, Customs and Port Authority etc. have been left out. Except for four state-owned banks, none of the remaining banks made it to the list. Numerous other examples can be given. But these numbers confirm that the list is questionable and ill-considered. If not, assume.’
Critical Information Infrastructure in the Digital Security Act refers to any external or virtual information infrastructure, the loss of which would adversely affect public safety or economic security or public health and national security or state integrity or sovereignty. The Executive Director of TIB said, ‘There is a lack of clear policy or conceptual clarity in almost all areas of discussion, including national security. In such a reality, TIB feels that it is important to put national and public safety policies first. Because, if there is no clear policy guidance, safety will not be ensured, but the law will continue to be arbitrarily misused. Further, under the provisions of Section 16(3), there is a risk of hindrance in gathering news or gathering information under the Right to Information Act about the organizations listed in the notification. Because in the notification, instead of the organization’s computer network, the entire organization has been declared as an important information infrastructure.’
Dr. Zaman said, ‘By publishing this list, another weakness of the new digital security law has come to the fore. Section 17 of the Act provides for only “unlawful access” to critical information infrastructure. However, even in the presence of legal access, unauthorized performance is not considered. In the absence of security policies, what action will be taken in case of illegal entry and damage to such infrastructure from outside the country, has not come into consideration. This is yet another example of the law being framed as a tool of containment rather than ensuring digital security.’
TIB hopes that the government will take immediate steps to amend the Digital Security Act to prevent arbitrary abuses and ensure its true effectiveness.