Institute for Development of Freedom of Information (IDFI) responds to the Draft Amendments to the Law of Georgia on Information Security initiated to the Parliament of Georgia on October 2nd, 2019.
The rapid development of information technologies increases the dependence of every member of society on modern electronic systems. At the same time public services, structures and security systems are increasingly dependent on constantly updating digital technologies. These developments pose both internal as well as external risks. Identifying such risks and implementing relevant measures of protection are crucial in the given reality. However, it should also be taken into account that Georgia is a young democracy, with developing systems of good governance and accountability, thus the potential unsubstantiated increase of the state control over information security should not be implemented at the expense of restricting human rights and freedoms.
IDFI finds that the new draft law, initiated to the Parliament of Georgia on October 2nd, 2019 poses a number of significant threats discussed below.
1. Major Reform of the Information Security System
The proposed version of the draft law fundamentally changes the current cybersecurity architecture. LEPL Operational-Technical Agency (OTA) of the State Security Service is, in fact, becoming the main coordinating and supervisory body of information and cybersecurity. The mandate of the Agency covers the critical infrastructure of the public as well as private entities. The draft law does not clearly indicate the mechanisms through which interagency coordination will be strengthened. Quite on the contrary, according to the draft law the governance pillar of cybersecurity is added by another agency authorized to supervise relevant institutions, and at the same time cooperate with them (including via issuance of joint orders). This will further complicate the cybersecurity management process. Regarding the process of coordination, the draft law does not precisely provide roles and functions of the relevant structural divisions of MoD and MIA.
According to the draft law, DEA (LEPL of MoJ) is responsible to exercise its power in coordination with OTA (LEPL of the State Security Service). Despite the fact that these two agencies will issue orders and other bylaws regulating information security, under the new arrangements, DEA will cease to have a supervisory mandate and it will be transferred to OTA. At the same time, DEA will be in charge to monitor the standards of information security within the private sector only through close cooperation and coordination with OTA. Thus, under the given circumstances the mandate of DEA Computer Emergency Response Team is vague.
2. Problems of Grouping the Subjects of Critical Information Infrastructure into Tiers and High Risks of Unjustified Interference into the Protected Area of Human Rights
The draft amendments introduce the following three-tear categorization for the objects of critical information infrastructure (three tears):
a) Tier 1 – state agencies, institutions, LEPLs (other than religious organizations) and state enterprises;
b) Tier 2 – electronic communication companies;
c) Tier 3 – banks, financial institutions and other entities of private law.
Therefore, proposed amendments will enable OTA to have access to the information infrastructure, systems and assets of the objects of critical information infrastructure falling under tier 1. Moreover, by virtue of Article 10(4) of the draft law, OTA will be granted the authority to manage the sensors and monitors installed at these institutions in order to identify relevant cyber-attacks. Modern information and communication technologies can be configured in a way that enables collecting relatively vast categories of data including real-time monitoring of the content. The abovementioned factors increase the risk of the State Security Service of Georgia gaining unlimited access to information on an indefinite number of individuals with the help of modern technologies.
In the process of categorizing objects of critical information infrastructure, significant problems were identified related to the objects falling under tier 2 and tier 3, which mainly cover representatives of the private sector. The most problematic aspect in that regard is the extent of tier 2, covering private electronic communication companies (as defined by the Law on Electronic Communications) according to Article 1(G2) of the proposed draft law.
In this case, the approach based on which the companies are grouped under tier 1 and tier 2 is ambiguous. It is also unclear why electronic communication companies are subject to a higher standard of accountability towards OTA. OTA Computer Emergency Response Team is entitled to direct electronic communication companies to take necessary measures to identify and neutralize computer incidents in its infrastructure in order to prevent their reoccurrence in the future. It should be noted that the failure to do so entails administrative responsibility, which might render objects falling under tier 2 more vulnerable to OTA, as they would be more likely to grant OTA access to their infrastructure, including network sensors in order to avoid fines.
3. Standards of GoG Decree Regarding the Receipt and Processing of Personal Data by the Objects of Critical Information Infrastructure
The provisions of Article 82(1) of the draft law, according to which GoG decree will determine requirements for manufacturers developing hardware and software used in the process of receiving, processing, storing and transmitting personal data by the objects falling under tier 1 and tier 3, is also problematic. By virtue of this article, GoG will have the authority to set certain restrictions for private companies purchasing, upgrading or using their respective IT systems. The noncompliance with these requirements will result in imposing administrative fines of up to 5 000 GEL. Such an approach per se is contradictory to the core principles of the free market and fair competition.
Taking into consideration existing challenges of cybersecurity in Georgia there is a pressing need to amending the Law of Georgia on Information Security, particularly in regards to its enforcement mechanisms. However, based on the risks and threats identified by IDFI we call on the Parliament of Georgia to:
1. Turn down the draft amendments to the Law of Georgia on Information Security;
2. Start reforming the Cybersecurity System of Georgia only after the National Cybersecurity Strategy and Action Plan are adopted;
3. Ensure the active participation of all relevant stakeholders, including the representatives of local and international organizations as well as the private sector in the process of preparing draft amendments to the Law of Georgia on Information Security.
IDFI held the online conference - International Standards for Cyber Security and Georgia24.09.2020
The Coalition Statement on the Draft Amendments to the Organic Law of Georgia on Common Courts Initiated in the Parliament of Georgia08.09.2020