Breaking the National Cyber Security dilemma in Tunisia

31 June, 2016

Following the latest elections in October 2014, Tunisia is experiencing a set of circumstances that are unprecedented in the Arab world. Despite holding two peaceful elections and passing a constitution that is widely heralded as one of the most progressive in the Arab world, the national cyber security environment in Tunisia remains a hidden threat to data protection, privacy, and online security for cyber activists. 

Lately, Tunisia has decided to adhere to the Budapest Convention. As an acknowledged member state of Convention 108, Tunisia needs an updated Data Protection law. The current Data Protection law contains imperfections and has not been amended since 2004, despite the development of new communication technologies, and should be modified to meet international standards. The INPDP (National Instance of Personal Data Protection), which was created in 2008, is working on updating this law. The new law will fix all oversights and include the following rules:
  • Subjecting all public structures to protection rules
  • Establishing official protection in all public or private structures
  • Including valuable standards for the protection of personal data
  • Framing new projects such as visual surveillance of public roads, creating a unique identifier, storing ID card data online
  • Establishing the possibility of indirect access to the data through the INPDP
  • Establishing rules to deal with digital communication technologies
  • Authorizing the INPDP as a first-degree judicial body to impose penalties on violators

Budapest Convention and the way forward

When it comes to the Budapest Convention, a Cybercrime law needs to be enacted in Tunisia. A proposal has been drafted but has not reached consensus among the different ministries (the Ministry of Telecommunication Technologies and the Digital Economy, Ministry of Justice, Ministry of the Interior, Ministry of Defense, and other institutions involved in this law). This law aims to prevent crimes related to information and communication systems and set the provisions for collecting electronic evidence.

The ATT (Technical Agency for Telecommunication) was created in 2013 to perform legal interception of suspicious online communication. It will have an important role in providing technical support for the implementation of bills relating to data access and in supporting judicial investigations into crimes involving information and communication systems. The inception of the ATT agency is considered by human rights advocates in Tunisia to be controversial, but from a state national security perspective the attacks in March 2014 and June 2014 added weight to the government’s “antiterrorism” efforts to fight “cybercrimes” and “cyber terrorism” through a special unit within the Ministry of the Interior called “Brigade 5.” The unit is composed of 30 information security engineers, mandated under the counterterrorism law.
It is important to mention that the Tunisian parliament proposed a cybercrime law that was leaked to the public on July 23, 2014, with equally vague, punitive, and highly sweeping language, as well as another controversial counterterrorism law on July 25, 2015, replacing an older law from 2003. The law includes several ICT provisions and presents interception of communications and surveillance as a mechanism to gather evidence in ongoing criminal investigations and on any online threat that might put national cyber security at risk.

Today, there is a discussion on how to deal with hackers. Many activists in civil society are pushing to not consider hacking as a criminal act. The cyber security law is incorporated in the telecommunication code. The telecommunication code is being updated to follow the evolution of the Internet ecosystem and the introduction of new services. As it is today, it neither encourages or strengthens the infrastructure nor enhances the digital economy in the country. The new digital code will promote the use of infrastructure, enhance employability, and facilitate the establishment of startups. It will include three main chapters.

The structure of the telecommunication sector, electronic communications, and cyber security law:
  • Define the roles of different institutions and their reforms
  • Stress the functions of the regulator as a market regulator for fair competition
  • Strengthen infrastructure and broadband technologies (break all barriers preventing investment in fiber optics)
  • Set up mechanisms to develop new e-services such as e-health and e-education
  • Provide funds for some terminals to promote the deployment of new services (the Internet of Things)

The current cyber security law includes the creation of ANSI (National Information Security Agency, which accredits audits and runs national security systems). The law aims to set up the different rules to protect information systems and networks and adjust the information systems and network structures, which are subject to a mandatory audit and its follow-up procedures. However, this law includes many dispersed and diverse texts that lag behind an ever-evolving technology. In addition, we are facing a legislative vacuum regarding new applications and services like cloud computing. The update of the cyber security law will come with a reform of ANSI, which could become the information system department of the government, and will fix the different gaps in the current legal texts.

Tunisia has taken the right initiatives to reinforce the deployment of the infrastructure in terms of policies, regulation, and legislation within its ambitious strategy. Having a cybercrime bill and an updated cyber security law, with a whole new digital code regulating the ICT ecosystem with respect to data privacy and its protection, will help build an enabling environment for access and connectivity. It will certainly encourage foreign investors to create business in the country, which will have a positive economic impact.

Mrs. Wafa Dahmani, Senior Engineer & Head of Internet Resources Department, Tunisian Internet Agency (ATI)