Ecuador: Cybersecurity Bill overview
On 19 October 2021, Assemblyman Rodrigo Fajardo submitted the draft Law on Digital Security, Cybersecurity, Cyberdefence and Cyberintelligence ('the Bill') for analysis and approval by the National Assembly of the Republic of Ecuador. Jaime Mantilla Compte, Partner at Falconi Puig Abogados, provides a general overview of the provisions of the Bill.
The Bill seeks to prevent and combat crises and recover information in case of cybernetic threats or attacks. In addition to creating a Cybersecurity Subsystem for this purpose, several reforms to existing laws are proposed, such as the possibility for the Superintendency of Banks to demand that controlled entities implement corrective measures in cyber and technological crimes, and even impose sanctions for non-compliance with cybersecurity policies.
Purpose and scope
The purpose of the Bill is to establish a digital security system that allows the prevention, neutralisation, and management of crises and the retrieval of information in case of threats, risks, and cyberattacks, with the participation of different public and private organisations to coordinate the actions of the Government.
The Bill pursues the execution of public policies in order to prevent and mitigate all malicious cyber activity that puts at risk the integral security of the Ecuadorian State, its sovereignty, and citizens' rights in general.
National Digital Security System
The National Digital Security System will be formed of the subsystems, institutions, policies, strategies, regulations, plans, and programs set forth in order to carry out the strategic management of the digital security of the Government and will be conducted by the Council of Public and State Security ('CONSEPE').
The Office of the Attorney General and the Judiciary Council will be auxiliary institutions. Eventually, any other institutions involved in the subject may take part, if required.
Secretary of the CONSEPE
The Secretary of the CONSEPE ('the Secretary') will have the following functions:
- preparing the Digital Security Plan according to the National Plan of Development;
- defining the public policy of the institutions in matters of cybersecurity, cyber defense, and cyber intelligence;
- carrying out the necessary diagnoses with the institutions of the National Digital Security System and presenting them to the President of the Republic and the CONSEPE;
- supervising and monitoring cybersecurity, cyber defense, and cyber intelligence risks and measures for the protection of critical infrastructures;
- presenting preventative and mitigation strategies to the President of the Republic and the CONSEPE on matters of digital security;
- ensuring the coordinated action of the subsystems to prevent, manage, and eliminate any act that threatens the cybersecurity, cyber defense, and cyber intelligence of the country;
- presenting reports to the President and the CONSEPE on the criminal acts that have taken place in cyberspace or in relation to cyber defense and cyber intelligence;
- ensuring that the institutions of the National Security System fulfil their functions;
- approving the plans, reports, or evaluations submitted by the different subsystems; and
- recommending the signing of international agreements on cybersecurity, cyber defense, and cyber intelligence matters to the Government.
The Cybersecurity Subsystem will be formed of the National Police, the Ministry of Government, and the Ministry of Telecommunications. It will directly coordinate with the Cyber Intelligence Subsystem, which will deliver the necessary information for its correct development.
The Ministry of Government will have the following functions within the Cybersecurity Subsystem:
- complying with and enforcing public policies, strategies, and plans issued by the Secretary;
- identifying the components of IT infrastructure that pose a high risk;
- carrying out an assessment of the cybersecurity vulnerabilities of State institutions to submit a report to the Secretary;
- proposing effective actions for the protection of data of State agencies that use IT systems;
- coordinating and supporting the implementation of solutions to cases of cybercrimes, cyberattacks, and other incidents that may affect public and private institutions;
- responding to IT incidents through its technical investigation and collecting evidence of any action that represents an indication of fraud in IT systems;
- providing undercover agents, informants, monitored and controlled deliveries, and interception of communications;
- generating public policy for international cooperation to support and resolve any incident that takes place within the country and may be caused from abroad;
- preparing a registry of investigations carried out and presenting it every six months to the Secretary;
- presenting research and technology transfer projects to prevent incidents and cybercrimes in cyberspace; and
- coordinating and cooperating with public and private organisations to jointly comply with the corresponding regulations in order to guarantee cybersecurity.
