Fortifying Nepal’s Cybersecurity: Analyzing Legislative Initiatives – myRepublica


A major challenge of cybercrime is it involves cross-border issues 

Though the bill has envisaged establishing a dedicated national cyber security center, doubt remains whether the center will appoint the right person in the right place, or will the center be a mere “center” for political appointment and a means to recruit “my person” as it remains in another existing center/department.

Cyber threats are not new in Nepal. There have been numerous instances in the past where private as well as governmental websites have been hacked. It is also common to hear that many social media accounts have been hacked and in numerous instances, we have also been requested to report the account/pages by our near ones. All these issues are primarily due to a lack of a secured security system and prevention wall. However, cyber literacy is one of the other fundamental issues which is lagging in Nepal. The government is keen to share the increasing numbers of internet penetration but the vulnerable side of the internet has never been the talk of the town in Nepalese society.

Keeping aside the cyber literacy issue, the Ministry of Communication, and Information Technology (Ministry) prepared a Draft Information Technology and Cyber Security Bill 2024 (Draft Bill) which was also issued for public feedback, to overcome the cybersecurity challenges and regulate the cybersecurity aspect in Nepal. The said bill is a merger of two separate bills i.e. Information Technology Bill (which has been in discussion since 2017) and the Cybersecurity Bill 2022.

The Draft Bill after being enacted will replace the existing Electronic Transaction Act 2006. The Draft Bill has dealt with issues about prevention of cyber security threats and cyber security incidents along with regulation of the cyber security service providers. The Bill requires licenses for operating data centers and cloud services within the territory of Nepal which are subject to renewal every year. These data center and cloud service providers are required to comply with the security standards which shall be examined by the licensing authority.

Further, it has envisaged critical information infrastructure which however has not been defined within the act and shall be prescribed in the Nepal Gazette by the Government of Nepal with the recommendation of the cyber security center (which is a new authority created by the bill). These identified critical information infrastructures must comply with security requirements including reporting of any cyber incidents. Any person to provide cyber security audit services has to be listed in the center along with an entity dealing with prescribed hardware and software relating to cyber security. Blockchains, Machine learning, Artificial Intelligence, Internet of Things (IoT) are some of the terms used in the bill and requires its discipline and transparent use.

It is a welcoming step that the government has realized the importance of cyber security and has come up with the Draft Bill. However, cybersecurity being a transforming issue requires dedicated technological human resources. We have on numerous instances been spectators of the technological wars where hackers have been attacking through cyber threats and hacking the governmental technological infrastructure. Hence, to defend, such law enforcement authority must be well equipped with the technology and human resources. Though the bill has envisaged establishing a dedicated national cyber security center, doubt remains whether the center will appoint the right person in the right place, or will the center be a mere “center” for political appointment and a means to recruit “my person” as it remains in another existing center/department.

The bill has rightly envisaged critical information infrastructure. However, the bill does not provide any hint on what critical information infrastructure to consider. It just provides that such infrastructures shall be identified by the government as shall be published in the Nepal Gazette, which is a good practice to do. However, the bill should lay down the basis by which such infrastructure shall be identified. In the absence of such a basis, it gives wide power in determining such critical infrastructure which is again an excessive power delegated to the government. The previous cybersecurity bill 2022 had provided a basis on which the critical infrastructure can be identified, which, however, has been removed in the recent draft bill.

The draft mandates that government, public, financial, and health service providers must handle certain data within Nepal’s borders. While this aims to protect sensitive data, it raises concerns for businesses like international card companies and e-commerce firms operating in Nepal without a physical presence. Before enforcing strict data localization, factors like technical capabilities and data protection laws need consideration. The policy should clarify objectives while balancing innovation and data privacy. Additionally, the bill lacks clarity on cross-border data transfer, crucial for global businesses, suggesting a need for a mechanism to transfer data while meeting privacy compliance requirements.

It is another positive aspect that the bill has mandated the appointment of a data protection office by every government authority (ministry, commission, departments, etc.). However, with growing technological dependency and e-services, such appointments must also extend to private entities dealing with personal information/sensitive information. The wholesome appointment by every entity may be costly and may not be business efficient. Hence, a basis must be adopted where private entities are required to appoint data protection officers. Basis is like an entity dealing with personal and sensitive data on a large scale or whose primary and core business activity is dependent on processing personal information. The same also applies to reporting of the cybercrime, the reporting requirement at the moment is only mandated to the critical infrastructure. However, such reporting requirements must extend to all the entities dealing with personal data. Additionally, the bill should also clarify the types of crimes to be reported and, the contents of the report, specify a timeframe for reporting, or outline consequences for non-reporting.

To conclude, it is crucial to guarantee that law enforcement agencies possess adequate skills and resources to effectively investigate and respond to reported cyber-attacks. Simply enacting laws to criminalize malicious cyber activities is insufficient. To be truly effective, every aspect of the law enforcement system must receive training and be equipped with the necessary tools to enforce and implement these laws. If executed properly, this constitutes a long-term endeavor aimed at educating local and national police as well as judges on this emerging realm of crime. Also, a major challenge of cybercrime is it involves cross-border issues. Hence, there is a clear need for an improved mechanism of cross-border communication and information exchange to enhance investigation, prevention, and protection efforts.

Comments are closed.