Sri Lanka just came out with a draft bill for a proactive, national cyber-defense entity. This entity functions by designating systems as Critical Information Infrastructure (CII) and then appointing people responsible for reporting security breaches and so on and so forth. The legalese looks like this: Part V 18(1) states that “the Agency shall identify and recommend to the Minister the designation of a computer or computer system as CII for the purposes of this Act, if the Agency is satisfied that- (a) the computer or computer system is necessary for the continuous delivery of essential services for the public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace or for any other criteria as may be prescribed and the disruption or destruction of which would likely to have serious impact on the public health, public safety, privacy, national security, international stability or on the effective functioning of the government or the economy; and (b) the computer or computer system is located wholly or partly in Sri Lanka… The current proposed version gives the Agency the right to designate even corporate computer systems as CIIs, bust down their doors, inspect […]