The National Cyber Security Agency (NCSA) aims to roll out 40 subordinate regulations of the Cybersecurity Act this year to strengthen the country’s systems. Roughly 100 organisations linked with critical information infrastructure (CII) stipulated by the act will also be directed to comply with the standard framework of security requirements this year to guard against cyber threats, said the agency.
The act stipulates NCSA is responsible for providing assistance to prevent and mitigate risks from cyberthreats to seven aspects of CII: national security, public service, banking and finance, information technology and telecoms, transport and logistics, energy and public utilities, as well as public health.
The Secretary-General of NCSA stated that the agency established in January 2021 will ramp up cybersecurity skill-building for sectors related to the seven CII aspects through intensive capacity-building programmes targeting 2,250 attendees, including 400 specialists and executives, in 2022. The move should enhance the country’s capacity to defend against escalating cyberthreats, particularly as more organisations shift their work online during the pandemic, relying more on online applications.
According to Section 44 of the Cybersecurity Act, NCSA is tasked with formulating a code of practice and standard framework of cybersecurity as a guideline for state and private agencies linked to CII to comply with. The agency is also expected to develop cybersecurity skills and competence for state and private agency workers to meet international standards, as well as create a digital economy and society action plan spanning from 2018 to 2022.
According to the Secretary-General, NCSA will enforce security standard requirements, including for software and operating systems, for state agencies and CII-linked enterprises by the end of this year. The requirements include daily monitoring of threats to ensure the security of their databases, he said.
Many government and private organisations are linked to the seven CII sectors, but around 100 are in the first batch subject to enforcement by this year. NCSA plans to work with various sector regulators on the tasks, such as the Thailand Banking Sector Computer Emergency Response Team, the Securities and Exchange Commission, the National Broadcasting and Telecommunications Commission and the Telecommunications Association of Thailand.
Public health is the most critical sector as it involves patient records, which could be a threat to people’s lives, the Secretary-General said. NCSA has around 60 staff, half of them recruited under contract agreements. Each of the seven CII sectors is expected to have cybersecurity coordination centres by the end of this year, he said.
In August 2021, NCSA established a national computer emergency response team (National CERT), which was transformed from ThaiCert (Thailand Computer Emergency Response Team) under the Electronic Transactions Development Agency. National CERT has five staff members. The agency received a budget of THB40 million in its first year of operation, which was raised to THB140 million in fiscal 2022. NCSA also secured another THB200 million from the Digital Economy and Society Ministry’s Digital Fund for its operations and management in fiscal 2022.
The Secretary-General also noted that they are a new agency with several limitations, but are eager to achieve their missions. NCSA aims to have 480 staff for its full-scale operations, but it may take 10 years to reach that level.