Electronic Bulletin / Number 24 - June, 2006


Venezuelan rulings on the issue of cybersecurity

On the issue of cybersecurity in Information and Communication Technologies, currently Venezuela has the following rulings:

1. Law on protection of communications privacy;

2. Administrative Procedure containing the rulings associated with the request of information on the mobile telephony service;

3. Law on Data Messages and Electronic Signatures and its Regulation;

4. Special Law against Informatics Crime;

The law on protection of privacy in telecommunications was published in the Official Gazette of the Bolivarian Republic of Venezuela, N° 34.863, dated 16 December 1991, and its objective is to protect the privacy, confidentiality, inviolability and secrecy of communications between two or more individuals.

The aforementioned Law establishes sanctions for those individuals who:

  • In an arbitrary, clandestine or fraudulent manner, record, impose, interrupt or prevent communications between individuals;

  • Without being authorized by the referenced Law, install devices or instruments for the purpose of recording or preventing communications between individuals;

  • Disturb the tranquility of another person through the use of information obtained through procedures banned by the same Law.

Notwithstanding the above, the law in Venezuela allows telecommunication companies and Internet service suppliers to be compelled to reveal to investigation officials information related to communication activities, including some users’ personal data, in accordance with the provisions of the Organic Legal Penal Code and the related terms established by the Law on Protection of Privacy of Telecommunications. These rulings allow the interception or recording of conversations by telephone or other radio electric means of communication, as long as the Prosecutor’s Office obtains a warrant from the local judge in the area of the investigation, which shall be granted for the purpose of investigating the following punishable actions:

a) Crimes against the security or independence of the State;

b) Crimes foreseen by the Organic Law to Safeguard Public Patrimony;

c) Crimes contemplated by the Organic Law on Narcotic and Psychotropic Substances; and

d) Crimes of Kidnapping and Extortion.

Likewise, at a sub-legal level, Venezuela has the Administrative Ruling containing the rulings related to the request of information in mobile telephony services, mandated by CONATEL and published in the Official Gazette of the Bolivarian Republic of Venezuela N° 38.157, dated 1 April 2005, whose objective is to establish the rulings governing the request of personal data from mobile telephone subscribers by service operators at the time of subscribing their service contracts, as well as the rulings associated with the provision of information by the mobile telephone service operators to the State security organizations on the occasion of a legal investigation.

With respect to the Law on Data Messages and Electronic Signatures, published in Official Gazette N° 37.148 dated 28 February 2001, its objective is to award and acknowledge the efficacy and legal value of the Electronic Signature, the Data Message and all intelligible information in electronic format, regardless of its material support, attributable to individuals or legal entities, public or private, as well as to regulate matters related to Certified Service Providers and Electronic Certificates.

The Law on Data Messages and Electronic Signatures is applicable to Data Messages and Electronic Signatures regardless of their technological characteristics or any future technological developments. To this effect, its rulings will be developed and interpreted progressively, oriented towards acknowledging the validity and probatory efficacy of the Data Messages and the Electronic Signatures.

Through the Law on Data Messages and Electronic Signatures, the Electronic Certification Service Superintendence, SUSCERTE, is created as an autonomous service, with budgetary, administrative, financial and managerial autonomy, on the subjects of its jurisdiction, under the Ministry of Science and Technology. This Superintendence is responsible for accrediting, supervising and controlling the Certification Service Providers, both public and private, under the terms provided by this Decree-Law and its regulations.

Some of the responsibilities of SUSCERTE are:

  • Provide accreditation and corresponding renewal to the Certification Service Providers.

  • Revoke or suspend the granted accreditation whenever any of the required terms, requirements or obligations is not fulfilled.

  • Maintain, process, classify, safeguard and protect the Registry of Certification Service Providers, public or private.

  • Verify that the Certification Service Providers comply with the requirements of the Law on Data Messages and Electronic Signatures.

  • Supervise the activities of the Certification Service Providers.

  • Inspect and supervise the installation, operation and service provision of the Certification Service Providers.

  • Act as mediator in the resolution of conflicts that may arise between the Certification Service Providers and their users.

The Special Law against Informatics Crimes was published in the Official Gazette N° 37.313 of the Bolivarian Republic of Venezuela dated 30 October 2001, with the objective of providing comprehensive protection to the systems using information technology, as well as the prevention and sanction of crimes committed against such systems or any of their components or those committed with the use of said technology. This Law categorizes the following crimes:

  • Crimes Against Systems Using Information Technology;

  • Crimes Against Property;

  • Crimes against the privacy of individuals and communications;

  • Crimes against children or adolescents;

  • Crimes against economic order.

Currently, cyber security has increased in importance given the changing conditions and new computer platforms available. The possibility of connecting through networks has opened new horizons to explore beyond national borders, a situation which has brought about the rise of new threats to computer systems. This has led many governmental and non-governmental organizations to develop documents and directives that provide guidance in the proper use of these technological skills, as well as recommendations to obtain the maximum benefit from these advantages and avoid improper use of the same, which could lead to serious problems in the goods and services of the business enterprises of the world.

In this sense, cyber security policies rise from the Superintendence of Services of Electronic Certification SUSCERTE, as an organizational tool to raise awareness among each of the members of an organization regarding the importance and sensitivity of the information. In keeping with the above, in Official Journal No. 345.394 dated April 6, 2006 the Organic Law on Public Administration was published in accord with the Organic Law on Science, Technology and Innovation, which considers that the Ministry of Science and Technology must establish policies for a better use, protection and conservation of the information that is processed and stored in the computer equipment of the State, where the Cyber Security Policies will be directed at implementing necessary controls aimed at preserving the operability and continuity of the Bodies and Entities of the National Public Administration.

The manual presented by the Superintendence of Services of Electronic Certification SUSCERTE includes almost all the policies currently considered part of the non-military professional standard in cyber security. The standard of professional care defines the minimum set of cyber security measures expected from an institution. In this material many additional policies have been included which go beyond this standard of due diligence, because they provide a higher degree of security.

Although currently there is no worldwide standard that defines the specific policies of cyber security, the closest is document number 17799 of the ISO, which defines a scheme and provides high level guidance on cyber security policies. The policies in this manual are organized on the basis of ISO scheme 17799. Given the speed of significant developments in the legal, business, state and information areas, still a number of people wonder if we will ever have a specific set of standardized policies at the international level.

 

Domenico Pirillo and Karina Da Costa
CONATEL-Venezuela

Additional Information: Submitted as part of document CCP.I-TEL/doc. 803/06cor.1 at the VIII meeting of PCC.I.

 


© Copyright 2006. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | http://citel.oas.org