Cybersecurity legal frameworks in Vietnam and Japan: A Comparative Analysis

b In the Cybersecurity Law in 2018 of Vietnam, the term “cybersecurity” can be understood as “assurance that activities in cyberspace do not harm national security, public order, the law

VIETNAM NATIONAL UNIVERSITY, HANOI VIETNAM JAPAN UNIVERSITY

VU PHUONG LINH

CYBERSECURITY LEGAL FRAMEWORKS IN VIETNAM AND

JAPAN:

A COMPARATIVE ANALYSIS

MASTER’S THESIS MASTER OF PUBLIC POLICY

Hanoi, 2019

VIETNAM NATIONAL UNIVERSITY, HANOI

VIETNAM JAPAN UNIVERSITY

VU PHUONG LINH

CYBERSECURITY LEGAL FRAMEWORKS IN VIETNAM AND

Associate Prof KOBAYASHI TAKAAKI

Dr BUI HAI THIEM

Hanoi, 2019

CONTENTS

LIST OF FIGURE iii

ACKNOWLEDGEMENTS iv

ABBREVIATION v

CHAPTER 1: INTRODUCTION 1

1.1 Overview: 1

1.2 Why choose this topic? 2

1.3 Definitions: 3

1.4 Purpose of the research: 6

1.5 Research questions: 6

1.6 Methodology: 6

1.7 Literature review: 6

1.8 Limitation of the research: 10

CHAPTER 2: COMPARISION BETWEEN VIETNAMESE AND JAPANESE CYBERSECURITY LEGAL FRAMEWORKS 11

2.1 Japanese cybersecurity legal frameworks 11

2.1.1 Overview: 11

2.1.2 Characteristics of Japanese cybersecurity legal framework 12

2.2 Vietnamese cybersecurity legal framework 16

2.2.1 Overview: 16

2.2.2 Characteristics of Vietnamese cybersecurity legal framework 17

2.3 Similarities between Japanese and Vietnamese legal frameworks: 25

CHAPTER 3: EXPLANATION WHY THERE ARE DIFFERENCES BETWEEN TWO LEGAL FRAMEWORKS 27

3.1 Background of Japan: 27

3.1.1 Situation in Japan: 27

3.1.2 History of modern law of Japan 29

3.1.3 The theory of “Rule of Law” 29

3.2 Background of Vietnam: 33

3.2.1 Situation about cybersecurity in Vietnam: 33

3.2.2 History of modern law in Vietnam: 36

3.2.3 Theory of Socialist state ruled of law 37

CHAPTER 4: THE EFFECTS FROM LEGAL FRAMEWORKS 41

4.1 The effects from Japanese cybersecurity legal framework 41

4.2 The effects from Vietnamese cybersecurity legal framework 45

CHAPTER 5: RECOMMENDATIONS AND CONCLUSION 49

5.1 Recommendations: 49

5.2 Conclusion: 52

REFERRENCES 53

LIST OF FIGURE

Figure 3.1: The percentage of total population and number of aging people over 70

years old in Japan (1990 – 2018) ……… 28

Figure 4.1: The organization of agencies in charge of cybersecurity before and after

the Basic Act on Cybersecurity……… ……….42

Figure 4.2: Current framework of cybersecurity policy in Japan………….…….43 Figure 4.3: Proactive measures taken to guard against cyberattacks……….… 45 Figure 4.4: Top risky online behaviors in Vietnam.……… 47 Figure 4.5: Weakness of enterprises in Vietnam about information security ….48 Figure 5.1: Promoting cybersecurity through anime in Japan……… 50

ACKNOWLEDGEMENTS

From the bottom of my heart, I would like to thank my supervisors, Prof Kobayashi and Dr Thiem, for their wonderful supports Despite the fact that both of them are very busy, they always try to spend their time to help and give me valuable ideas While Prof Kobayashi has helped me with the methodology and made me understand my research topic better, Dr Thiem has pointed out for me which theories should I use in this thesis and give me advices to improve my paper Without their guidance, this thesis cannot be finished

Next, I want to send my gratitude to Dr Thuy Anh and Dr Hoang Linh for giving me helpful comments and supporting me mentally at VJU I also want to give my special thanks to all teachers and everyone at Tsukuba University, especially the staffs at Global Initiative Office for their warmly welcome and helping me with my internship in Japan Through the internship, I had had the opportunities to collect documents for this thesis and had time to understand Japan better Moreover, I would love to thanks all the teachers at VJU and our program assistant, Mrs Ha, for helping me with the procedure related to this thesis and other works

Last but not least, there are my family and my friends – all the people who has supported me from the beginning until the end of this thesis Thank you, for always stay by my side and encourage me

ABBREVIATION

AI: Artificial Intelligence

APT: Asia-Pacific Telecommunity

CII: Critical information infrastructure

IoT: Internet of things

NISC: National center of Incident readiness and Strategy for Cybersecurity

NSC: National Security Council (Japan)

