
Cyber Control in the name of Safety Protection

February 22, 2012

Tazo Kupreishvili, Netgazeti

The state is going to take on responsibility for solving the informational safety problems of major private and state departments. The information protected in the computer systems of these departments will be accessible while a problem that has arisen in the system is being eradicated.

MPs from the majority presented the Draft Law on Informational Safety to regulate this issue. According to the draft law, the state will oversee the protection of informational safety of significant state and private departments. In order to do so, the state might receive authorization to access the information protected in the computer systems of these companies.

The draft law presented by MPs Kakhaber Anjaparidze and Zviad Kukava was registered in the Parliament last week. The first hearing has not taken place yet.

Some specialists think the Draft Law on Informational Safety is vague and uncertain and that, if the existing formulation is adopted, a lot of information protected in the computer systems of private organizations will become accessible to the government.

According to the draft law, a unified system should fight cyber threats.

The Draft Law on Informational Safety introduces new terms like “critical infrastructure,” which refers to the legal entities, state bodies and other spheres of state activity the “steady functioning of which is important for the defense and economic safety of the state and normal functioning of government and public.”

According to the legislative initiative, a subject of critical infrastructure is obliged to present its informational safety policy, and any subsequent changes to it, to the Agency of Data Protection, a state body under the authority of the Ministry of Justice.

Elaborating an informational safety policy will become mandatory. In addition, the subjects of critical infrastructure will be obliged to create the post of informational security officer, who will be responsible for implementing the informational policy.

The Agency for Data Exchange will be the only body authorized to conduct audits of informational security, and the payment for this service will be determined by contract.

The draft law also states that the Group of Fast Reactions of the Agency of Data Exchange of the Ministry of Justice will be responsible for reacting to any cyber threat.

The Group of Fast Reactions has the right to request access to the information assets of a subject of infrastructure and to its information system if such access is essential for an adequate reaction to an ongoing or already occurred computer incident.

Goal of Draft Law

According to the authors, the Draft Law on Informational Security serves the goal of effective protection of informational security, and for this aim it determines the main standards of informational security and legal and institutional grounds for implementing cyber-threats. The draft law establishes the rights and responsibilities of the public and private sectors in the sphere of protection of informational security. It also determines the mechanisms for state control, such as determining the subjects of critical infrastructure, creating a monitoring system of audit, inventory of assets, classification of information and other obligations.

According to the authors of the draft law, technologies play an important role in the daily life of the citizens of Georgia and in the process of fulfilling state obligations. The dependence on modern technologies grows rapidly.

“Therefore, the impediment of the existing systems may cause irreparable political-economic damage to the country, the most obvious example of which is the cyber attack against Georgia in August of 2008,” – the authors state in the explanatory note of the draft law.

Big Goal, Vague Draft Law

A certain group of specialists thinks that the Draft Law on Informational Security has “big aims.” However, it is too vague and uncertain and creates certain risks.

Tamar Kordzaia, a lawyer at the Georgian Young Lawyers Association (GYLA), states that the draft law has vague terminology such as: confidential information, restricted information, non-classified information.

“The fifth paragraph of article three of the draft law states that these provisions will not affect the provisions of Georgian legislation which regulate the freedom of information, protection of personal data and private and commercial secrets. According to the Georgian Constitution, state, commercial or personal secrets are different types of information. It is uncertain which secret information this law protects. Also, it is vague to which category this informational security belongs – commercial, state or private,” – Tamar Kordzaia states.

According to Tamar Kordzaia, this is a “very dangerous possibility” for the state to intervene in the work of a private legal entity. Tamar Kordzaia states that protecting its own informational security is in the interests of a private person and the state should not intervene in this matter. According to her, the law needs to explain precisely why the state intervenes in the interests of private business and why it thinks that it can protect the informational security of banks, for instance, better than they could do it themselves, especially considering the huge damage the banks would experience if they did not protect their own systems.

“The state needs more argumentation in this aspect. Otherwise, it seems like the state wants to intervene in the work of private sector and have access to information protected in the computer systems of private sector. The state needs to be protected – the goal is acceptable but the ways for reaching this goal are very uncertain. Besides, it will be the Security Council which will intervene in all this. It will set the criteria for safety and then the President will confirm these criteria,” – Tamar Kordzaia stated to Netgazeti.

Dimitri Khachidze, a lawyer at the NGO Article 42 of Constitution, also talks about the shortcomings of this draft law.

According to him, article 2 of this draft law states that besides the state bodies, any legal entities, the list of which is determined by the President in six months after the adoption of this law, can be considered to be a “subject of critical infrastructure.”

“I think it should have been done vice versa. First we should have determined who and what we are protecting and we should have adopted the law with the direct involvement of those people,” – Dimitri Khachidze stated to Netgazeti.

According to the lawyer, the state body (in this case the Data Exchange Agency of the Ministry of Justice) should protect its own information, but when it intervenes in the protection of the private sector, a different kind of regulation is needed.

Dimitri Khachidze also states that the Law on Informational Security should include a provision that the state cannot use against anybody the commercial or private information it receives while taking measures to ensure informational safety.

Tamar Kordzaia thinks that another shortcoming of granting the status of “subject of infrastructure” to legal entities is that it will be done by order of the President and will not be written into the law itself.

“It seems like this can be applied to any legal entity which uses computer technologies in its work,” – Tamar Kordzaia thinks.

Inaccuracies in the Draft Law

Konstantin Stalinsky, a specialist in internet technologies, states that the draft law contains major terminology mistakes regarding informational security and that information on certain issues is presented incorrectly.

According to Stalinsky, the term “non-classified” information is the result of a wrong translation.

“Classified information means ‘secret information.’ In general, classification of information does not belong to the protected sphere, i.e. granting X category to certain N article of certain publication does not mean the classification of information. This has nothing to do with the Classified information,” – the computer technology specialist states.

According to Konstantin Stalinsky, the state body (Data Exchange Agency) should not conduct the audit of the informational security of a private legal entity. According to him, private companies have been doing this for years abroad, and international companies also have experience in conducting quality audits.

According to the computer technology specialist, the presented draft law raises many questions, i.e. “what rights and responsibilities the Data Exchange Agency has? Will it have the right to request information protected on servers of private companies (databases)? Do you have to consult with the Data Exchange Agency to delete information from computer systems? Also, whether the service rendered by this agency will require payment, etc.”

The authors of the draft law explain in the explanatory note that adoption of this draft law and the legal regulation of critical infrastructure will protect the country from cyber threats like the one that the country went through in the August war of 2008.

According to Konstantin Stalinsky, in August of 2008, besides the breaking of sites, DDoS attacks were used massively. This type of cyber attack involves 2-3 million IP addresses artificially accessing a website as if to get information. The server and the line cannot endure the load, and they “get turned off” as a result.

According to the specialists, it is impossible to prevent these kinds of cyber attacks in advance, especially with the measures envisaged by the draft law currently presented in the Parliament.
