A draft of a new cybersecurity law, which has not previously been made public but has been obtained by Rest of World, would give the Cambodian government expanded powers to seize computer systems from companies, initiate searches during loosely defined cybersecurity incidents, and prosecute those who don’t comply.
The document is marked “confidential” and dated September 2, 2022. Laid out over 13 pages, the law would allow the government to seize operating systems and copy and filter data from entities unable to mitigate the impacts of a “cybersecurity threat or cybersecurity incident at the critical level” — defined broadly as an event that could cause “significant harm” to “national security, national defense, foreign relations, the economy, public health, safety or public order.”
“Any person” who “opposes the performance of duties” of the ministry or security committee could face imprisonment up to a year under obstruction or incitement charges, and be fined up to 150,000,000 riel (about $37,000) — around double the annual salary for a company executive in Cambodia. It would also use a “Digital Security Committee” under the ministry to prevent and respond to cybersecurity attacks.
The draft bill doesn’t specify whether it would apply to international as well as local companies, but experts told Rest of World that its language was broad enough to be enforced against both.
Prime Minister Hun Sen has held power in some capacity since 1985, making him one of the longest-serving leaders in the world. Ahead of Cambodia’s last national elections in 2018, the country faced an uptick in hacking and phishing attempts that hit journalists, government ministries, and opposition figures and were likely orchestrated by state-linked Chinese hackers, according to a report by independent cybersecurity firm FireEye. The proposed cybersecurity law, says the government, would help combat threats of a similar kind.
But the draft law is also one of several digital initiatives that experts say is ripe for abuse, as the Southeast Asian nation aims to censor government critics and bolster control of the internet ahead of its July 2023 national elections.
“The intention of the regime matters, and Cambodia’s approach to security is very much driven by protection of the regime,” Gatra Priyandita, an analyst at the Australian Strategic Policy Institute’s International Cyber Policy Centre who specializes in Southeast Asia, told Rest of World. “The danger is that [the phrase] ‘public order’ gets equated to regime security. And in many cases, that has happened.”
Overseeing the law is the Ministry of Post and Telecommunications (MPTC), a key government department located in an ornate, colonial-era headquarters on a busy Phnom Penh street. In response to questions from Rest of World, a ministry spokesperson said that “the law is still in draft, and the team is working hard to review the comments from all stakeholders.”
In Cambodia, a political crackdown is playing out on- and offline. In the last three months, the government essentially closed VOD, one of the country’s last independent media outlets, and threatened NGOs into taking down a rap video commemorating a garment workers’ strike, while its courts have sentenced a former opposition leader to 27 years for treason and upheld a $1 million defamation conviction against another.
“Elections are a flashpoint when it comes to restrictions on political rights and civil liberties in Cambodia,” Kian Vesteinsson, a senior technology research analyst at nonprofit Freedom House, told Rest of World. “The draft cybersecurity law could open the door to further abuses, particularly against media outlets, telecommunications providers, and other digital service companies.”
The law would apply to public or private organizations providing services in 12 sectors, including telecommunications, security and emergency, banking and finance, health care, digital government and media, plus “other essential services.” The definition would cover the vast majority of companies operating in Cambodia. Nongovernmental organizations, so far, aren’t mentioned in the wording of the draft.
“This presents a whole new set of police powers, and it’s very possible that they could be enforced in really creative ways,” said Vesteinsson. “If the [security committee] names some sort of online content on a social media platform as presenting a critical cybersecurity threat, what enforcement actions would the government then take? Would we be seeing data seizures leveraged at local servers in Cambodia, for instance?”
The cybersecurity draft bill, experts told Rest of World, helps to place regulation firmly in MPTC’s grip as it grows its internet oversight. With a draft clause allowing the MPTC to “perform any … necessary duties related to cybersecurity,” as well as coordinate the security committee’s general secretariat, the ministry would appear to have eyes on “virtually everything” cybersecurity related, Priyandita said.
Since 2018, the MPTC has been one of three ministries authorized to monitor and investigate internet service providers in order to stop them from spreading “fake news.” In 2021, it was tasked with creating the contentious “National Internet Gateway” to route traffic through centralized government servers. Progress has been unclear after its launch was delayed last year, but the department has started requiring Cambodia-based entities to register their websites to a .kh domain name.
Recent reports have referred to the “fast-tracking” of a separate cybercrime bill. Drafts have been leaked, including one in 2020 that outlined punitive steps, such as upward of 10 years’ jail time for people transferring computer data without authorization.
While government-aligned media reported that the cybersecurity draft was also circulating among internet service providers, one longtime executive said their organization had not been informed of the draft process, nor received it as of late February. The MPTC has not publicly announced its next steps for the cybersecurity draft, which it says is “comprehensive.”
Representatives for Meta and Telegram did not respond to requests for comment.