VGCA: Vietnam Government Certification Authority

VNISA: Vietnam Information Security Association

CHAPTER 1: INTRODUCTION

1.1 Overview:

Nowadays, cybersecurity has become one of global issues since Internet has been the center of many crucial activities of human beings due to its convenience, including connecting with other people, online shopping, entertainment… and collecting information However, this environment is totally not safe as it seems: The more people using Internet, the more of their private information will be put onto it and this information can be used for cybercrime and malicious cyberattack, threatening human rights and properties of the owners The target could be any legal person, from individuals to groups, organizations, and even government agencies Cybercrime are also creating more heavy damages than ever before: According to the report from McAfee (2018) – One of worldwide security companies, the cost of cybercrime in 2016 was $4.2 trillion; In the case of WannaCry ransomware attack only in 2017, the losses could reach $4 billion with more than 100.000 groups over

150 countries had been affected (CBS News, 2017)

Consider the number of cyberattacks which increases sharply in these decades, together with the awareness about the possible damages which cyberattack can create, many governments have made their moves by built cybersecurity legal framework, including Vietnam On June 12th 2018, Vietnamese Cybersecurity Law was officially passed with the approval of 423 Assembly members (86,86% of the total members of the National Assembly), and has been enforced from January 1st

2019 After being approved by the Assembly, there are many people who has raise their voice referring to the content of this law Many people worried that their basic human rights will be violated, including the freedom of speech, the right of access

to information and their privacy since the law has mentioned about the responsibilities of Internet service providers and other enterprises provide their services on the Internet, which includes verify the identification of the users, provide the information regarding the users to the professional cybersecurity force

of the Ministry of Public Security when they request, prevent and delete the

information which is considered as illegal, including: Against the Vietnamese government, disturbing the public, national secrets A large number of organizations, groups and activists in Vietnam are also shown their concerns regarding how the Cybersecurity Law will affect their activities in the future, including UN Human Rights, American Chamber Commerce, and so on

1.2 Why choose this topic?

a) Cyberspace is important to our current life:

With the increasing of Internet users and activities which are happening on the cyberspace, it is clear that the cyberspace is becoming an inseparable part of our life According to Statista (2019), approximately 4.4 billion people were active Internet users as of April 2019, encompassing 58% of the global population In some countries such as UAE, Iceland, Norway, Qatar… the online usage rate is 99% (Statista, 2019) Being able to store and exchange a massive amount of information without limitation of time and space are also some of the strongest characteristics of cyberspace Over the last two years alone, 90 percent of the data

in the world was generated and each day, there are 2.5 quintillion bytes of data created at our current pace (Marr B., 2018) Thanks to these amounts of information and the speed of information flows, human being can connect to each other, despite

of distance and time, together with doing other activities such as online shopping, mobile banking, studying through online classes and so on Regarding the number

of possibility activities are increasing, the barrier between cyberspace and real space

is also become blur This also means that the attacks come from cyberspace can also create heavy damage in reality, with a larger scale and it is much harder to find out the culprit In order to prevent and keep the damage at minimum, governments have been put many efforts in improving cybersecurity and building a cybersecurity legal framework is one of them

b) There is no proper research about current Vietnamese cybersecurity legal framework in general and comparative research about Vietnamese

cybersecurity legal framework and Japanese cybersecurity legal framework

in particular:

While Vietnamese Cybersecurity Law was just passed last year and the concept of cybersecurity still new to the people, Japan is the first country in G7 (including France, Germany, the U.S, England, Canada, Italy and Japan) implemented “Basic Act on Cybersecurity” as a specific law for cybersecurity (Kazuyasu S and Masaya H., 2018) Therefore, Japan has had a long time in implementing cybersecurity law than other countries Moreover, Japan is also well-known as a country with high technology, thus this country may have more experiences about dealing with cyberattack

1.3 Definitions:

In this paper, some inportant key terms will be applied definitions as below:

- Cybersecurity legal framework:

Legal framework can be understood as a set of specialized legal regulations which manage same kind of social relations to ensure these relations can work in unity and maintain the social order Cybersecurity legal framework is a set of specialized legal regulations manage relations between all the stakeholders which are related to cybersecurity This can include the Constitution, Criminal Law, Cybersecurity Law and other legal documents

- Cybersecurity:

In order to point out what are the differences between two legal frameworks, this paper will use two definitons of cybersecurity which are mentioned in the main cybersecurity law of each system

a) In the case of Japan, the definition of cybersecurity will be taken from

the Basic Act on Cybersecurity, which is “the necessary measures that are needed to be taken to safely manage information, such as prevention against the leak, disappearance, or damage of information which is stored, sent, in transmission, or received by electronic,

magnetic, or other means unrecognizable by natural perceptive functions (hereinafter in this section referred to as "Electronic or Magnetic Means"); and to guarantee the safety and reliability of information systems and information and telecommunications networks (including necessary preventive measures against malicious activities toward electronic computers through information network

or storage media for information created by electronic or magnetic means (hereinafter referred to as "Electronic or Magnetic Storage Media")), and that those states are appropriately maintained”

b) In the Cybersecurity Law in 2018 of Vietnam, the term “cybersecurity”

can be understood as “assurance that activities in cyberspace do not harm national security, public order, the lawful rights and interests of any organization or individual”

