In the last thirty years, information and communication technologies (ICT) have evolved constantly and have revolutionized everything from the way we work to the way we interact. As the use of ICT expands, so do the risks associated with it. Efforts to create a secure national cyberspace go back more than fifteen years, from the drafting and approval of legislation against cybercrime (Law 53 on High Technology Crimes and Offenses), to the ratification of important international treaties such as the Council of Europe Convention on Cybercrime (the Budapest Convention), to the creation of specialized bodies for the investigation and prosecution of these crimes, such as the Directorate for the Investigation of High Technology Crimes and Offenses of the National Police (DICAT) and the Specialized Prosecutor's Office for High Technology Crimes (PEDATEC). Notwithstanding these actions, the country still needs to strengthen its capacity to deal with cyber threats and incidents, and to implement legislative instruments and public policies aimed at inter-institutional and intersectoral coordination and at building an effective response capacity. In 2016, the Dominican Government approved the Digital Republic (República Digital) program, conceived as a set of policies and actions that promote the inclusion of ICT in productive, educational, governmental and service processes.
With the adoption, by Decree 230-18, of the National Cybersecurity Strategy of the Dominican Republic 2018-2021 (ENCS), the strengthening of cybersecurity policy in the country began. In general terms, the ENCS aspires to a more secure cyberspace, to be achieved through a legal framework that regulates cybersecurity and institutional strengthening, the protection of critical infrastructures and State IT infrastructures, cybersecurity education and culture, and national and international alliances. Through cybersecurity legislation and regulations, the State will have basic response mechanisms for the investigation and prosecution of crimes and for the imposition of sanctions for non-compliance with its provisions. A preliminary draft of the Cybersecurity Management Law for the Dominican Republic is currently under study in the Senate.

1. The National Cybersecurity Center

Article 10 of Decree 230-18 creates the National Cybersecurity Center (CNCS) as a dependency of the Ministry of the Presidency of the Dominican Republic. The purpose of the center is "the preparation, development, updating and evaluation of the National Cybersecurity Strategy, the formulation of policies derived from said strategy and the definition of the initiatives, programs and projects that lead to its successful implementation, as well as the prevention, detection and management of incidents generated in the relevant information systems of the State and national critical infrastructures".
To strengthen its role and powers, the draft bill seeks to formalize the creation of the CNCS as a public law entity with its own legal personality and functional and budgetary autonomy, under the authority of the Ministry of the Presidency. The bill establishes that the CNCS will be made up of a collegiate body, the National Cybersecurity Council, and an Executive Directorate. The Council will be chaired by the Ministry of the Presidency and will also include the Ministry of Defense, the Ministry of the Interior and Police, the Office of the Attorney General of the Republic, the National Police and the Executive Director of the center.

2. Critical Infrastructure

The bill defines what modern societies know as critical infrastructures: for example electricity, gas, ports and airports, water management, and information and communication technologies, whose interruption can have serious consequences for the economy and the well-being of citizens, with a potentially great impact on health, safety, economic well-being or the efficient functioning of State institutions. The protection of critical infrastructures therefore goes beyond the responsibility of individual companies, sectors and, sometimes, even States.
In these terms, Law No. 267-08 on Terrorism, in its Article 8, establishes a list of strategic infrastructures: a) fuel terminals and depots, whether State-owned or privately owned; b) domestic or international ports and domestic or international airports, civil or military; c) dams, reservoirs, lakes, main irrigation channels, aqueducts and water treatment plants; d) industries, public establishments or private property of special significance to the country's economy; e) maritime platforms built within maritime areas under national jurisdiction, including the exclusive economic zone; f) electricity and telephone transmission networks and passenger and cargo transport networks, as well as the systems of protected areas under the General Law on the Environment and Natural Resources; g) public and private mail or correspondence systems; h) national monuments of historical or cultural importance; i) electric power generation systems and technology platforms. This classification covers only infrastructures that can be affected by acts of terrorism, and a cyber threat or cyber attack cannot necessarily be classified as an act of terrorism. The legislative proposal therefore contemplates a mechanism through which the CNCS can designate an information system as critical infrastructure when the loss or compromise of that information system would have a debilitating effect on the availability of the service it supports.
- Obligations of Critical Infrastructure Operators

Given the importance of a critical infrastructure, operating one entails a series of obligations intended to safeguard cybersecurity and increase cyber resilience. To that end, the draft bill contemplates the following obligations.

– Obligation to deliver information: the operator must deliver relevant information about the information system within a period of _______ when required by the CNCS, so that the CNCS can determine whether the information system meets the criteria of a critical infrastructure. Exceptions or exemptions are contemplated for information that could be considered confidential. Substantial changes in the design, configuration, security or operation of the critical infrastructure must be notified to the CNCS once they have been made, if the change affects or may affect the cybersecurity of the critical infrastructure or the ability of its owner to respond to a cybersecurity threat or incident.
– Obligation to report cybersecurity incidents: the owner of a critical infrastructure must notify the CNCS of a) a cybersecurity incident that has affected the critical infrastructure; b) a cybersecurity incident that has affected any information system under its control that is interconnected with or communicates with the critical infrastructure; and c) any other type of cybersecurity incident that the CNCS has specified to the owner. This leads to a subsidiary obligation: a reporting duty is only meaningful if incidents are actually detected, so owners of critical infrastructures must establish technical and procedural mechanisms to detect cybersecurity threats and incidents, including incident response teams and the implementation of cybersecurity standards, among others.

– Obligation to carry out cybersecurity audits and risk assessments: the bill proposes to create the means to evaluate compliance with the technical measures, performance standards and other requirements that owners of critical infrastructures must apply. Cybersecurity audits and risk assessments must be carried out at least once every two years, and the owner must provide the CNCS with a copy of the resulting report. If the CNCS finds that some aspect of an audit was not carried out satisfactorily, it may order the owner to have the auditor repeat that aspect of the audit; if it is not satisfied with the results of the audit, it may order the owner to take additional steps to ensure the level of cybersecurity of the critical infrastructure. The obligation to audit and assess risk also arises when the owner has notified the CNCS of a substantial change in the design, configuration, security or operation of the critical infrastructure.
– Obligation to carry out cybersecurity exercises: exercises prepare participants for real incidents and strengthen contingency plans, improving familiarity with the tools and processes needed to handle and remediate incidents. This obligation falls on the CNCS, which must test the preparedness of all those involved in the different critical infrastructures to respond to major cybersecurity incidents.

On Responsible Disclosure of Vulnerabilities

The proposed law promotes the research, publication and disclosure of vulnerabilities, provided this is done in good faith. A person would not be considered to have violated legal provisions on the confidentiality, integrity and availability of data and systems, or regulations, contracts and professional codes of conduct, by communicating, publishing or disclosing a vulnerability, provided that this is done in good faith: in particular, the researcher must not demand a reward under coercion or under threat of publishing the information, and must grant a reasonable time to fix the vulnerability before publishing or disclosing it. As described here, the safe harbor attaches to the act of communicating, publishing or disclosing a vulnerability; the conditions under which the research activity itself (accessing or testing a system) is covered are not spelled out in this summary. Threats to cybersecurity are a global problem and need a global solution in which all the actors involved participate, with shared responsibility among the Government, the private sector and civil society in general.