Draft Law on Cyber ​​Security: Establishing a healthier, safer cyberspace

It is strictly forbidden to use AI to fake faces, voices... to commit fraud.

National Assembly Deputy Le Thi Thanh Lam ( Can Tho ) stated that the strong development of artificial intelligence (AI) has given rise to many methods of violation such as fraud, face, voice and image forgery. Reality also shows that vulnerable groups such as the elderly, the disabled, and people with limited behavioral capacity are also vulnerable targets. High-tech criminals are exploiting the lack of cyber security skills of these groups.

Therefore, the delegate suggested that in the regulations on prohibited acts in cybersecurity in Article 9, it is necessary to add a provision prohibiting the use of AI to fake faces, voices and other fake technologies to impersonate organizations and individuals to defraud, distort or confuse, infringe upon the legitimate rights and interests of people.

At the same time, continue to review and research additional regulations to prevent, stop and promptly handle acts of using technology, AI deepfake to edit, create clips, images, sounds to fake the identity, identifying characteristics of famous people or relatives to defraud, defame, provide false information... in the draft Law.

In addition, National Assembly member Ha Anh Phuong ( Phu Tho ) also pointed out 4 "loopholes" in Article 20 on preventing and combating child abuse in cyberspace. Although this is an important and progressive content of the draft Law, according to the delegate, the current regulations do not have criteria/levels to identify "content harmful to children", so it can easily lead to excessive removal of content or inconsistent handling.

At the same time, there is a lack of privacy "fences" when implementing techniques (data minimization principles, anonymity); a large compliance burden for small units because obligations are not stratified by risk/scale; there is no mechanism for quick complaints and transparent reporting, and there is no coverage of vulnerable groups other than children.

To close the above “loopholes”, delegate Ha Anh Phuong suggested that it is necessary to study and supplement the definition and classification of the level of harm with clear criteria. Add the principle of data protection (minimization, anonymity), establish a quick complaint channel and publish data periodically. At the same time, apply the “risk/scale” obligation model with a roadmap for small/educational - community services, meaning that not all services must meet the same expensive technical requirements.

For high-risk social media platforms (e.g., large social media, high number of users/spread, many children participating, sensitive content), delegates suggested that there must be filters/blocks and a quick reporting process. For medium-risk services (medium e-commerce platforms, specialized forums), a shortened set of requirements is met. For low-risk/small services (school club websites, small classroom applications), only minimum standards are required and a longer roadmap is applied.

“The tiering criteria can be based on the number of users/month, the ability to spread content, the proportion of users who are children, the type of content handled, and the history of violations. This approach helps focus resources on high-risk areas, reducing the burden on small units while still ensuring basic safety,” the delegate emphasized.

And, the delegate also noted that the provision of “applying professional measures to prevent and detect” in Article 20 of the draft Law is necessary, but does not mention the principle of protecting children’s personal data when collecting and analyzing information. “Cyberspace monitoring” can lead to “risks of privacy infringement” if there are no limits and independent monitoring mechanisms. Therefore, delegate Ha Anh Phuong proposed to add the principle “All professional activities related to children’s data must comply with the principle of minimizing and protecting personal data”.

Faced with the fact that the elderly account for about 50% of victims in online fraud cases, National Assembly Deputies Le Thi Thanh Lam and Le Thi Ngoc Linh (Ca Mau) proposed expanding the group of protected subjects to include vulnerable people such as the elderly, people with lost or limited civil capacity... to ensure comprehensiveness in the provisions of Chapter III on preventing and handling acts of violating network security. Supplementing regulations on the responsibilities of network platforms, telecommunications service providers, and banks in detecting, warning and coordinating the handling of acts of harm and fraud against this group.

The Government specifies in detail the responsibilities of ministries, branches and agencies.

Regarding the cyber security protection force, National Assembly Deputy Nguyen Quoc Duyet (Hanoi) stated that cyberspace has now become a new territory, an inseparable strategic space of national sovereignty, an environment that contains extremely complex security risks and challenges.

Cyberspace has become the fifth front and combat environment, alongside the traditional combat environments on land, in the air, at sea and in outer space. Cyberspace is considered a part of the national territory, holding a special position in the cause of building and defending the Fatherland. Therefore, protecting the Fatherland in cyberspace is an urgent, permanent and long-term task, closely linked to the cause of building and defending the Fatherland.

“The cross-border, asymmetric, and non-traditional nature of cyber threats makes protecting national sovereignty in cyberspace complicated and requires close coordination among forces, especially those playing a core role in the Ministry of National Defense and the Ministry of Public Security.”

Emphasizing the above requirement, delegate Nguyen Quoc Duyet suggested that the draft Law should clearly and transparently define the roles of the Ministry of National Defense, the Ministry of Public Security and the Government Cipher Committee; at the same time, the division of tasks and powers of agencies should be based on the functions and tasks of state management by sector and field.

National Assembly Deputy Nguyen Minh Quang (Hai Phong) also said that the provisions in Articles 15, 16, 22, 23, 24, 25 and Article 32 stipulate that the Ministry of National Defense has the responsibility and authority to manage and deploy a number of measures to protect cybersecurity for military information systems. Thus, the scope of the draft Law regulating the authority and management responsibility of the Ministry of National Defense is very narrow and does not cover all areas of national defense. The delegate suggested that it is necessary to inherit the 2015 Law on Network Information Security and the 2018 Law on Cyber ​​Security.

However, National Assembly Deputy To Van Tam (Kon Tum) agreed with the regulation that the specialized force for cyber security protection is arranged at the Ministry of Public Security and the Ministry of National Defense as shown in Article 42 of the draft Law. At the same time, he proposed to study and supplement regulations on functions and tasks of specialized training in technology and equipment, as well as have reasonable policies and regimes to serve as a basis for building a specialized force for professional and modern cyber security protection in our country.

In response to different opinions on this issue, in the conclusion of the discussion session, Vice Chairman of the National Assembly, Senior Lieutenant General Tran Quang Phuong requested the Government and the drafting agency to continue reviewing all provisions on specific responsibilities of ministries, branches and localities in the draft Law. Thereby, ensuring that only management contents are stipulated in the law, while the responsibilities of ministries and branches are generally stipulated in Chapter III of the draft Law; assigning the Government to specify details according to the scope of management and protection of network security of ministries, branches and localities.