Similar to the term “cybersecurity”, other related terms such as cyberspace,

cyberattack and cybercrime will also use two definitions from both countries:

- Cyberspace and National cyberspace:

a) In the Cybersecurity Strategy in 2015 of Japan, cyberspace has been

defined as “an artificial domain for the free exchange of ideas without being constrained by national borders” and “an intangible frontier of infinite values generated by intellectual creations and innovations inspired by the ideas globally exchanged”

b) In Vietnam, “cyberspace” means a network of information technology (IT) infrastructure which includes telecommunications network, the Internet, computer network, communication systems, information processing and control systems, databases; cyberspace is where people’s activities are not limited by space and time (National

Assembly, 2018)

Beside the definition of cyberspace, Vietnamese Cybersecurity Law also

mentions the term “national cyberspace”, which has been defined as “a cyberspace established, managed and controlled by the Government”

- Cyberattack:

a) In the Cybersecurity Law of Vietnam, “cyberattack” has been

explained as “the use of cyberspace, information technology or electronic devices to sabotage or interrupt the telecommunications network, the Internet, computer network, communication systems, information processing and control systems, databases or electronic devices”

b) In Japan, while this terms is not defined in the cybersecurity law, according to Japanese Ministry of Defense (n.d.), “cyberattack” can

be understood as “abuse of information and communications networks, information systems to make an unauthorized access, steal, falsify or destroy information, cause information systems to cease functioning or to malfunction, execute a malicious program or implement a DDoS attack (distributed denial of service attack) through cyberspace”

- Cybercrime:

a) The term “cybercrime" has been defined as “a crime that involves the use of cyberspace, information technology or electronic devices as

defined in Criminal Code” in Vietnamese Cybersecurity Law

b) On the contrary, instead of giving a general definition, the National Police Agency of Japan only mentions that cybercrime consists of

three categories; "Violation of Unauthorized Computer Access Law",

"Crime against computer/data" and "Internet Crime" (National Police

Agency, 2003)

1.4 Purpose of the research:

This research purpose is to find out the differences between cybersecurity legal frameworks in Japan and Vietnam and the reasons why they happen From that point, the author will find out the effects which caused by these two legal structures and analyze what is the strong points and weaknesses from both flameworks, and how to improve both of them

1.5 Research questions:

- What are the differences between Vietnamese and Japanese cybersecurity legal frameworks?

- Why these differences happen?

- What are the effects caused by these differences?

1.6 Methodology:

In this paper, comparative research method will be used to compare and analyze Japanese and Vietnamese cybersecurity legal frameworks in general in order to find out the differences and similarities between these frameworks Later, these characteristics will be explained base on the background information of each country, the theory of Rule of Law – Separation of powers for Japan and the theory

of Socialist state ruled of law in the case of Vietnam Through these explanation, this thesis will show the advantages, disadvantages and effects of each legal framework

1.7 Literature review:

2 Cyberspace, cybersecurity, cyberattack and cybercrime:

In order to be able to analyze each legal framework referring to cybersecurity,

it is necessary to know how these governments define four keywords: Cyberspace, cybersecurity, cyberattack and cybercrime since these terms are strongly related to each other and the government will build legal documents related to cybersecurity base on their definitions

For the definitions of “cybersecurity”, this paper will mention the definitions which are used in Basic Act on Cybersecurity (2014 – Amended 2018) of Japan and Cybersecurity Law (2018) of Vietnam In the Basic Act on Cybersecurity,

“cybersecurity” has been defined as “the necessary measures that are needed to be taken to safely manage information, such as prevention against the leak, disappearance, or damage of information which is stored, sent, in transmission, or received by electronic, magnetic, or other means unrecognizable by natural perceptive functions (hereinafter in this section referred to as "Electronic or Magnetic Means"); and to guarantee the safety and reliability of information systems and information and telecommunications networks (including necessary preventive measures against malicious activities toward electronic computers through information network or storage media for information created by electronic

or magnetic means (hereinafter referred to as "Electronic or Magnetic Storage Media")), and that those states are appropriately maintained” - which means

Japanese government has seen cybersecurity in technical aspect while in the case of

Vietnam, the definition of “cybersecurity” is “assurance that activities in cyberspace do not harm national security, public order, the lawful rights and interests of any organization or individual”– which means Vietnamese government

has seen cybersecurity in political and legal aspect Outside of the term

“cybersecurity”, Vietnamese government also defined “cyberspace”, “cyberattack”, and “cybercrime” in Cybersecurity Law, while Japan define these terms in different documents: The definition of “cyberspace” can be found in Japan Cybersecurity Strategy 2015, “cyberattack” was defined by Ministry of Defense (Ministry of Defense, n.d.) and “cybercrime” was defined by National Police Agency(National Police Agency, 2003)

3 Japanese and Vietnamese cybersecurity legal frameworks:

Outside of main legal documents which are directly dedicated to cybersecurity

in Japan are Basic Act on Cybersecurity (2014 – Amended 2018) and Cybersecurity Strategy (2018), other regulations related to cybersecurity are:

• Penal Code (1907 – Amended 2017) – which mentions about Computer Fraud (Article 246-2), Damaging of Documents for Government Use (Article 258) and Private Use (Article 259);

