The approval of initiative 6347 that contains the Cybersecurity Law in Congress again presents delays, because, according to several deputies, the opinion of the bill presents inconsistencies which may be subject to objections and even unconstitutionality if approved at this time by the Legislature.
The initiative received a favorable opinion from the National Security Affairs Commission in August of the previous year. Among the main aspects that have been framed is the classification of new computer crimes, such as computer forgery, appropriation of another’s identity, illicit access and interception of data, computer fraud and abuse of technological devices. Prison sentences for these crimes range from 6 to 30 years.
In addition to the classification of crimes, The strengthening of the entities in charge of research is established and the administration of justice, such as the Public Ministry (MP), the Judicial Branch (OJ) and the National Civil Police (PNC), through the creation of prosecutors’ offices and investigation units specialized in the issue of cybersecurity.
It also proposes the creation of the Computer Security Incident Response Center of Guatemala (CSIRT-GT), which will be made up of the ministries of Defense, Interior, Foreign Affairs, Communications and Finance, as well as the Secretariat of Strategic Intelligence of the State and the Attorney General’s Office (PGN), which will be the technical entity responsible for the analysis, management, coordination and response to cybersecurity incidents at the national level.
In terms of international cooperation, The bill establishes the creation of a Mutual Assistance Network against Computer Crimes RED 24/17 Guatemala, with the objective of guaranteeing the provision of immediate help at an international level for the purposes of investigations or procedures related to indications of crimes linked to computer systems and data. The creation of this network will be the responsibility of the Public Ministry, indicated in the initiative.
It also proposes cooperation in matters of extradition due to cybercrimeswhen required, applying the provisions of the Law Regulating the Extradition Procedure, Decree 28-2008 of Congress, as well as the international treaties on the matter to which Guatemala is a party.
In addition to these aspects, The strengthening of the Ministry of National Defense is also stipulated in terms of cyber defense, with the objective of providing protection of critical and important information of the State.
According to the opinion, with this law Guatemala “aligns itself with international and regional standards on cybersecurity, laying the foundations for secure, resilient and sovereign digital governance.”
Weaknesses of the law
According to several deputies, The opinion of said proposal contains aspects that are not properly defined.
Elmer Palencia, second vice president of the Legislature, who raised the privileged motion on April 14 for the initiative to be removed from the agenda and sent again to the working committees of National Security Affairs and the Economy, pointed out several weaknesses within the opinion, such as an institutional design that is not clear, since, for this purpose, an autonomous entity with technical capacity and sufficient resources is required, among other weaknesses.
“The main weakness – is that it mixes different subjects, cybersecurity, cybercrimes, institutional response, without delimiting powers. This does not strengthen the State, it generates confusion and weakens the ability to act,” said the congressman.
At your discretion, A law on this matter must be based mainly on risk prevention and management, among other important aspects.
“A modern cybersecurity law must focus on prevention, risk management, identification of vulnerabilities, clear standards, audits and mandatory reporting of incidents,” he pointed out.
Deputy Sandra Jovel, from the Valor bloc, considers that the opinion that was about to be approved in its third debate does not respond to the protection of the data of Guatemalans that were already violated with the hacking that occurred in the General Directorate of Weapons and Ammunition (Digecam), since cybersecurity must also focus on protecting the privacy of citizens.
“The initiative –6347– does not answer the most urgent question: who protects Guatemalans today who have already been violated? Because cybersecurity is not just theory, cybersecurity is also the protection of rights, it is the defense of private life, it is the guarantee of personal security,” said the congresswoman.
Deputy Nery Rodas, from the Cabal bloc, considers that in Guatemala the issue has not been given importance and that they only react according to the situation.
“Guatemala is one of the countries that does not take this issue seriously and we are letting countries like the Dominican Republic, like Costa Rica, set the example for us. It is not just talking about cybersecurity and now the alert is raised because of what happened in one of the institutions, but this is a serious problem that at any time can destabilize the entire government. But as I already said, Guatemala sometimes reacts based on current issues, media pressure,” he says.
Civil and preventive model
Juan Carlos Zapata, executive director of the Foundation for the Development of Guatemala (Fundesa)indicates that it is positive that the opinion of initiative 6347 has been returned again to the commissions to issue a new one, since, If it had been approved, the Legislature would have made an error.
“Unlike other comparative civil cybersecurity frameworks, the opinion lacks an autonomous and multisectoral entity that guarantees transparency, prevention and integration of cybersecurity with data transformation and protection policies,” he comments.
It also indicates that The law’s current approach prioritizes a national security and defense model rather than a civilian model, preventive and coordinated with the digital transformation.
“In democratic countries such as Chile, Spain, Germany, France, the United States and Costa Rica, among others, it is focused on a civilian leadership of cybersecurity and reserving military intervention only for exceptional cases of national defense. The model contained in the current opinion of the Cybersecurity Law initiative in Guatemala is only seen in countries such as China, Russia, Iran and North Korea,” says Zapata.
Furthermore, it indicates that Civil and multisectoral actors are not taken into account within the cybersecurity leadership. It also highlights that there is an absence of an administrative and preventive regime, coupled with the lack of transparency and accountability mechanisms.
“The analysis carried out by the Legal Certainty Table of the Guatemala Doesn’t Stop initiative established the danger of initiative 6347 being approved in its current form. Now the key is that the institution – the governing body – is decentralized so that it really has the necessary capabilities and that it is not going to remain in the Ministry of Defense because we already saw what happened in Digecam,” concludes Zapata.