The Ministry of Telecommunications will have the following functions within the Cybersecurity Subsystem:
- complying with the activities and functions determined by the Secretary;
- issuing protocols, strategies, and IT security plans in order to protect the different cybernetic infrastructures of Government Institutions;
- recommending prioritisation in obtaining technological and human equipment to strengthen the digital infrastructures of the Government; and
- alerting and reporting to the competent authorities about incidents and crimes that may occur in cyberspace and affect citizen security and state sovereignty.
Cyber Defense Subsystem
The Cyber Defense Subsystem will be formed by the Ministry of Defense, the Joint Command of the Armed Forces, and the Ministry of Telecommunications, and will have direct coordination with the Cyber Intelligence Subsystem, which will deliver the necessary information for the correct development of its functions of protecting the sovereignty of the State.
The Ministry of Defense and the Joint Command of the Armed Forces will have the following functions within the Cyber Defense Subsystem:
- complying with and enforcing public policies, strategies, and plans issued by the Secretary;
- identifying the IT infrastructure components that have a high risk in relation to State sovereignty;
- evaluating the vulnerabilities in cyber defense of State institutions and presenting a report to the Secretary, which must include actions and recommendations to control the possible risks;
- coordinating and implementing solutions to cybercrimes, cyberattacks, and other incidents that may affect public and private institutions and put the defense and sovereignty of the State at risk;
- responding to IT incidents through its technical investigation and compiling evidence of any action that represents an indication of fraud in IT systems, which puts the defense and sovereignty of the State at risk;
- providing undercover agents, informants, monitored and controlled deliveries, and interception of communications, which will belong to the Armed Forces;
- generating public policies for international cooperation, in order to support and resolve any incident that endangers the defense and sovereignty of the State;
- preparing a registry of investigations carried out which must be submitted every six months to the Secretary;
- presenting research and technology transfer projects in order to prevent incidents or attacks on the sovereignty of the State in cyberspace; and
- coordinating and cooperating with both public and private organisations to jointly comply with the corresponding regulations in order to guarantee cyber defense.
Cyber Intelligence Subsystem
The Cyber Intelligence Subsystem will be led by the Strategic Intelligence Center and will be articulated with the Subsystems of Cybersecurity and Cyber Defense for the detection and neutralisation of threats to citizen security and the defense of the Government in cyberspace.
Auxiliary bodies of the National Digital Security System
The Bill assigns certain specific functions to auxiliary bodies that can support the National Digital Security System.
The Office of the Attorney General will provide legal technical assistance in the application of laws through its institutional organisation, and will also have the following functions:
- advising the National Digital Security System on the criminal problems and statistics according to the complaints filed for cybercrimes;
- registering complaints of all cybercrimes and sending reports to the Secretary every six months;
- collecting criminological information and proposing crime prevention policies and strategies in cyberspace; and
- preparing statistics related to crimes that occurred in national cyberspace.
The Judiciary Council will have the following functions within the Cyber Defense Subsystem:
- registering all judicial processes initiated for cybercrimes and sending reports to the Secretary every six months;
- presenting a report twice a year with the results of the judicial processes that are carried out in the justice system; and
- executing plans, actions, and training on digital security for judges, prosecutors, experts, and other public officials of the Judicial Branch.
Reforms to other laws
The Bill proposes reforms to other laws in order to bring other authorities into the cybersecurity system it creates, namely:
- The Monetary Code:
  - the adoption of measures to prevent cybercrimes within the operations of financial entities (included within the competences of the Financial Policy and Regulation Board);
  - the extension of the functions of the Superintendency of Banks by incorporating the capability of requiring controlled entities to adopt corrective measures regarding cyber and technological crimes, as well as the power to impose sanctions for noncompliance with cybersecurity policies;
- the same function mentioned above is given to the Superintendence of Popular and Solidarity Economy by reform of the Organic Law on the matter; and
- the Organic Law on the Protection of Personal Data incorporates a new function for the data protection authority, which is to provide a quarterly report to the Secretary on risks and cyberattacks related to data protection.
Jaime Mantilla Compte, Partner
Falconi Puig Abogados, Quito