• Installment Sales Act (1961 – Amended 2018) – which now required online businesses handle credit card data appropriately and implement faud prevention measure;

• Unfair Competition Prevention Act (1993 – Amended 2015) – showing what kinds of activity are considered as unfair competition;

• Unauthorized Computer Access Prohibition Act (1999 – Amended 2013);

• Act on the Protection of Personal Information (2003) – which mentions about collecting, retaining, handling personal information;

• Act on Protection of Specially Designated Secrets (2013) – Mentioning information which is considered as specially designated secrets and people who handle them

Similar to Japan, together with the Cybersecurity Law (2018) as main legal document dealing with cybersecurity, other law such as Criminal Code (2015 – Amended 2016), Law on E-transactions (2005), Law on Network Information Security (2015)… are also mention about cybersecurity in one way of another Since Japan is the first country in G7 promulgated a specific law which is dedicated to cybersecurity, there are several researches referring to Japanese cybersecurity legal system and policies which has shown how the cybersecurity

legal framework of Japan has changed from time to time, including Japan’s Changing Cybersecurity Landscape by Nir Kshetri (2014); Review of the Japan Cybersecurity Stratery by Yoko Nitta (2014); Reseach Report on Cybersecurity and Privacy in the APT (Asia-Pacific Telecommunity) member Countries from Korea

Internet & Security Agency – KISA (2016)… In the case of Vietnam, since the Cybersecurity Law has just passed on June 2018 there is still no proper research related to this legal document and cybersecurity legal framework of Vietnam in

general, only some reports from Ministry of Public Security, National Assembly or Ministry of Justice.

4 Background of each country:

It is also essential to take a look at the background of both countries to figure out why cybersecurity legal framework is needed Together with the information from the Cybersecurity Strategies from years to years and the goals of Abenomics, this paper also consider about the real situation which is happenning in Japan base

on the report and information from several newspapers, such as Reuters, Nikkei Asian Review, The Diplomat…

Based on the history and the characteristics of Japanese law and Japanese

government system which has been shown through Introduction to Japanese Law

by Yoshiyuki Noda (1976); Japanese Law and Legal Theory by Koijiro Fujikura (1996); The spirit of Japanese Law by John Owen Haley (1998) and Japanese Law

by Hiroshi Oda (2009), it is quite clear that the contemporary legal system is the result of adapting both American system and Civil law system (from France and Germany) in the context of Japan The Rule of Law, which is the fundamental principle underlying the present Constitution of Japan (Hiroshi O., 2009), also become a crucial element in the entire Japanese legal system and cybersecurity legal framework is no exception

5 Theory of Rule of Law and Socialist state ruled of law:

To understand the spirit of Vietnamese and Japanese legal framework in general and the will of the government behind the main cybersecurity legal documents, it is necessary to know more about the theory of Rule of Law which was applied in the case of Japan and the theory of Socialist state ruled of law in the case of Vietnam Outside of documents which are related to Japanese law have been

mentioned above, this paper also studied about Rule of Law from The Spirit of the Laws by Montesquieu (1748) and On the Social Contract; or, Principles of Political Rights by Jean-Jacques Rousseau (1762) For the theory of Socialist state ruled of

law, there are several papers such as Theory of Socialist state ruled of law by Le Cong Dinh (2007); Socialist state ruled of law of the people, by the people, for the people under the leadership of Vietnamese Communist Party – Achievements and development orientation by Dao Tri Uc (2008); Building socialist state ruled of law

in Vietnam at the moment by Tran Thanh (2008) …

1.8 Limitation of the research:

- Due to the lack of time and capacity, this research can mainly focus on legal documents which are having the most effects related to

cybersecurity in each country

- Since the topic is about legal frameworks, other factors outside legal aspect which are also affecting the reality will not be mentioned or be mentioned much in this paper

CHAPTER 2: COMPARISION BETWEEN VIETNAMESE

AND JAPANESE CYBERSECURITY LEGAL

FRAMEWORKS

At the first sight, it is undeniable that the legal frameworks about cybersecurity

of Vietnam and Japan are different in general: If Japanese government approached cybersecurity in a technical way then Vietnamese government tried to define what cybersecurity is in legal and political aspects; while responsibilities of the government are emphasized in the case of Japan, Vietnamese cybersecurity legal framework requests compulsory cooperation between the service providers and the users with the government However, what is the meaning lying under these characteristics? Such question will be discussed further in this chapter

2.1 Japanese cybersecurity legal frameworks

2.1.1 Overview:

Even though Japan has always well-known as a developed country with high technology, it seems that this thought is not correct in the case of cybersecurity The Japanese government has started facing cyberattacks since 2000s when Japanese government website was defaced for the first time in January, 2000 (Tomoo Y., 2017) After that, some efforts have been made such as the establishment of IT Strategic Headquarters (2000), National Information Security Center (2005) and Information Security Policy Council (2005) (Tomoo Y., 2017), together with basic strategies of information security, yearly plans, government agency and critical infrastructure measures However, at that time, Japan still did not considered cyberattacks as a national security threat, if not neglected them: Despite the fact that many Japanese government agencies, especially Ministry of Defense gets hacked every day, no one at this ministry understands cyberspace and therefore they cannot

do anything, only watch and simply report that there has been an attack (Ruairidh

