The Constitutional Court ruled on January 21 that the bill concerning Romania’s cybernetic security, in its current form, violates the constitutional principles of the democratic state and the right to intimacy and to private and family life. Following the Court’s decision, the Ministry for Communications posted a new version of the bill on its website on January 27 for public debate. The bill will remain under public debate for at least 30 days from its publication.
According to the announcement on the ministry’s website, the new version of the bill was compiled by taking into consideration the criticism in Decision 17/2015 of the Constitutional Court.
The second public debate of the bill was due to take place on February 19th. The interested parties were urged to come up with concrete suggestions regarding the bill.
The law has several declared aims: to create uniform terminology in cybernetic security, to make owners of cyber infrastructure accountable, to increase the capacity to react to cyber incidents and reduce their impact, to set up a national cooperation framework between institutions and the private sector, and to designate the national-interest cyber infrastructures.
The law thus applies to owners of national-interest cyber infrastructure, owners of cyber infrastructure which is processing personal data, providers of public networks and electronic communications services, providers of internet hosting services and providers of cyber-security services.
A National Cyber-Alert System must be created to prevent and counteract cyber risks and threats. Infrastructure owners must ensure the security of their networks, notify the authorities of cyber-security incidents, and provide support for counteracting such attacks.
The first draft of the law, which should ensure the protection of the fundamental rights and liberties of the Romanian citizens in the cybernetic space, was contested by NGO representatives and declared unconstitutional by the Constitutional Court.
One of the main reasons for the Court’s decision was that the national authority in the field of cyber security should be a civilian body, in order to guarantee that fundamental rights are respected, and not the National Center for Cybernetic Security, which operates under the umbrella of the Romanian Intelligence Service (SRI). According to the Court, “since the National Cyber Security Center (CNSC) is a military structure within an intelligence service and subordinated to the management of this institution, therefore under direct military-administrative control, it is obvious that such an entity does not meet the requirements regarding the necessary warranties for respecting fundamental rights to intimacy, a private family life and the secret of correspondence.”
The Court also explained that the option of appointing a civilian structure as a national cyber-security authority, instead of a military structure with activities in the intelligence domain, would thus eliminate the risk that intelligence services could obtain information by violating these fundamental rights. “Which is exactly what the law does not avoid having appointed SRI, and its military structure CNSC,” concludes the Court.
When asked by BR to comment on this matter, Bogdan Manolea, founder of the website www.legi-internet.ro and a member of the Association for Technology and Internet, said: “I think this is rather a matter of vision: if we believe that the cyber-security law should be written by the SRI as it sees fit, this is a bad start. Just like information security is a matter that involves the public, private and civil domains, in the same way, the law should be created by a public work group that should start from the principles that must be included.”
Manolea also added that, while the old version of the law was declared unconstitutional, the new version partially solves the initial problems raised by the Constitutional Court, such as the access to the data without the agreement of a judge and the role of the Romanian Intelligence Service as an auditor.
However, he points out, the new version still retains some problems of the old law, such as the extremely large spectrum of applicability of the law or the role of the SRI, as the authority, in this field.
“It also brings in new issues, which in fact do not have any direct connection with the field, such as some unclear stipulations regarding hosting obligations,” says Manolea.
During the first public debate, Marius Bostan, Romanian minister for Communications and Information Society, said that public money cannot be used for building cyber infrastructure without being sure that it is used correctly. “We are talking about Big Data, Cloud, Internet of Things. We cannot build cybernetic infrastructure without making sure that it is used correctly and to the benefit of the citizens. We cannot use public money to build infrastructure, computing power and capabilities only to see them fall into the hands of people who do not respect human rights and are the adversaries of democracy and freedom, values that we all wish to defend. We must ensure that this power is not used for the worse,” said the minister, quoted by Agerpres newswire.
According to Augustin Jianu, general manager of the Romanian National Computer Security Incident Response Team (CERT-RO), Romania needs a cyber-security law. “We have processed 68 million cybernetic security alerts, of which we extracted 2.3 million compromised or vulnerable unique IP addresses. The attackers, in order to remain anonymous, are using already compromised systems in order to keep on attacking others. At global level, in 2015, the average detection time in the case of an intrusion was 268 days. This means that the attacker cracked into a compromised system and stayed there for 268 days before being detected,” Jianu pointed out, according to Agerpres newswire.
On the other hand, when asked by Business Review, Manolea also agreed that “a law which should clarify the responsibilities of those who have in their administration informatics infrastructure is necessary. It is equally important to set rules for critical informatics infrastructure (such as energy, water, gas and so on). However, the text of the current proposal makes us extremely critical because obligations regarding informatics security cannot be identical in the case of a company with a computer and one with 5,000 computers.”
He also pointed out that the proposal is “too focused on security and forgets the purpose of the security: the protection of the citizens’ data and other confidential information. And here we should not be interested in the security per se, but rather in whether the data was lost or not.”