Passing the Law on cybersecurity
On June 12, 2018, Law No. 24/2018/QH14 on cybersecurity is passed by the 14th National Assembly of Socialist Republic of Vietnam during its fifth session.
This Law provides for protection of national security and public order in cyberspace; responsibility of relevant organizations and individuals.
The Law defines “cybersecurity” as assurance that activities in cyberspace do not harm national security, public order, the lawful rights and interests of any organization or individual.
Cybersecurity protection measures include: Cybersecurity appraisal; Cybersecurity assessment; Cybersecurity inspection; Cybersecurity monitoring; Cybersecurity incident response and remediation; Cybersecurity protection activities; Use of cryptography for cybersecurity protection; Request for suspension or termination of network information; termination and suspension of establishment, provision and use of telecommunications network, the Internet, production and use of radio transmitters and receivers as prescribed by law; Request for removal of illegal or false information in cyberspace which violates national security, disrupts public order or violates lawful rights and interests of other organizations or individuals. Collection of electronic data relevant to violation of national security, disruption of public order or violation of lawful rights and interests of any organization or individual in cyberspace; Block or restrict activities of certain information system; termination, suspension or request for termination of certain information system; revocation of domain names; Initiation of charges, investigation, prosecution and hearing in accordance with the Criminal Procedure Code; and other measures defined by regulations of law on national security and handling administrative violations.
Some prohibited acts can be counted as: using of cyberspace for certain purposes such as organizing or participating in opposition to Socialist Republic of Vietnam; colluding with other people, persuading, buying off, duping, enticing or training people to oppose the government of Socialist Republic of Vietnam; Distortion of history, denial of revolutionary achievements, undermining national solidarity, blasphemy, discrimination by gender or race; Provision of false information for the purpose of causing public confusion or economic loss, obstructing regulatory bodies or law enforcers, violating lawful rights and interests of other organizations and individuals; Prostitution, vice, human trafficking; posting pornographic or criminal information; damaging Vietnam’s good traditions, social ethics or public health; Enticing, persuading or tempting others to commits crimes.
Actions to be taken in response to a cybersecurity emergency include: promptly implementing the cybersecurity emergency prevention and response plan; avoiding, eliminating or minimizing damage caused by the cybersecurity emergency; Informing relevant organizations and individuals; Collecting relevant information; continuously monitoring the cybersecurity emergency; Analyzing information; estimating damage and impacts caused by the cybersecurity emergency; Stopping providing cyberinformation within a certain area or disconnect from the international internet gateway; Providing forces and equipment for prevention and elimination of the cybersecurity emergency…
Responsibility to respond to cybersecurity emergencies is also stipulated as follow: The organization or individual that detects a cybersecurity emergency must promptly inform a professional cybersecurity force and implement the measures mentioned above. The Prime Minister will make decisions or authorize the Minister of Public Security to make decisions regarding cybersecurity emergencies that occur nationwide or locally or to a specific target. The Prime Minister will make decisions or authorize the Minister of National Defense to make decisions regarding cybersecurity emergencies that occur to cryptography of VGCA; Professional cybersecurity forces will take charge and cooperate with relevant organizations and individuals in implementing the measures mentioned above to respond to cybersecurity emergencies; Relevant organizations and individuals will cooperate with professional cybersecurity forces in implementing measures for prevention and response to cybersecurity emergencies.
Heads of organizations in central and local authorities and political organizations are responsible for organizing cybersecurity protection activities under their management. The struggle for cybersecurity protection in these organizations includes: Developing and completing regulations on use of local networks and the Internet; plans for assurance of cybersecurity of information systems; plans for cybersecurity incident response and remediation; Implementing and applying various cybersecurity protection plans, measures, technologies to information systems, information and documents created, stored and transmitted within information systems under their management; Providing refresher training in cybersecurity for officials, public employees and other employees; improve the capacity of cybersecurity forces; Ensuring cybersecurity during provision of public services in cyberspace, exchange of information with other entities; internal and external transmission of information and other activities specified by the Government; Investing in and develop infrastructure suitable for assurance of cybersecurity of information systems; Inspecting cybersecurity of information systems; prevent and deal with violations against regulations of law on cybersecurity; respond to and remediate cybersecurity incidents.
This Law comes into force from January 01, 2019. Within 12 months from the effective date of this Law, administrators of information systems that are already on the list of national security information systems shall ensure fulfillment of all cybersecurity requirements, which will be assessed by professional cybersecurity forces in accordance with Article 12 of this Law; The Prime Minister will consider extending this deadline for up to 12 more months where necessary. Within 12 months from the day on which an information system is added to the list of national security information systems, its administrator shall ensure fulfillment of all cybersecurity requirements, which will be assessed by professional cybersecurity forces in accordance with Article 12 of this Law; The Prime Minister will consider extending this deadline for up to 12 more months if necessary.