V., 2013) While there is opinion that the cyberattacks on Lower House Diet and defense contractor Mitsubishi Heavy Industries in 2011 had helped raising concerns and open the eyes of both Japanese policymakers and business executives (Kshetri N., 2014), cybersecurity was only officially recognized as national security and crisis management problem from 2013, started with Cybersecurity Strategy which was determined on June 10, 2013, by Policy Council (Tomoo Y., 2017) In 2014, by promulgating Basic Act on Cybersecurity in 2014, Japan become the first country in G7 which has a separate law dedicates to cybersecurity From that point, this country continues to invest more in cyberspace in general Through several Cybersecurity Strategies, reforming and strengthening the system which is in charge

of applying and promoting cybersecurity, Japan is moving toward the goal of creating Society 5.0 and prepare for Olympic and Paralympic Games Tokyo 2020

2.1.2 Characteristics of Japanese cybersecurity legal framework

Today, the Basic Act on Cybersecurity is the main law about cybersecurity After this law was enforced, legal documents which were used to stipulated part of cybersecurity before such as Telecommunications Business Act (1984), Penal Code (1907 – Amended 2007), Act on Prohibition of Unauthorized Computer Access (1999 – Amended 2013), Basic Act on the Formation of an Advanced Information and Telecommunications Network Society (2000) and Act on Protection of Specially Designated Secrets (2013) are still valid and having important role in supporting the Basic Act on Cybersecurity With the Basic Act on Cybersecurity as the centre, some features of Japanese cybersecurity legal framework can be seen, includes:

• Maintaining cybersecurity while trying to protect the nature of cyberspace

Japan wants to aim for cybersecurity with the minimum of interfering the flow

of information and the nature of cyberspace Starting with the way the term

“cyberspace” was defined in Cybersecurity Strategy in 2015 as “an artificial domain for the free exchange of ideas without being constrained by national borders” and

“an intangible frontier of infinite values generated by intellectual creations and innovations inspired by the ideas globally exchanged” Base on this definition, cyberspace in Japanese Government point of view has two features:

- Cyberspace is not constrained by time or space: In the real world, the

space is limited and each country is separate from each other by national border On the cyberspace, such limitation does not exist at all Thanks to such nature, people can communicate and enjoying services from other places in the world without being hold down by physical factors

- Cyberspace contains unlimited resources and free flow of information: As mentioned above, the capacity of cyberspace is

unlimited due to the fact that it is not constrained by time and space Since cyberspace has a large number of users and demands for exchange information/knowledge on cyberspace are tremendous, the amount of information which is uploaded and exchange on cyberspace is also

of information or assets are not allowed

By choosing to maintain these characteristics of cyberspace, the Japanese

government can guarantee that the right of expression and right of access to information of the people will be ensured This allow people to freely express their

own ideas and arguments, especially when their ideas are against the others In this way, controversial problems can be discussed and everyone can see the issues in

different aspects, therefore people can understand the problems better and having more advantages in finding solutions Moreover, since people can access to information freely, they will have more change to gain knowledge they needed in several sources so that they could compare them to each other and finding which one is true and which one is not accurate For people who are in academic environment, such condition is the best for them to pursue their study further For the citizen, they can give their own opinions (even if such opinion is negative) from the bottom of their heart to make their nation better without worry about being punished For the government, they can receive feedbacks from their people as fast

as they could and think about how to improve the situation

• Responsibility of maintaining cybersecurity mainly belongs to the public sector, but cooperation between all stakeholders are highly recommended

The responsibilities of all stakeholders are mentioned from Article 4 to Article

9 of the Basic Act on Cybersecurity However, while the public sector entities (central government, local governments, critical information infrastructure (CII) operators) must take the responsibility about cybersecurity, other parties (Enterprises, educational and research organizations, citizens) are encouraged to voluntary and cooperate with the government in applying cybersecurity The reason

is also come from the nature of cyberspace: Since cyberspace is not restricted by time and space, cyberattacks can come anytime without any caution and it is difficult to find out who is the attacker Therefore, prepare and prevent cyberattacks are easier and effective rather than tracking the culprit And then, due to the fact that cyberspace is crucial for contemporary Japanese economy and national security, the government must take the main role in making a secure cyberspace Again, since cyberspace is a place which doe not have any border and anyone can become targets

of cyberattacks, no one can protect the cybersecurity by themselves alone and because of that, cooperation between stakeholders is needed

• Cybersecurity in the context of Japan is in technical aspect rather than political aspect

In the case of Japan, cybersecurity in general and methods to secure cyberspace has been mentioned in technical aspect rather than political aspect - this can be seen not only in the Basic Act of Cybersecurity but also other legal documents Starting with the definition of cybersecurity: Article 2 of the Basic Act

on Cybersecurity defined cybersecurity as “the necessary measures that are needed

to be taken to safely manage information, such as prevention against the leak, disappearance, or damage of information which is stored, sent, in transmission, or received by electronic, magnetic, or other means unrecognizable by natural perceptive functions (hereinafter in this section referred to as "Electronic or Magnetic Means"); and to guarantee the safety and reliability of information systems and information and telecommunications networks (including necessary preventive measures against malicious activities toward electronic computers through information network or storage media for information created by electronic

or magnetic means (hereinafter referred to as "Electronic or Magnetic Storage Media")), and that those states are appropriately maintained.” Next, in two

