Romania’s Intelligence Service (SRI) or the Ministry of National Defense (MAPN) could gain expanded and discretionary access to the security issues and data of private individuals, and cyber security service providers would be turned into professional whistleblowers, the Association for Technology and Internet (APTI) has warned regarding the new draft law on cyber security and defense.


A new legislative proposal in the field of information security establishes absurd breach notification requirements for extremely broad categories of private entities, along with other provisions that ignore the importance of privacy, writes APTI, an association whose executive director is Bogdan Manolea, a lawyer specializing in Internet legislation.

The draft law was presented for public discussion on Friday, November 4, by the Ministry of Research, Innovation and Digitization, led by the liberal Sebastian Burduja. As HotNews.ro wrote, it obliges all private entities that own networks and IT systems to report security incidents on a DNSC-managed platform to which SRI, SIE, STS, MAPN and other agencies will have guaranteed access.

The main problems identified by APTI:

  • disproportionate measures for broad categories of private entities;
  • definitions that are vague, unclear or inconsistent with other applicable laws;
  • denunciation by private specialists as a method of protecting the Internet;
  • expanded and discretionary access of intelligence services to the security issues and data of private entities.

Not every website has to meet security requirements according to EU directives

The association argues, among other things, that the personal data of private individuals, and the security of the systems in which it is stored, should not be handed over to the state except where the public interest outweighs the private interests in question, an area already delimited by the European directives NIS1 and NIS2.

The association says that the inclusion in Article 3 (1) c) of the networks and computer systems of legal entities that provide public services or are of public interest (without defining these terms anywhere in the regulatory act) makes the scope of application excessively broad.

“The obligation to notify within 24 hours and the obligation of Article 40 cannot be fulfilled for any of the following:

  • a site with 3 users managed by a PFA at an NGO providing an online service (which is public by definition);
  • a website owned by a small media outlet, free or paid service,
  • a small offline store (which also has a public service) equipped with an electronic cash register (i.e. an IT system).

Therefore, it is unclear why the private sector is included in the same category as public sector networks in the following formulation:

  • “c) networks and IT systems owned, organized, administered or used by central and local bodies and institutions of public administration, except for those provided for in letter a), as well as legal entities that conduct industrial, scientific and research activities or provide public services or are of public interest, except for those specified in letter b).”

Our recommendation is to relate this topic to the categories of networks and computer systems owned, organized, managed or used by legal entities under the NIS2 directive (which is also cited by the proponents in the rationale) and which are likely to be included in the future law, valid until the end of 2022:

  • limiting private entities to obligations exclusively to the sectors covered by NIS1 and NIS2;
  • limiting large and medium-sized actors and excluding small actors, including from these sectors, to avoid excessive and impossible measures to be implemented;
  • providing a single obligation to report security incidents in the law implementing the NIS2 directive,” writes APTI.

Security service providers will become professional whistleblowers

Another criticized aspect is Article 24, which provides the following:

  • “Cybersecurity service providers are obliged to provide the authorities provided for in Art. 10 (DNSC, SRI, SIE, STS, MAPN, MAI, SPP, etc.), upon their motivated request, within a maximum of 48 hours from the date of receipt of the request, data and information regarding incidents, threats, risks or vulnerabilities, the manifestation of which may affect the network or computer system of the owner or of third parties.”

“The goal of a security service provider is to protect and solve the problems of its customers. Typically, cyber security service providers are technical specialists who have extremely strict contractual obligations of confidentiality to their clients (from Romania or abroad). Some of the information they have access to or discover is related to incidents, threats, risks or vulnerabilities.

According to the Romanian draft law on cyber security, these providers are obliged to report on their own clients in response to any request from one of the institutions referred to in Article 10. Without a court order, without express permission, these providers are obliged to provide information about the client’s security status or, worse, about an entire infrastructure (which may include the personal and sensitive information of multiple customers, whether or not they are directly affected by the potential vulnerability).

Such an obligation – which was also part of the earlier law with the same object, declared unconstitutional by CCR Decision 17/2015 – would be similar to obliging an auditor or accountant to report primarily to ANAF rather than advising the client on what to do to be in compliance with the law,” APTI warns.

What, exactly, are the IT systems within the competence of SRI? Can anyone identify them?

APTI also calls for a separate, correct and complete definition in Article 10(d), so that the specific areas of competence of each institution are clear. Currently, the text is vague and uses general terms: “networks and computer systems in the field of their competence, activity or responsibility”.

Article 10, point d) is as follows:

  • “Ministry of National Defence, Ministry of Interior, Office of the National Registry of State Secrets, Intelligence Service of Romania, Foreign Intelligence Service, Special Telecommunications Service and Security and Protection Service for security and cyber protection, respectively, for knowledge, prevention and countering of cyber threats to networks and IT systems within their competence, activity or responsibility. In this sense, they establish structures and technical and organizational measures for the coordination and control of cyber security and defense activities.”

The Association notes that it is not possible to know from the above text, for example, which IT systems may fall within the SRI’s scope of competence or responsibility.

  • “Does this include IT systems installed in other government agencies through the SII Analytics project? Do they include the systems they will purchase – perhaps – for the government cloud? Do they include IT systems for the interception of electronic communications installed by the SRI, but currently used by other bodies in the field of criminal investigation (as a result of CCR Decision 51/2016)? It is to avoid these ambiguities that the text should be rewritten to clarify and demarcate the attributions of each institution,” says APTI.

Civilian activities and systems should not be included in the military

Another aspect criticized by the association concerns the definition of “cyber protection”, for which MAPN is designated as the competent authority at the national level.

This is how cyber protection is defined in Article 2:

  • a) cyber protection – a set of actions, means and measures used to counter threats from cyberspace and mitigate their impact on communication systems and information technologies, weapons systems, networks and information systems, including those that support military defense capability;

The definition of cyber protection, APTI says, should be limited exclusively to activities related to the military sphere and should exclude IT activities or systems of the civil sector. Otherwise, the definition together with Art. 29 or 30 would treat the entire Internet as a space for military maneuvering.

Any other interpretation would violate the principle affirmed by the CCR in its unconstitutionality Decision 17/2015: “Institutions dealing with the field of cyber security must be civil bodies under the control of citizens.”

Access to the national IT security incident platform is unclear

Another aspect criticized by APTI is the “guaranteed access” that the intelligence services, MAI, SPP or MAPN will have to the national cyber security incident reporting platform – PNRISC.

Article 19 provides for the following:

  • (1) The DNSC shall develop and administer the National Cyber Security Incident Reporting Platform, hereinafter referred to as the PNRISC.
  • (2) The authorities provided for in Art. 10 have guaranteed access to PNRISC.
  • (3) Access to information from PNRISC is limited by the privacy policy established and implemented by DNSC.

APTI points out that the terms of Article 19, paragraphs 2 and 3, are unclear and do not take into account the protection of confidential data submitted by the reporting entities (including data about their own vulnerabilities, or personal data).

“A privacy policy cannot be a mechanism for protecting this information, as DNSC may develop such a policy at its discretion. Also, what business would ORNISS or SPP have with an incident reported by a private provider?

In our opinion, paragraph 2 should be reworded in such a way that “authorities have access – on the basis of a specific right of need in accordance with legal obligations clearly established by law – to statistical data or anonymous reports”.

Paragraph 3 should be reworded to clarify that the purpose of this privacy policy is to protect personal data and other non-public information. Moreover, the purpose of access is limited to the use of information for the purpose of ensuring one’s own IT security,” APTI claims.


The association says it sent its comments to the Ministry and demanded a public discussion of the bill.
