The Impact of the Thailand Cybersecurity Law

The Impact of the Thailand Cybersecurity Law
Author: Nipon Nachin, CISA, CISM, CISSP, CSSLP, GICSP, GREM, ITIL v3 Expert, QSA, PCIP, SSCP, Chatpong Tangmanee, Ph.D., and Krerk Piromsopa, Ph.D.
Date Published: 22 April 2019

In the past 5 years, the cybersecurity agenda has been raised and discussed and in many forums because cyberattacks have been developed for various purposes, and the number of cybersecurity incidents or data breaches have increased dramatically every year. After major incidents around the world in the past few years, cyberattacks have caused several impacts on public services, business, people and even the accusation of the cybercrime from others. Therefore, many countries, such the United Kingdom, German, Estonia, Australia, Canada and Singapore, have developed and issued laws to take action on cybersecurity, such as the national strategy, guidelines of implementation and reporting. Generally, all cybersecurity acts are focusing on industries identified as critical infrastructure (CI) or critical information infrastructure (CII) of the nations, such as national security, financial, telecommunication, public transportation and logistics, healthcare and energy sectors. These sectors are always the first primary target of cyberattacks and cause the biggest business disruption or impact nationwide.

The Thai government will soon issue the first cybersecurity bill, which aims to level up the cybersecurity safeguard, minimize or control cyberrisk and create cyberresilience in CII organizations. According to the bill, the law will focus on the incidents or crises of CII that have impact on public services or could even cause death or injury, rather than individual computer crimes or monitoring behavior on the Internet. The CII has been categorized into at least 7 groups, which are: national security, public service, financial service, information technology and telecommunication, supply chain and logistics, public utility and energy, and healthcare.

The new cybersecurity agency created by the bill will be responsible for enforcing, cooperating with other regulators and international organizations, supporting, responding to cyberincidents and regulating the CII organizations. The law contains the obligations and several penalties for noncompliance. In addition, the law also contains details of how CII can be compliant with this law, which relates to risk base management concept and 5 functions of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1 (i.e., identify, protect, detect, response, recover). Therefore, all CII enterprises are now facing the challenge of complying with the law and other coming regulations, which will provide more implementation details for the bill, especially the operation technology (OT) and public services. The OT is claimed to be in the closed network system (no external or Internet connection) for a long time, while public services sometimes focus on the service and avoid the security issues due to the service volume. These areas must be improved as fast as we can by using the NIST framework as the implementation guideline or other IT security standards, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 or European Union Agency for Network and Information Security (ENISA) guidelines. The area of the cybersecurity development or improvement in the organization must be covered all aspects of people, process and technology.

Last but not least, for the implementors or compliance, ISACA has published the Implementing the NIST Cybersecurity Framework to enable practitioners and enterprises to gain an understanding of the CSF and its implementation.

Read Nipon Nachin, Chatpong Tangmanee and Krerk Piromsopa’s recent Journal article:
How to Increase Cybersecurity Awareness,” ISACA Journal, volume 2, 2019.