Bangladeshi media can disclose any weakness and mismanagement of the institutions declared as Critical Information Infrastructure (CII) by the ICT Division as media reporting will help authorities take appropriate measures to beef up cyber defence.
Apart from this, the declaration of CII in accordance with the relevant law will help deter undesirable incidents like the cyberheist at Bangladesh Bank.
These were stated in a statement issued by the state-backed Bangladesh e-Government Computer Incident Response Team (BGD e-Gov CIRT) on Saturday.
The government formed the BGD e-Gov CIRT under the Bangladesh Computer Council (BCC) just after the heist of the central bank’s reserve to combat any such fatal intrusions further.
The Financial Express released the statement as is excluding the names of 29 organisations’ Critical Information Infrastructure( CII) in the following.
“Critical Information Infrastructure (CII)” in the Digital Security Act, 2018 means any such external or virtual information infrastructure as declared by the government which controls, processes, transmits or stores any data or any electronic information and which is damaged or endangered; – (a) may adversely affect public safety or economic security or public health, (b) national security or state integrity or sovereignty; It is good to note here, that declared critical information infrastructure is limited to secured of information technology infrastructure.
To ensure compliance with internationally recognised widely used standards (ISO/IEC/BDS 17025, 15489, 20000, 27001, 27005, 27037, 27041, 27042, 27043, 27050) for secured operations, the government has declared 29 institutions as critical information infrastructures.
The organisations named in a notice issued by the ICT Division on October 3 are:
1) President’s office, 2) Prime Minister’s Office, 3) National Board of Revenue, 4) Bangladesh Data Center Company Ltd., 5) Bridges Division, 6) Department of Immigration and Passports, 7) National Data Center of Bangladesh Computer Council, 8) Bangladesh Telecommunication Regulatory Commission, 9) National Identity Registration Wing of Election Commission Secretariat, 10) Central Procurement Technical Unit, 11) Rooppur Nuclear Power Plant Establishment Project, 12) Biman Bangladesh Airlines, 13) Immigration Police, 14) Bangladesh Telecommunication Company Ltd., 15) Bangladesh Water Development Board, 16) Power Grid Company of Bangladesh, 17) Titas Gas Transmission and Distribution Company Ltd., 18) Bangabandhu Satellite Company Ltd., 19) Civil Aviation Authority Bangladesh, 20) Birth and Death Registration unit of the Office of the Registrar General, 21) Bangladesh Bank, 22) Sonali Bank, 23) Agrani Bank, 24) Janata Bank, 25) Rupali Bank, 26) Central Depository Bangladesh Ltd., 27) Bangladesh Securities and Exchange Commission, 28) Dhaka Stock Exchange, 29) Chattogram Stock Exchange.
The Director General shall, from time to time, inspect and inspect any critical information infrastructure to ensure that the provisions of the Digital Security Act are being duly complied with and submit a report to the government.
Most importantly, Bangladesh Standards and Testing Institution (BSTI) has declared all these ISO standards as national standards. Guidelines for CIIs operation and audit have been issued by the government to ensure information security.
The declaration of critical information infrastructures does not obstruct journalism in any way. The digital security act protects only intrusion into CII network, storage, and servers by hackers to steal money, information etc.
The declaration of CIIs is necessary to check the recurrence of Bangladesh Bank like heists, loss of credit & debit card information of citizens, disruptions of utility services etc.
State Minister for ICT in a press briefing on 22 August 2022 apprised the journalists on the prevailing menace of cyber threats to Bangladeshi individuals and organisations. However, it is observed that some so-called, self-declared cyber security experts are misleading the journalist community with various false statements.
Provisions for the declaration of critical information infrastructure are also in place in other countries. The declaration of CII in accordance with the relevant law will help deter undesirable incidents such as that of Bangladesh Bank. The process of identification of CIIs and skills enhancement of the officials of these information infrastructures started back in 2016 after the Bangladesh Bank Incident. On competition of all primary readiness requirements, the government has released the list of important information infrastructures as per the law. The declaration of CII through gazette provides a tool for immediate action by the relevant countries in case of transborder cybercrime. Information and Communication Technology Division has provided in country and overseas training to more than 4000 (four thousand) officials through gh Bangladesh Computer Council. In addition to training, three cyber drills are being organized annually from 2020 to create resilience to cope with cyber security-related threats. The ICT Division has set up a state-of-the-art cyber range at the Military Institute of Science and Technology (MIST) through the Bangladesh Computer Council. This cyber range provides opportunities for students and law enforcement agencies to practice cyber defence through simulations for readiness to mitigate cyber threats.
There is a difference between Critical Information Infrastructure (CII) and Key Point Installation (KPI). The Declaration of Critical Information Infrastructure only ensures adherence to national standards for the secure management and operation of information technology-dependent networks. The intrusion under DSA-2018 refers only to illegal entry with the intent of hacking into the physical or virtual IT Infrastructure. The important information infrastructure here is not the organisation, but the information technology-based network, data centre, data transmission etc. only.
On the other hand, government-declared Key Point Installation (KPI) controls the management of personnel access to organizations, the code of conduct of security guards and other related matters. The Ministry of Defense and Ministry of Home Affairs are responsible for announcing and managing Key Point Installation (KPI).
There is no hindrance in disclosing information about any weakness, mismanagement, etc. by the media under the declaration of CII by the ICT Division, rather media reporting will be helpful for the authorities to take appropriate measures to strengthen cyber defence.
