In the past four years, Bhutan recorded 650 cases of cybersecurity threats and attacks, with 204 incidents occurring in 2024 alone. These cases range from abusive content and fraud to system vulnerabilities and intrusion attempts.
In response to these escalating threats, the Bhutan Computer Incident Response Team (BtCIRT) under GovTech plans to implement the action plans of the National Cybersecurity Strategy (NCS).
A key focus of this will be reviewing legislative gaps and strengthening cybersecurity laws to bolster the country’s defence system.
A BtCIRT official said that a comprehensive and robust incident response framework will be established, outlining clear protocols for identifying, reporting, and managing cybersecurity incidents. The review of the Information, Communications, and Media Act (ICM) of 2018 is particularly urgent to address the evolving nature of cyber threats.
“Protecting critical information infrastructure is a top priority,” the official said “We need robust legal and regulatory frameworks to ensure the security of these vital assets.”
The official added that the Act needs to be updated to adapt to the changing technology landscape, which is challenging at the moment.
A recent review conducted by GovTech, supported by the World Bank, revealed that the ICM Act lacks specific legal mandates requiring CII compliance with minimum security standards. While the Act includes broad provisions for cybersecurity, data protection, and online privacy, it falls short in providing detailed rules and enforcement mechanisms.
To gain insights and best practices, government officials participated in a three-day seminar on national cybersecurity strategies, which began on October 9. This seminar was organised by the Embassy of the Czech Republic in New Delhi, in collaboration with the National Cyber and Information Security Agency (NUKIB) of the Czech Republic, GovTech, and the Honorary Consulate of the Czech Republic in Thimphu.
The seminar aimed to strengthen the preparedness and resilience of Bhutanese government institutions against cyber threats. The seminar also highlighted the Czech Republic’s experience in establishing cybersecurity legislation.
One of the trainers, Kolek Netolicka Veronika said that a legislative framework on cyber security is essential for setting basic measures and obligations for all regulated entities including private sector, public sector, and state sector companies.
In 2014 Czech Republic was among the first countries in the world to implement a complex legislative framework in cyber security, centralising its efforts under NUKIB.
The trainer said that when Czech Republic first started out it faced challenges of gaining trust among regulated entities .
After 10 years, the trainer said they have still not been able to overcome all the challenges but are able to know how their system works and what they need to improve.
The BtCIRT official said the key lessons learned from the seminar emphasise the necessity of robust regulations for entities operating critical information infrastructure.
As part of enhancing Bhutan’s cybersecurity legislation, BtCIRT will align these laws with international frameworks and engage various stakeholders to ensure they capture the evolving cybersecurity landscape.
BtCIRT plans to collaborate with stakeholders to review existing legislation, identify gaps, and propose amendments that incorporate best practices in cybersecurity.
The Royal Audit Authority’s (RAA) audit on preparedness for cybersecurity performance of May 2023 revealed significant shortcomings in Bhutan’s cybersecurity preparedness. The audit report also pointed out that the draft NCS was not been fully implemented. The NCS also lacked essential components such as a risk assessment, monitoring framework, and clear performance indicators.
The draft NCS was developed in 2018 and was intended to be implemented from 2021 to 2025, of which two years have already elapsed.
However, the draft was recently approved for implementation from 2024 to 2029.
