THE coming year is expected to be the year of cybersecurity for Thailand with the likely introduction of key digital laws, especially the Cybersecurity Act, to take effect in 2019.
Paiboon Amonpinyokeat, of the National Cyber Security Preparation Committee and a cyber law expert, said that 2019 is expected to see active moves in cybersecurity, with the Cybersecurity Act expected to take effect in 2019. This will encourage investments in cybersecurity and ventures by startups in Thailand.
“All cybersecurity bills are expected to be effective before the election, so it should be effective by February,” said Paiboon.
Cybersecurity in 2019 is expected to see much higher growth from 2018 since the new laws will encourage and compel organisations - both in the government and private sectors - to invest more in cybersecurity in order to ensure legal compliance.
Critical infrastructure operators will invest a lot more to make their systems and infrastructure more secure and, by doing so, bring themselves into legal compliance. Moreover, there will be more cybersecurity manpower and resource development. According to the National Cyber Security Preparation Committee, the country is expected to have at least 5,000 cybersecurity workers in the next three to five years.
Apart from law enforcement, the provisions of the Cybersecurity Act are part of efforts to encourage critical infrastructure providers to invest in and devote more attention to cybersecurity. Another key act, the Digital ID Act, will also help leverage investment in cybersecurity in the country.
However, close monitoring is required of which draft of the Cybersecurity Act the commission picks to put forward for the NLA's consideration: the revised draft that the Cabinet has endorsed or the first draft that the Council of State has endorsed.
Two months were spent on the revised draft, adjusting the earlier draft with the participation of experts across the legal, technology and business domains.
It consists of three parts - business promotion, protection, and is not focused on “content”. The former draft is focused on content.
Prinya Hom-anek, the secretary of the Thailand Information Security Association (Tisa) and a cybersecurity expert, said that in 2019 all four digital Acts will officially take effect. The first two concern the leveraging of the Electronic Transactions Development Agency (Public Organisation) to become a national agency that operates and runs under its own Act; and the Electronic Transactions Act (2019).
As a result, electronic transactions will be tightened and will incur more costs to ensure regulatory compliance. This is to create more confidence in electronic transactions and will dramatically increase the number of electronic transactions in 2019.
The other two digital acts - the Cybersecurity Act and Personal Data Protection Act - are also expected to take effect in early 2019. All four Acts are scheduled to be passed on to the National Legislative Assembly (NLA) for consideration and are expected to take effect next year.
Prinya has also highlighted the 10 cybersecurity trends for Thailand in 2019.
The first concerns data privacy and the risk of more leaks from cloud networks.
After the European Union's (EU) General Data Protection Regulation (GDPR) took effect, Google, Apple and Facebook have allowed their users to download their own data.
The move comes against the backdrop of concerns that if people lose their passwords, other people would be able to download all their personal data. This leads to the prospect of an increase in reputational risk, especially for people who set passwords that are too easy, without two-factor authentication. Those users without strong passwords have a higher chance that their personal data will be leaked.
Also, people who are careless with their passwords have a greater risk of losing their personal data.
Therefore, the first trend of cybersecurity is to have two-factor authentication. At this level of security, users need a six-digit authentication code each time. Two-factor authentication will be the default next year and indeed will become mandatory.
The second trend is for regulations to be tightened.
The drafts of the Personal Data Protection Act and Cybersecurity Act are expected to be effective next year. They have already passed the Cabinet's scrutiny and are awaiting the consideration of the NLA.
Critical infrastructure operators will concentrate more on cybersecurity and will invest a lot more in raising their cybersecurity standards. Meanwhile, privacy policies and disclaimers will become more stringent next year.
“Individuals must carefully and thoroughly read the privacy policies of service providers,” said Prinya.
The third trend is de-anonymisation, which is a reverse data mining technique that re-identifies encrypted information. Efforts here will relate to personally identifiable information (PII): public and private personal data that is collected and can be used to identify an individual, for legal and illegal applications.
The fourth trend is the full implementation of cyber resilience, which requires full life-cycle incident management. It is not about asking “Are we secure?”, because there is no guarantee of 100 per cent security. The question should be: “Are we ready?” And once a hack occurs, how prepared will an organisation be in terms of incident response?
“All individuals need to help protect themselves and not leave cybersecurity matters to the online service providers only. Individual (mobile) Internet users need to change their mindset about security. They have to prepare how fast they respond; they should prepare for the worst scenario,” said Prinya.
The fifth trend is enterprises’ cybersecurity discipline. Enterprises need to have more cybersecurity discipline. Cybersecurity is not just about technology issues; it is also about people and process issues. The trend is that people will focus a lot more on people and process, not only on technologies.
“Cybersecurity is not only a technical issue, it is about process and people and top management leadership,” said Prinya.
The sixth trend is Internet of Things (IoT) security.
A lot more devices connected to the Internet are raising more concerns about cybersecurity. Most connected devices have default passwords, especially medical devices and industrial devices. Therefore, a trend for hackers is to attack IoT and OT (operational technology) in the critical infrastructure.
“Thus, it is consistent with the second trend that the regulations will see more tightening, especially on the critical infrastructure that are targets of an attack,” said Prinya.
The seventh trend is about artificial intelligence used for the dark side of the Internet.
Hackers also use AI in hacking. Rather than coding, hackers use AI and machine learning to detect a system's weakness and to attack the victim.
Viruses will be empowered by AI and machine learning, and will learn patterns in order to avoid anti-virus detection.
The eighth trend is for more social media scandals.
Social media scandals will also include those concerning fake news and cyber bullying. Since social media is a circle of influence, it can be used to manipulate the masses.
Social media scandals are related to the attention economy. People normally have only eight seconds of attention. Cybersecurity is not just about hackers and viruses.
“The most dangerous hacker is yourself when using social media and online services carelessly,” said Prinya.
The ninth trend is for cybersecurity transformation.
Next year's trend is a shift from digital transformation to cybersecurity transformation. If cybersecurity and privacy are not good, trust will not be sustained.
Digital transformation would therefore not be a success. So, cybersecurity transformation (including privacy) is the foundation for digital transformation.
The 10th trend concerns the shift from the data economy to the crypto-economic field.
Now, the country is moving towards the data economy, which is not crypto-economic. Crypto and blockchain are the future, but not at the moment.
The country is to move from the data economy to the crypto-economic realm in the next couple of years. We are not yet seeing real-world mass implementation. It is the future technology and its arrival will take time.
“It is a subject matter for expert groups and for internal study,” said Prinya.