A draft of a new cybersecurity law, which has not previously been made public but has been obtained by Rest of World, would give the Cambodian government expanded powers to seize computer systems from companies, initiate searches during loosely defined cybersecurity incidents, and prosecute those who don’t comply.
The document is marked “confidential” and dated September 2, 2022. Laid out over 13 pages, the law would allow the government to seize operating systems and copy and filter data from entities unable to mitigate the impacts of a “cybersecurity threat or cybersecurity incident at the critical level” — defined broadly as an event that could cause “significant harm” to “national security, national defense, foreign relations, the economy, public health, safety or public order.”
“Any person” who “opposes the performance of duties” of the ministry or security committee could face imprisonment of up to a year under obstruction or incitement charges, and be fined up to 150,000,000 riel (about $37,000) — around double the annual salary for a company executive in Cambodia. The law would also use a “Digital Security Committee” under the ministry to prevent and respond to cybersecurity attacks.