Strengthening Cybersecurity in Bhutan: A Comprehensive Approach
In recent years, Bhutan has faced a significant increase in cybersecurity threats, with 650 recorded cases over the past four years. Alarmingly, 204 of these incidents occurred in 2024 alone, highlighting the urgent need for a robust cybersecurity framework. These threats range from abusive content and fraud to system vulnerabilities and intrusion attempts, underscoring the diverse challenges that the nation must address.
The Role of Bhutan Computer Incident Response Team (BtCIRT)
In response to escalating cyber threats, the Bhutan Computer Incident Response Team (BtCIRT), operating under GovTech, is taking proactive measures to implement the action plans outlined in the National Cybersecurity Strategy (NCS). This initiative aims to fortify the country’s defenses against cyber threats and ensure the safety of its digital infrastructure.
A primary focus of BtCIRT will be to review existing legislative gaps and strengthen cybersecurity laws. This is crucial for establishing a solid defense system capable of adapting to the rapidly evolving nature of cyber threats. A BtCIRT official emphasized the importance of creating a comprehensive incident response framework that outlines clear protocols for identifying, reporting, and managing cybersecurity incidents.
Legislative Reforms: Addressing Gaps in the Information, Communications, and Media Act
One of the most pressing issues identified is the need to update the Information, Communications, and Media Act (ICM) of 2018. The current legislation lacks specific legal mandates requiring compliance with minimum security standards for critical information infrastructure (CII). While the Act provides broad provisions for cybersecurity, data protection, and online privacy, it falls short in offering detailed rules and enforcement mechanisms.
The urgency of this review is underscored by a recent assessment conducted by GovTech, supported by the World Bank, which revealed significant shortcomings in the existing legal framework. The official from BtCIRT stated, “Protecting critical information infrastructure is a top priority. We need robust legal and regulatory frameworks to ensure the security of these vital assets.”
Learning from Global Best Practices
To enhance the country’s cybersecurity preparedness, Bhutanese government officials participated in a three-day seminar on national cybersecurity strategies, which commenced on October 9. Organized by the Embassy of the Czech Republic in New Delhi, in collaboration with the National Cyber and Information Security Agency (NUKIB) of the Czech Republic, this seminar aimed to strengthen the resilience of Bhutanese institutions against cyber threats.
The Czech Republic, a pioneer in establishing cybersecurity legislation, shared valuable insights from its own journey. Kolek Netolicka Veronika, one of the trainers, emphasized the necessity of a legislative framework that sets basic measures and obligations for all regulated entities, including the private, public, and state sectors. The Czech Republic was among the first countries to implement a comprehensive legislative framework in cybersecurity in 2014, centralizing its efforts under NUKIB.
Challenges and Lessons Learned
Despite the progress made in the Czech Republic, the trainers acknowledged that challenges persist. Gaining trust among regulated entities was a significant hurdle in the early stages of their cybersecurity framework. After a decade of implementation, they have developed a clearer understanding of their system’s strengths and weaknesses, which can serve as a valuable lesson for Bhutan.
The BtCIRT official noted that the key takeaways from the seminar highlight the necessity of robust regulations for entities operating critical information infrastructure. This insight will guide Bhutan in aligning its cybersecurity laws with international frameworks and engaging various stakeholders to capture the evolving cybersecurity landscape.
Addressing Audit Findings and Moving Forward
The Royal Audit Authority’s (RAA) audit on cybersecurity preparedness, conducted in May 2023, revealed significant shortcomings in Bhutan’s current cybersecurity posture. The audit pointed out that the draft NCS, developed in 2018 and intended for implementation from 2021 to 2025, has not been fully realized. Essential components such as risk assessment, monitoring frameworks, and clear performance indicators were notably absent.
With two years already elapsed since the intended implementation period, it is imperative for Bhutan to take decisive action. BtCIRT plans to collaborate with stakeholders to review existing legislation, identify gaps, and propose amendments that incorporate best practices in cybersecurity.
Conclusion
As Bhutan navigates the complexities of the digital age, strengthening its cybersecurity framework is not just a necessity but a fundamental requirement for safeguarding its critical information infrastructure. By learning from global best practices, addressing legislative gaps, and fostering collaboration among stakeholders, Bhutan can enhance its resilience against cyber threats and ensure a secure digital future for its citizens. The journey ahead may be challenging, but with a committed approach, Bhutan can emerge as a leader in cybersecurity in the region.