Cybersecurity Regulation 2024: Progress or Pitfall?

Thu, Dec 26, 2024, 6:27 p.m
Last updated on: Thu, Dec 26, 2024, 6:34 p.m

Zarif Faiaz

Thu, December 26, 2024, 6:27 p.m. Last updated on: Thu, December 26, 2024, 6:34 p.m

One of the most controversial aspects of the regulation is the broad authority it grants to the Director General of the National Cyber ​​Security Agency. Image: Zarif Faiaz

“>

One of the most controversial aspects of the regulation is the broad authority it grants to the Director General of the National Cyber ​​Security Agency. Image: Zarif Faiaz

The Government of Bangladesh’s draft Cyber ​​Security Regulation 2024 has reignited debates on digital rights and governance. The regulation aims to strengthen cybersecurity and combat crimes in cyberspace and has drawn sharp criticism for its vague provisions, uncontrolled powers and lack of safeguards against misuse. Many experts argue that the proposed law is in some ways more regressive than its predecessors, including the Digital Security Act, the Cyber ​​Security Act and the ICT Act.

Scope and purpose of the regulation

The draft regulation is divided into nine chapters and 52 sections and covers a wide range of topics, including preventive measures, crimes and punishments, and the establishment of the National Cyber ​​Security Agency and the National Cyber ​​Security Council. Cyberspace is defined broadly to include digital networks, telecommunications systems and physical infrastructure. Its stated purpose is to ensure cybersecurity, protect digital assets and prosecute cybercrimes. While the draft attempts to rationalize non-criminal acts and claims to the protection of personal freedoms and freedom of expression, critics point to significant gaps and ambiguities.

Vague provisions and extensive discretionary powers

One of the most controversial aspects of the regulation is the broad authority it grants to the Director General of the National Cyber ​​Security Agency. Under clause (8), the Director General may request the Bangladesh Telecommunication Regulatory Commission (BTRC) to remove or block information deemed harmful, with the BTRC empowered to act in “appropriate cases”. Critics argue that the term “appropriate cases” is undefined and leaves room for subjective interpretation and possible misuse to suppress dissent.

The regulation also gives decision-making powers regarding the “development of cybersecurity” to the National Cyber ​​Security Council, headed by the head of state and supported by the government and intelligence agencies. However, the lack of clarity about what constitutes “cybersecurity development” raises concerns about overreach and accountability. Provisions to collect data for “global threat intelligence” further exacerbate fears as they lack procedural safeguards and could facilitate surveillance and repression under the guise of regional and international cooperation.

Structural Gaps and Enforcement Concerns

Several structural weaknesses in the draft were identified, particularly in relation to censorship, surveillance and state consolidation of power. Section (36) allows searches, seizures and arrests without a warrant and requires reports to be submitted to a court, but without a specified time limit. The lack of a reporting deadline increases the risk of harassment and abuse by authorities. Similarly, sub-section (3) of section (48) allows seizure of legitimate digital materials if they are found along with prohibited content. Critics warn that this provision could lead to companies or organizations being unfairly closed.

The regulation does not take into account the increasing threats posed by artificial intelligence, particularly in crimes involving deepfake technology, where victims’ voices, images and videos are manipulated to cause harm. Provisions to protect whistleblowers are also lacking, leaving those who expose cybercrimes vulnerable to retaliation. Additionally, the draft does not require organizations to notify customers or the public after cyberattacks, even if citizens’ data, finances or digital assets are compromised.

Token clauses and unrealistic guarantees

One provision grants citizens the right to 24-hour Internet access, a seemingly progressive step. However, experts argue that this clause is largely symbolic, as existing laws allow state-sanctioned grid disruptions. Without going into the legal framework that allows such an intervention, the guarantee is considered unworkable and unrealistic.

Criticism of the legislative process

The government’s decision to allow only three days for public feedback on the draft regulation has drawn widespread criticism. Advocacy groups deplore the lack of meaningful dialogue and transparency and describe the process as disrespectful to citizens’ right to participate in shaping laws affecting their digital rights. The hasty approach reflects poorly on the government’s commitment to reform and undermines confidence in its intentions.

Critical sectors are overlooked

The regulation overlooks key sectors vulnerable to cyberattacks, particularly transportation and healthcare, which are critical to public safety. Experts recommend including the ministries responsible for these sectors in the Cyber ​​Security Council to ensure comprehensive protection against potential threats.

A step forward or a step backwards?

While the regulation addresses some of the weaknesses of its predecessors, such as the attempt to rationalize non-punishable crimes, it retains and introduces provisions that raise serious concerns about civil liberties and digital rights. The lack of transparency, the absence of procedural guarantees and the extensive discretionary powers of the authorities make the regulation a potential instrument of abuse rather than protection.

Critics emphasize the need for significant changes to ensure the regulation is in line with global digital rights and cybersecurity standards. Without these changes, the Cyber ​​Security Regulation 2024 risks perpetuating the same problems that have plagued Bangladesh’s digital governance for years, leaving citizens vulnerable to surveillance, censorship and government overreach.