Cybersecurity regulations in BD and challenges for the business sector

The Digital Security Act 2018 (DSA), while a pioneering step towards establishing cybersecurity norms, faced criticism for its application in stifling dissent and limiting freedom of expression, without sufficiently addressing the core issues of online safety, digital system security, and personal data protection. Recognising these limitations and the need for reform, the Cabinet of Bangladesh introduced the draft Cybersecurity Act 2023 (CSA) in August 2023 as a replacement for the DSA, aiming to refine the country's cybersecurity framework.
The CSA 2023 seeks to enhance the cybersecurity measures previously outlined by the DSA 2018, aiming to provide a more focused approach to mitigate the public's online challenges. Despite these intentions, a closer examination reveals that the CSA's provisions concerning definitions, decision-making authorities, and penalties for offenses bear significant resemblance to those in the DSA. Organizations such as Transparency International Bangladesh (TIB) and even the United States Embassy in Bangladesh noted that appropriate stakeholders weren't consulted in the feedback process of the new act, and the act itself retains many of the more oppressive elements of its predecessor. This observation raises questions about the extent to which the CSA will diverge from its predecessor in practice, particularly in addressing the business community's concerns regarding online safety and data privacy in Bangladesh's evolving digital marketplace.
For businesses, the transition from DSA to CSA is critical. International businesses and local enterprises alike require a cybersecurity law that not only protects against cyber threats but also fosters an environment conducive to digital innovation and economic growth. The alignment -- or lack thereof -- between the CSA and global cybersecurity standards will significantly influence Bangladesh's attractiveness as a digital economy on the international stage.
The draft Cybersecurity Act 2023 (CSA) brings to the forefront challenges inherent in merging cybercrime and cybersecurity regulations, casting a long shadow over Bangladesh's digital ecosystem. This conflation may inadvertently prioritize punitive actions against cybercrime at the potential cost of neglecting proactive cybersecurity measures. For example, section 34 of the act which focuses on punishment for hacking offenses, proposes relatively severe penalties, including 14 (fourteen) years imprisonment and hefty fines. Cybersecurity experts may be deterred from carrying out valid research or disclosing vulnerabilities as a result of such fines, which would compromise the general security of digital systems.
Such a shift not only threatens the development of a robust digital infrastructure but also hampers the cultivation of a business environment conducive to innovation and economic progress.
The CSA's approach to blending cybercrime and cybersecurity legislation introduces potential legal ambiguities and complicates enforcement, underscoring the necessity for distinct legal frameworks to address the unique aspects of cybersecurity management and cybercrime prosecution. This distinction is paramount for aligning with international regulatory frameworks, such as the Budapest Convention and the GDPR, which differentiate between cybercrime and data protection to facilitate international cooperation and ensure compliance.
For both Bangladesh's local and the international business landscape, the CSA's stance presents considerable challenges. The blurred lines between cybercrime and cybersecurity in the CSA risk undermining Bangladesh's alignment with global cybersecurity norms-an essential element for participating competitively in the international digital marketplace. Companies operating in the digital domain depend on clear, enforceable legal structures that not only guard against cyber threats but also advance a culture of cybersecurity knowledge and readiness. The success of Bangladesh's digital economy hinges on the CSA's ability to provide such clarity and foster an environment where businesses can thrive securely and innovatively.
The draft Cyber Security Act (CSA) reflects the Digital Security Act (DSA)'s legacy, which unsurprisingly perpetuates similar challenges. The continuity of issues from DSA to CSA, especially around implementation, suggests a need for a critical evaluation of these legislative frameworks.
Section 8 of the Act, aiming to safeguard public order and digital security by allowing data prohibition or removal, highlights the necessity for clear, well-defined criteria and oversight mechanisms. This is crucial to mitigate the risk of misuse and ensure actions taken under this provision do not inadvertently lead to censorship. The use of ambiguous terms such as "threat to digital security," "solidarity," "financial activities," and "religious values" exacerbates the potential for broad interpretations, thereby increasing the risk of authority misuse.
