𝗖𝘆𝗯𝗲𝗿𝗰𝗿𝗶𝗺𝗲 𝗦𝘂𝗿𝗴𝗲 𝗶𝗻 𝗕𝗵𝘂𝘁𝗮𝗻 𝗦𝗽𝗮𝗿𝗸𝘀 𝗖𝗼𝗻𝗰𝗲𝗿𝗻𝘀 𝗼𝘃𝗲𝗿 𝗡𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆

…𝑻𝒉𝒊𝒎𝒑𝒉𝒖 𝑰𝒅𝒆𝒏𝒕𝒊𝒇𝒊𝒆𝒅 𝒂𝒔 𝑯𝒐𝒕𝒔𝒑𝒐𝒕 𝒊𝒏 𝑨𝒍𝒂𝒓𝒎𝒊𝒏𝒈 𝑹𝒊𝒔𝒆 𝒐𝒇 𝑪𝒚𝒃𝒆𝒓 𝑰𝒏𝒄𝒊𝒅𝒆𝒏𝒕𝒔

By Sonam Deki

Bhutan is grappling with a significant rise in cyber-related cases, with a total of 56 incidents reported across various divisions in the country until November 27, 2023. The data, released by Royal Bhutan Police, highlights the escalating threat of cybercrime, prompting concerns about The capital city, Thimphu, has emerged as a major hotspot, reporting an alarming 24 cybercrime cases. This concentration emphasizes the immediate need for bolstered cybersecurity measures in Bhutan’s most densely populated urban center. Other regions, including Trashigang (10 cases), Samdrup Jongkhar (4 cases), and Wangdephodrang (4 cases), have also witnessed a notable number of cyber incidents, indicating vulnerabilities that require targeted interventions.

Even in more rural divisions such as Paro, Punakha, and Trongsa, the impact of cybercrime is palpable, dispelling the notion that the threat is confined to urban areas.

In light of this surge, there are urgent calls for robust cybersecurity measures. Authorities are being strongly urged to invest in training programs, public awareness initiatives, and technology upgrades to counter the evolving tactics employed by cybercriminals.

A report from the Public Accounts Committee (PAC) has shed light on critical deficiencies in Bhutan’s approach to combating cybercrime. It highlights a stark absence of adequate legal frameworks and mechanisms dedicated to addressing cybercrime. Notably, the lack of legal provisions defining cybercrime, coupled with the absence of agreements for cross-border and multi-judicial investigation of cybercrime, poses significant challenges for law enforcement agencies.

The absence of a comprehensive legal framework not only impedes the ability to combat and criminalize cybercrimes, especially those requiring cross-border investigations, but also leaves Bhutan’s cybersecurity exposed to potential cyber-attacks. The report emphasizes the need for urgent action in fortifying legal provisions and agreements.

While acknowledging existing legal provisions for data privacy and protection, the report points out inadequacies in enforcement mechanisms, hindering the effective implementation of the Information, Communications, and Media (ICM) Act. This raises concerns about the safeguarding of individuals’ data and the overall integrity of the digital landscape.

The report further highlights the absence of a designated agency to lead and regulate cybersecurity, stressing a potential vulnerability in Bhutan’s cyber defenses. The current disintegrated approach, where various regulating agencies identify and monitor Critical Information Infrastructures (CIIs) under their jurisdiction, risks diffusion of responsibilities, exposing CIIs to persistent vulnerabilities and threats.

Additionally, the report draws attention to the absence of protocols for cyber incident reporting, leading to a lack of common understanding among agencies. This gap in reporting mechanisms poses a serious challenge, potentially resulting in numerous unreported cases. At the national level, this dearth of information makes it difficult to assess the country’s threat environment comprehensively and design strategic responses to cyber attacks.

In response to these systemic shortcomings, the PAC report emphasizes the pressing need for Bhutan to strengthen legal frameworks, foster collaboration for cross-border investigations, establish a centralized cybersecurity agency, and implement protocols for incident reporting. Swift actions are deemed imperative to fortify the nation’s cyber defenses and protect against evolving threats.