Cybersecurity Strategy in 2015 and 2018, the role of cyberspace, together with policy approarches are very specific and highlight about the importance of new technology which are directly related to cyberspace such as artificial intelligence (AI), Internet of Things (IoT), finance services using new technology (Fintech)… and what kind of measures should be done in order to prevent risks from cyberspace toward them By explaining about cybersecurity and related topics in technical aspect, it is easier to all stakeholders to understand clearly what they should do in order to implement cybersecurity in their case

• Main authority of secure cybersecurity belongs to the Cybersecurity Strategic Headquarters and National Center of Incident Readiness and Strategy for Cybersecurity (NISC):

According to the Basic Act on Cybersecurity, the Cybersecurity Strategic Headquarter has many functions which mainly focus on improving cybersecurity mainly base on the cooperation of other national organs (Article 25) Moreover, this Headquarter can also request the submission of materials, the presentation of opinion, explanation and any other necessary cooperation from: the heads of local governments and Incorporated Administrative Agencies; the deans of national university corporations (referring to national university corporations prescribed under Article 2, paragraph (1) of the National University Corporation Act (Act No.112 of 2003)); the heads of inter-university research institute corporations (referring to inter-university research institute corporations prescribed under Article

2, paragraph (3) of the Act); the President of the Japan Legal Support Center (referring to the Japan Legal Support Center prescribed under Article 13 of the Comprehensive Legal Support Act (Act No 74 of 2004)); the representatives of Special Corporations and authorized corporations (referring to juridical persons incorporated by a special act and where the approval of a governmental entity is required for their incorporation and associated matters), the representative of the relevant entity facilitating Cybersecurity-related communication and coordination with domestic and foreign parties concerned (Article 31, Clause 1) and other parties (Article 31, Clause 2) Together with Cybersecurity Strategic Headquarters, NISC also has a big role in maintaining cybersecurity by doing cybersecurity audit, analyzing incident through investigation and cooperate with the local government

2.2 Vietnamese cybersecurity legal framework

Internet are also increasing Beside the fact that Vietnam is also a target of cyberattacks just like any country in the world and cybercrimes in Vietnam are becoming more and more complicated to the extent that current legal documents are not enough anymore, one of the biggest problems which raising concerns of Vietnamese government are the movements from anti-government groups and individuals on the Internet Since the amount of information on cyberspace is enormous, together with the fact that they are easy to be spread and hard to track the sources, it is a big challenge to the authority to control the flow of information, especially the kind of information which is negative and malicious toward them, including false information, confidential information, and information which will put them into difficult situations once it is spread In order to deal with these situations, the Cybersecurity Law was promulgated and enforced starting from January, 2019 However, this law has been criticized by several stakeholders because people worry that it will limit the freedom of expression, become a violation of privacy and decrease investment in Vietnam

2.2.2 Characteristics of Vietnamese cybersecurity legal framework

Similar to Japan, before Cybersecurity Law was promulgated there are some legal documents which are somehow related to cybersecurity such as Law on E-transaction in 2006 (specified about transaction on electronic devices), Criminal Law in 2015 (Chapter XXI, Section 2, from Article 285 to Article 294 mentions about cybercrime and punishments) and Law on Cyberinformation Security in 2015 (stipulating matters about information in cyberspace) Together with these legal documents, Vietnamese Communist Party also implemented several resolutions and directives which are about directions of developing information infrastructure such

as Resolution No 13-NQ/TW of the 4th Plenum of the 11th Party Central Conference, on January 16, 2012; Directive No 46-CT/TW of Political Bureau… Although these documents are not legally binding, they are the base of major Vietnamese laws since the content of them will be legalized into laws after that

Through these legal documents, some characteristics of the cybersecurity legal framework of Vietnam can be seen, for example:

• Law enforcement in general and cybersecurity protection in particular must be put under the leadership of Vietnamese Communist Party

The principle “enforcement must be put under the leadership of Vietnamese Communist Party” is applied for every single type of legal documents in Vietnam and the Cybersecurity Law is not an exception In the Article 4, Clause 2 of

Cybersecurity law has mentioned: “Cybersecurity protection will be carried out under leadership of Vietnam’s Communist Party and management of the State” -

This means any actions related to cybersecurity must follow the will of Vietnamese Communist Party

• One of methods which will be use for maintaining cybersecurity is

managing the information inside cyberspace

If one of basic principles of maintaining cybersecurity in Japan is secure the cyberspace while ensure the free flow of information on cyberspace, then in Vietnam, control the flow of information (or control how people can access information) is necessary for the sake of maintaining cybersecurity For more details, the idea of control information has appeared in the Resolution No 13-NQ/TW of the 4th Plenum of the 11th Party Central Conference in 2012 through

