Legal Considerations, Ministry of Defence, and National Cybersecurity

Today it is generally accepted that cyber threats can have a serious impact on
services of computer, internet, telecommunications, and satellite networks,
whether at individual or national levels. The impact can be a matter of concern
for national security, including military security, law and order, prosperity
and economic stability. The Ministry of Defence, charged
with national defence and security, thus plays an important role in overseeing
national cybersecurity. In this connection, the Ministry and agencies under its jurisdiction that have
something to do with domestic and international laws have to discharge their duties
under the rule of law. The National Cybersecurity Strategy (2017-2021) includes
the protection of national interests and security against conventional as well
as modern threats, whereby the armed forces are entrusted with the
responsibility of cyber-related national security and
support of cybersecurity, especially in the event of national cyber-crisis or cyberwar. This paper will focus in part on cyber
warfare with military objectives and cyber defence in the military context as
it touches upon military security and in part on the military role in support
of other agencies in the civilian context.

Hostile forces and cyberterrorism today come in many forms, whether in
disguised or open fashion, and can be classified as follows: countries
openly involved in the combat or war, enemy countries operating clandestinely,
terrorist organizations/movements, international and
domestic organized crimes, groups of ordinary individuals, and individuals
operating overseas or domestically. The situation transcends conventional
frontiers. In today’s combat or war there is no need to resort solely to attack or
use of arms against military or physical targets, i.e. using bombers, artillery or missiles to destroy dams, nuclear
power plants, or telecommunications systems. The war can be waged on the cyber
front to inflict damage on them as well as on other military or economic
targets.

Cyberspace operations in armed conflicts or cyberwar are subject to
international considerations as follows:
1. According to Article 51 of the UN Charter, a UN member state
can employ forces and cyber operations in self-defence
against an armed attack by another country but shall immediately report to the
UN Security Council. However,
its action must not in any way jeopardize the power and responsibility of the
Security Council. There
is an observation to be made in this regard. The right to exercise self-defence against pre-emptive attack in some
instances can be too late.
There are two countries that seem not to follow the rule, the USA
and Israel.
2. International Humanitarian Law, also known as the Law of
Armed Conflict, provides important principles governing or justifying the
possibility of engaging in cyber-warfare:
2.1 Military necessity: accounting for the legitimacy of operation necessary to reach
the objective of the task, ensuring the military defeat of the enemy, while
falling within the criteria and scope of the Law.
2.2 Unnecessary suffering: meaning
that weapons and other means of warfare, albeit with destructive killing power,
must not cause “unnecessary suffering”.
2.3 Proportionality: military operations and means of warfare must be in the
appropriate balance, i.e. the damages
that follow must not overly exceed the military advantage, and civilian
damage or injury must be avoided as much as possible.
2.4 Humanity: civilians,
prisoners of war, medical staff and religious personnel are to be treated with
respect for humanity. They
must be distinguished from legitimate combat targets. It is prohibited to use the protected
objects or personnel as targets or attack them in reprisal.

Nevertheless, there is no direct mention of cyber acts in international laws or universally
accepted standards. The subject was first mentioned in the Convention on Cybercrime, also known as the Budapest
Convention on Cybercrime or the Budapest Convention for short. The convention was initiated by the
Council of Europe and opened for signature in the Hungarian capital of Budapest
on 23 November 2001. Fifty-two countries have already ratified it, although Thailand is not
yet a signatory party to the instrument. It is considered the first
international agreement or treaty to address the issue of internet and computer
crimes at one go, leading to considerable improvement of investigative
techniques and greater international collaboration to prevent and suppress
international cybercrimes.
Another piece of documentation is the 2015 report of the United
Nations Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of International Security (UN GGE) with its 11 cyber-related
recommendations on the basis of which negotiations and considerations can be
applied to suit the context of individual countries on a voluntary non-binding basis.
Attempts have also been made to develop what is known as "TALLINN MANUAL 2.0 ON THE
INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS" by
NATO Cooperative Cyber Defence Centre of Excellence, a research and training
institute in Tallinn in Estonia. The document is a result
of the cooperation of cyber experts from several countries although
internationally it is not legally binding in any way.