The vagueness of these terms not only poses a threat to free expression online but also facilitates arbitrary enforcement practices. This ambiguity directly challenges the predictability and objectivity required by international human rights standards, underscoring the importance of precise legal language and transparent procedural safeguards in the CSA. For businesses, this uncertainty can complicate compliance efforts, affecting operations and undermining confidence in Bangladesh's digital market environment.
The National Cyber Security Council outlined in the draft CSA is set to include a diverse array of government ministries and agencies. However, it lacks specific mention of the inclusion of technical expertise and sectoral representation that characterises successful cybersecurity frameworks like the US's Cybersecurity and Infrastructure Security Agency (CISA) or the UK's National Cyber Security Centre (NCSC). The absence of provisions for integrating technological skills and fostering cross-sector collaboration could potentially impact the effectiveness of Bangladesh's cybersecurity initiatives.
Furthermore, while the draft CSA recognises the need to monitor, inspect, and secure critical information infrastructure, it falls short in detailing necessary incident response protocols, cybersecurity measures, or technical standards critical for the protection of essential assets. The mention of digital security experts' involvement in inspections is a positive step, yet the legislation does not sufficiently address their participation in strategic decision-making or the planning process, which is vital for a comprehensive cybersecurity strategy.
Sections 38 to 53 of the CSA focus on empowering law enforcement agencies to tackle cybercrime, providing them with investigative and prosecutorial authority. While these provisions aim to fortify the legal framework against cybercrime, they raise concerns about due process, privacy rights, and balancing law enforcement capabilities with individual freedoms. The aces designation of police officers as the sole Investigation Officers for cybercrimes triggers discussions on the need for specific technical knowledge and skills in cyber investigations. Given the intricate nature of cybercrime, this highlights an urgent requirement for specialized training or qualifications for law enforcement personnel to ensure effective and nuanced handling of such offenses.
From the perspective of businesses, these aspects of the CSA represent critical areas for improvement. The effectiveness of a cybersecurity framework from a business perspective hinges not only on its ability to combat cyber threats but also on its capacity to foster innovation, protect privacy, and maintain operational integrity in a rapidly evolving digital landscape. Ensuring that the CSA incorporates detailed provisions for technical expertise, cross-sector collaboration, and specialized law enforcement training will be pivotal in building a resilient and dynamic digital economy in Bangladesh.
The recent cybersecurity breaches at Biman Bangladesh Airlines and within various government sectors highlight a critical gap between the aspirations of Bangladesh's digital security measures and their actual efficacy. These incidents underscore the limitations of existing frameworks like the Digital Security Act (DSA) in safeguarding digital assets and personal data effectively.
The transition from the DSA to the draft Cyber Security Act (CSA) -- despite persistent challenges -- necessitates a reassessment of the national cybersecurity strategy. For the business community, particularly, this calls for a legislative environment that not only responds to the dynamic nature of cyber threats but also aligns with global standards and respects human rights. A strategic recalibration should prioritize clear differentiation between preventive measures and punitive actions, ensuring judicial oversight and promoting cross-sectoral collaboration. Moreover, an emphasis on cybersecurity education and the cultivation of a technically adept workforce is paramount to fortify defences and mitigate future vulnerabilities.
This complex issue demands a strategic shift toward legal frameworks that are adaptable to the changing landscape of cyber threats and consistent with international human rights norms. A modernized strategy should embody principles of proportionality and accountability, facilitating collaboration between the government, the private sector, and cybersecurity experts. Embedding a balance between prevention and enforcement within the CSA, and investing in cybersecurity training, are essential steps to bridging the existing technical gap.
In summary, navigating the cybersecurity challenge requires a nuanced and flexible strategy that balances security imperatives with the protection of fundamental freedoms. Progress hinges on a proactive stance that addresses current shortcomings while paving the way for a secure, inclusive digital future. This balance is crucial not just for safeguarding individual rights but also for maintaining Bangladesh's competitiveness and trustworthiness as a digital economy partner on the global stage.

This article is being published as part of an effort to bring further awareness regarding cybersecurity and policy gaps relating to cybersecurity in Bangladesh to the general public, stakeholders, and policymakers and is supported by DAI Global LLC and USAID under the Digital Connectivity and Cybersecurity Partnership (DCCP) Program.(Syed Shadman Wahid is a Senior Associate at Inspira Advisory Consulting Limited)