“enhancing management of information on the Internet, social networks and individual blogs” (Central Executive Committee of Communist Party, 2012) Next, this feature can be seen in Cybersecurity Law through several articles, for example:

- According to Article 5, point i and point l at the first Clause,

cybersecurity protection measures also include “Request for removal of illegal or false information in cyberspace which violates national security, disrupts public order or violates lawful rights and interests of other organizations or individuals” and “Block or restrict activities of certain

information system; termination, suspension or request for termination of certain information system; revocation of domain names”.This means if

an information is considered as illegal or false and violates national security/disrupts public order/violates lawful rights and interests of other organizations or individuals will be requested to be removed, and the government also have the authority of limiting the access of people toward certain information system if they want Article 16 and Article 26 has point out that information which commits one of the acts below will

be consider as illegal information, including:

(a) Oppose the government of Socialist Republic of Vietnam;

(b) Disrupt social order and violates national security;

(c) Humiliate or slander people;

(d) Violate economic management laws

If an information has been considered as illegal, it will be not allow on website, web portals and social media pages of any organization or individual

- Article 26 mentioned that domestic and overseas providers of telecommunications services, Internet services and value added services

in Vietnam’s cyberspace must:

(a) Verify users’ information when they open digital accounts;

(b) Provide users’ information for professional cybersecurity forces of the Ministry of Public Security upon request document to serve investigation into cybersecurity violations;

(c) Block and delete information mentioned in Clause 1 to Clause 5 of Article 16 of this Law on their services or information systems within

24 hours after a request is given by the cybersecurity force of the Ministry of Public Security or a competent authority of the Ministry

of Information and Communications

- Article 26 also mentioned “Domestic and overseas providers of telecommunications services, Internet services and value added services

in Vietnam’s cyberspace that collect, analyze or process private information or data about relationships of their service users or data created by their service users in Vietnam shall retain such data for a specific period of time defined by the Government Overseas enterprises mentioned in this Clause shall open branches or representative offices in Vietnam”

• The cooperation between all stakeholders is compulsory

Although both Vietnam and Japan legal systems require cooperation from all stakeholders in implementing cybersecurity, cooperation between the government and other stakeholders is compulsory in Vietnamese law, which has been showed in Article 26 as mentioned above and other Article such as Clause 8 (Internet and online providers must cooperate with the government to handle information which

is violate the law), Clause 9 (Internet users who post illegal information must remove/delete it at the request from professional cybersecurity force) of Article 16, Point b, Clause 2 of Article 21…

• Cyberspace also has border just like a nation in real world

In the Article 2 of Cybersecurity Law, beside the definition of “cyberspace”

there is also the term “national cyberspace”, which means “a cyberspace established, managed and controlled by the government” While cyberspace is still

defined as “where people’s activities are not limited by space and time”, by define what is “national cyberspace” the Vietnamese government has shown that there is a special kind of cyberspace, or rather a part of the entire cyberspace is still be managed by the government and therefore, any entity using services or having activities on such cyberspace must follow the rules of the creator – in this case, the government Based on this logic, once people are considered using Vietnam’s cyberspace, no matter which nationality they are and what kind of services they use, they have to follow Vietnamese law just like in real life where they have to follow Vietnamese law as long as they are in Vietnam For more details, Article 26 mentions responsibility of enterprises which are providers of telecommunications

services, Internet services and value-added services in Vietnam’s cyberspace about what they have to do with information which are consider illegal, how they should treat the person who violated the law and what they have to do with their users’ data This Article also mention that these enterprises must retain users’s data for a specific period of time defined by the government and the overseas enterprises which are providers of telecommunications services, Internet services and value-added services in Vietnam’s cyberspace must open branches or representative offices in Vietnam However, this argument seems to have some problems:

- First of all, it is almost impossible to know where is the limitation of national cyberspace According to the Article 26, conpany provides

services which are related to cybersecurity on Vietnam’s cyberspace will have to follow the law of Vietnam and if they do not follow, they will have to face punishment from the government However, since cyberspace are not limited by time and space, it is possible to users in Vietnam to use online services which are provided by companies from other nations (which does not have branches or representative offices in Vietnam) and vice versa For example, A is a Vietnamese and M company is a Japanese enterprise M company makes game which allows people all over the world can play and pay by using credit card or online banking, then A find out how to download such game and play it In that case, is it possible to the government interfere in these transaction and

asking the company to follow Vietnamese law?