With regard to Thailand’s legal instruments dealing with cyber-operations or warfare, cyber-prevention in
the context of international armed conflict and cybersecurity in the civilian
context, there are a number of laws that concern the Ministry of Defence as
follows:
1. In the Constitution of the Kingdom of Thailand, B.E. 2560 (2017), Section 56 provides that the State shall put in place armed
forces to ensure national security, law and order. In Section 8, Section 36, Section 37
and Section 40 of the Act on the Ministry of Defence Organization, the Ministry
of Defence shall have the powers and duties in defending and maintaining
national security against external and internal threats, and other duties
including non-combat military operations designed to
maintain national security.
It is the ministry’s duty to prevent, stop
or suppress threats to the State’s security and terrorism,
which may require immediate military intervention, as well as to protect and
maintain other national interests. In this connection, military personnel
can act as competent officers in accordance with the Criminal Code. The legal provisions,
thus, make it possible for the Ministry of Defence and its agencies to conduct
cyber-operations even in the absence of specific legal
stipulations if they are dealing with cybersecurity and national security or
interests or terrorist acts that require military intervention. In this light, the Constitution and
the Act on the Ministry of Defence Organization empower the Ministry of Defence
and agencies under its jurisdiction to take appropriate action.
2. Computer Crimes Act, B.E. 2550
(2007) and subsequent amendments
3. Electronic Transactions Act, B.E. 2544 (2001) and
subsequent amendments
3.1 Royal Decree Prescribing Rules and Procedures for Electronic
Transactions in Public Sector, B.E. 2549
(2006) issued under Section 35
paragraph one of the Electronic Transactions Act B.E. 2544 (2001), together
with the following notifications:
3.1.1 Notification of the Electronic Transactions Commission, dated
31 May 2010, on Policy and Practice Guidelines for Maintaining Information
Security in Public Sector, B.E. 2553 (2010), to ensure security and reliability
of electronic transactions with/by the public sector as
well as to ensure international acceptance. In this regard, all public agencies,
including the Ministry of Defence, shall each have in place its policy on
information security in writing.
3.1.2 Notification of the Electronic
Transactions Commission, dated 1 October 2010, on Policy and Practice
Guidelines for Protecting Information of Personnel of Public Sector, B.E. 2553 (2010), to ensure security and reliability of electronic transactions
of the public sector and to protect personal information with the same standard
across the board. In
this regard, all public agencies, including the Ministry of Defence, shall each
have in place its policy on personal information protection in writing.
3.2 Royal Decree on Safe
Procedures for Electronic Transactions, B.E.
2553 (2010) issued under
Section 25 of the Electronic Transactions Act, B.E. 2544 (2001) together
with the following notifications:
3.2.1 Notification of the Electronic
Transactions Commission, dated 13 November 2012, on Types of Electronic
Transactions and Criteria for Assessing the Level of Impact of Electronic Transactions
under Safe Procedures, B.E. 2555 (2012) to ensure the reliability of
electronic transactions under safe procedures as prescribed by the Commission.
3.2.2 Notification of the Electronic
Transactions Commission, dated 13 November 2012, on Standards of Maintaining
Information System Security under Safe Procedures, B.E. 2555 (2012), to
ensure the reliability of electronic transactions under safe procedures as
prescribed by the Commission.
4. Office of the Prime Minister’s
Regulations on the Preparatory National Cyber Security Committee, B.E. 2560 (2017),
prescribing the presence of the Preparatory National Cyber Security Committee
during the preparation of the law on national cybersecurity to be submitted to
the National Legislative Assembly. It is designed to prepare the
development and maintenance of cybersecurity and to ensure that Thailand can
defend and protect itself against cyber threats or handle the situation in a
prompt manner. This
will protect all people concerned, whether public, private, or civil society,
and instill confidence in them.
The committee will consist of such members as the Minister of
Defence, Permanent Secretary for Defence, Chief of Defence Forces, Commander-in-Chief of Royal Thai Army, Commander-in-Chief of Royal Thai Navy, and Commander-in-Chief of Royal Thai Air Force.

Inevitably, when one starts to prescribe measures and actions to prevent or protect against
untoward cyber-situations and threats, especially when it
involves services of computer, internet, and telecommunication networks,
satellite services, infrastructure systems, and public services in the country,
it may affect the rights and liberties of certain individuals or groups of people. This is even more so
when it comes down to national security, military security, internal law and
order, and economic security, collectively called “security”. Such inconvenience to individuals or groups of people will
not constitute a violation of human rights if action is taken under the legal
framework or is not deliberately taken against them. Article 4 of the International
Covenant on Civil and Political Rights, to which Thailand is party, states that
in time of public emergency which threatens the life of the nation, the State Parties to
the Covenant may take measures derogating from their obligations on civil
rights and freedom to the extent strictly required by the exigencies of the
situation. In addition, the European Convention on Human Rights, to which Thailand is not yet
party, can be considered an international principle on this matter. Article 15 of the
Convention states that in time of war or other public emergency threatening the
life of the nation, the State Party can take measures derogating from its
obligations on civil rights and freedoms to the extent required by the
exigencies of the situation.
This is a case of public safety or public security, which emerges
as the most important.

The above-mentioned domestic laws – Computer
Crimes Act, B.E. 2550 (2007) and subsequent amendments, Electronic Transactions Act, B.E. 2544 (2001) and subsequent amendments, other secondary acts and
notifications – may suffice to prevent and suppress
cybercrimes but do not go far enough to cover “national
cybersecurity”. It is necessary for Thailand, therefore, to come up with a law on national
cybersecurity as soon as possible. In this matter, the Ministry of
Digital Economy and Society is the lead agency in drafting a bill on national
cybersecurity B.E…. which will be in
force in due course. It
is hoped that the draft act will include provisions concerning the part of the
military personnel of the Ministry of Defence accordingly.

Conclusion: The Ministry of Defence is an important agency in national
cybersecurity. The
Ministry and agencies under its jurisdiction will have to act under the
domestic and international laws.
Admittedly, at present, domestic laws do not sufficiently cover
or deal with “national cybersecurity” in
a comprehensive manner. It
is necessary, therefore, for Thailand to put in place a law on national
cybersecurity as soon as possible.
***************