On April 15, 2022, Uzbekistan adopted the Law “On Cybersecurity” No.764, which regulates relations in the field of cybersecurity. The Law will, however, enter into force only three months after the date of its official publication – July 17, 2022.
The Law provides that the unified state policy in the field of cybersecurity is determined by the President of the Republic of Uzbekistan. Furthermore, the Law designates the State Security Service of the Republic of Uzbekistan as the authorized state body in the field of cybersecurity.
The authorized state body is endowed with a wide range of rights and powers. The powers of this state body in the field of cybersecurity include:
· development of regulatory legal acts and government programs in the field of cybersecurity;
· conducting operational search activities, pre-investigation checks and investigative actions on cybersecurity incidents;
· making a decision on the inclusion of objects in the unified register of critical information infrastructure objects based on information provided by subjects of cybersecurity;
· determining requirements for ensuring cybersecurity of critical information infrastructure objects;
· organization of work on the implementation of means for detecting, preventing and eliminating the consequences of cyber-attacks, as well as taking measures regarding cybersecurity incidents at critical information infrastructure objects;
· organization of work on identification, collection and analysis of data on existing vulnerabilities and possible threats at critical information infrastructure objects.
Additionally, the authorized state body, when exercising its powers in the field of cybersecurity, has the following rights:
· execution of the function of state control and verification of ensuring the state of cybersecurity for unhindered access and connection to information systems and resources of organizations, as well as the study of data regarding the implementation and operation of means for ensuring cybersecurity of information systems and resources of these objects;
· gratuitous use of technical installations and services to take immediate action to eliminate cyber-attacks;
· access to monitoring systems or critical information infrastructure objects for the implementation of organizational and technical measures during monitoring work to ensure cybersecurity;
· unhindered entry, if necessary with damage to locking devices and other items, into the living quarters of individuals and legal entities, and inspection of them when prosecuting persons suspected of committing crimes in the field of information technology, or if there are sufficient grounds to believe that such a crime is being committed or was committed there.
This Law also obliges the subjects of cybersecurity (legal entities and individual entrepreneurs):
· to notify the authorized state body of cybersecurity incidents and cybercrimes that have occurred;
· to carry out mutual exchange with the authorized state body of data in the field of protection and monitoring of the safe operation of cybersecurity objects;
· to ensure the functioning of mechanisms for taking measures against cybersecurity incidents and the work of cybersecurity units, and, in their absence, to use outsourcing services with the permission of the authorized state body in accordance with the established procedure;
· to grant the authorized state body the right of access to monitoring systems and (or) cybersecurity objects for the implementation of organizational and technical measures for monitoring cybersecurity.
In our opinion, some provisions of the Law run counter to a basic principle of civil law, namely the principle of freedom of contract, as well as to principles established in a huge number of laws and regulations: the inadmissibility of arbitrary interference by anyone in private affairs and the need for the unhindered exercise of civil rights. However, it remains to be seen how this Law will be implemented in practice.
Most of the requirements of this Law affect objects of critical information infrastructure. This category includes informatization systems used in the field of:
· public administration and provision of public services;
· defense, state security, law and order;
· fuel and energy complex (nuclear power), chemical, petrochemical industries, metallurgy;
· water use and water supply, agriculture;
· healthcare, housing and communal services;
· banking and financial system, transport;
· information and communication technologies;
· ecology and environmental protection, extraction and processing of minerals of strategic importance, industrial sphere;
· and in other sectors of the economy and the social sphere.
Subjects of critical information infrastructure are subject to mandatory examination for compliance with cybersecurity requirements, and must also certify hardware, hardware-software and software tools. Employees responsible for ensuring the cybersecurity of critical information infrastructure objects are certified by an authorized state body. Dissemination of information about cybersecurity incidents is restricted, and such information can be disclosed after the incidents are completely eliminated.
This Law also prescribes state support and development in the field of cybersecurity. For example, support for subjects of cybersecurity includes:
· provision of tax and customs privileges and preferences to subjects of cybersecurity;
· creating conditions for attracting funds from economic entities to finance the cybersecurity sector.
Support of scientific, technical and innovative activities in the field of cybersecurity includes:
· allocation of subsidies to subjects of cybersecurity to finance research, design and technological work carried out during the implementation of investment projects;
· stimulating demand for innovative products, including optimization of goods (works, services) purchased for state needs;
· providing financial assistance to organizations implementing projects to improve the level of cybersecurity, including those engaged in innovative activities in the provision of services using existing advanced technologies.
The State develops and supports human resources in the field of cybersecurity and encourages employees responsible for ensuring the cybersecurity of critical information infrastructure objects.
The Law also separately emphasizes the readiness and openness of the Republic of Uzbekistan to carry out international cooperation in the field of cybersecurity. The authorized state body may, upon request, provide foreign States and international organizations with information on combating international cybercrime. Moreover, such information can be provided in advance without a request, if it does not interfere with investigative actions or judicial process and serves to suspend cyber-attacks and to ensure the timely detection and elimination of criminal acts committed using cyberspace.