- Secondly, create such border can also limit the legitimate right of access to information of the people Since information are unlimited

and very hard to control, beside of the removing information method, the government mostly will ask the Internet providers in Vietnam to block the IP address of certain websites which the government doubts that most

of anti-government information will come from them However, blocking these websites does not mean this information will disappear, it is just

that most of the people who use Internet in Vietnam cannot access to them For example, BBC is one of the online newspapers which has been blocked in Vietnam because of posting several articles which can be considered as against the Vietnamese Communist Party and Vietnamese government Other domains such as Wattpad.com, Blogspot.com are also blocked by some Internet providers due to the fact that there are some bloggers use their blogs to express their opinions against the government Although most of the people who live in Vietnam cannot access to this website, people who bypass the firewall or who are using the Internet in other countries can still access to it And while the government can ensure that not many people would know about anti-government information from these websites due to blocking, the Vietnamese citizen are constrained from accessing the knowledge in other aspects which is

shared on those websites

- Last but not least, data localization is still a controversial issue

According to the Article 26, Internet and online services provider enterprises must retain users’s data for a specific period of time defined

by the government and the overseas enterprises which are providers of telecommunications services, Internet services and value-added services

in Vietnam’s cyberspace must open branches or representative offices in Vietnam Moreover, Article 25 and Article 26 of the draft of new regulation for Cybersecurity Law mention in a more details way about what kind of enterprise must stored users’s data and open branches or representative offices, together with the minimum time limitation that these companies have to keep users’ data Even though the law is not mentioning directly, in order to saving the data base on how the law has requested, these enterprises will need to put their servers within the border of Vietnam While saving the data can help when cybercrime happen and the demand of tracking culprits are needed, not only these servers will easily become target of cyberattacks but the price for creating

them can also making more burden to companies and put them into

considering if they should continue to invest in Vietnam

• Cybersecurity in the context of Vietnam is in political aspect rather than technical aspect

While other countries such as Japan defines “cybersecurity” in a technical

aspect, the term “cybersecurity” has been explained as “assurance that activities in cyberspace do not harm national security, public order, the lawful rights and interests of any organization or individual” in Vietnamese Cybersecurity Law

With this definition, the range of actions which can be considered as cybersecurity

is very large, including both technical responses and activities which is for political purposes, including maintain national security and public order

• The power of Ministry of Public Security in maintains cybersecurity

is huge:

If the Ministry of Public Security has already had a big role in maintaining cybersecurity by preventing cybercrime through the Criminal Law, then after implementing the Cybersecurity Law the power of this Ministry has been become higher than ever with their professional cybersecurity force While having professional forces for cybersecurity is undoubtedly necessary, there are several concerns related to the authority of this team in particular and the Ministry itself in general

of the main cybersecurity forces in Vietnam, according to Article 30 of the Cybersecurity Law There are two professional cybersecurity forces in Vietnam: One belongs to the Ministry of Public Security and the other is in charged by Ministry of National Defense While these teams have to take main responsibilities

in maintain cybersecurity in Vietnam, the professional team from Ministry of National Defense is mostly focus on the infrastructure under control of the military and the other team will take control of the civil part Due to the characteristics of

their work which are related to national security, the budget and other resources for the development of both professional cybersecurity forces is prioritized (Article 3, Clause 3) Also according to the Cybersecurity Law, the professional cybersecurity force of the Ministry of Public Security has permission to do several actions, includes:

- The professional cybersecurity force of Ministry of Public Security can

do appraisal (Article 11, Clause 4, point a), assessment (Article 12, Clause 3, point a), inspection (Article 13, Clause 5, point c), supervision (Article 14), together with response and remediation of cybersecurity incidents occurring to National security information systems (Article 15, Clause 3, point a)

- According to Article 16 Clause 7, all professional cybersecurity forces and competent authorities can request individuals and organizations to suspend or remove the information which is considered as cybersecurity violations Also, they can block and restrict the information network, deny access from internet users to the information/websites which violate the law Individuals and organizations, including private enterprises shall cooperate with professional cybersecurity forces or else they will face with penalties from the government base on their behaviors (Article 9)

- The professional cybersecurity force of Ministry of Public Security can ask enterprises which handles personal information to give them information of users by formal written request (Article 26, Clause 2, point a) They can also request these companies to block, delete illegal information according to the law and stop providing or refuse to provide services for organizations or individuals whom violated the law (Article 26)

Two of the competences in this list which is highly concerned by the people is that the professional cybersecurity force of Ministry of Public Security can take personal information from service providers and request them to handle the

information which is considered as illegal While this ability allows the Vietnamese Government to manage the social order and political stability, it also limits the right

of expression and right to access to information of the people in general Next, since there is no standard for confirming if a piece of information is truly violating the law or not, therefore the barrier between criticize wrongdoings of the government and anti-government movements is not clear Furthermore, because the procedure of requesting information from these enterprises is not explicit at the moment and there is no way to check and monitor such procedure yet, it is possible for the authority to abuse of their power

2.3 Similarities between Japanese and Vietnamese legal frameworks:

While current Japanese and Vietnamese legal frameworks are different in general, there are also several similarities betweens these two structures, includes:

- Highlight the importance of cooperation between these stakeholders with each other: Both Cybersecurity Law of Vietnam and the Basic Act

on Cybersecurity of Japan mention about the responsibilities of all stakeholders and emphasize the cooperation between them

- Having law which regulates about handling personal information in general and handle on cyberspace in particular:

Right to privacy is one of the constitutional rights in both Vietnam and Japan This right has been secured not only by important legal documents such as the Constitution, Criminal Law or Civil Code but also other specific laws In addition, personal information is not only crucial for the person who has itself but also a very crucial source on cyberspace for the Government and other parties such as business entities, swindlers and hackers since it can bring a massive amount of money to these parties Therefore, secure personal information is also being considered as an important part in secure cybersecurity