The Government has been calling for greater digitalisation of public services and state institutions, citing ease of doing business, more streamlined service and reduced overheads as the troubled island nation looks to make an economic recovery in the wake of several turbulent years. However, the lofty policy goals announced by the Government have the rug pulled from beneath when long-term policy failures of not getting the basics right, come back to bite the state in its digital hind parts.
One such instance came to light last week, where the Government admitted that a month’s long ransomware attack had compromised millions of state emails, including that of the Cabinet Office was lost, between May and August of this year.
It is learnt that around 5000 state emails, which use the Lanka Government Network (LGN), came under attack, and lost its data due to the encryption used by the ransomware attackers. According to reports,when the attack occurred, the Government network was still using the 2013 Microsoft Exchange email solution, a decade later.
It is learnt that the Government, had not had in place adequate security or data backup, leaving the ransomware attackers a gold mine of state communications, which they can now unload on the darknet – if ransom demands are not met. This occurs despite numerous digitalisation’s drives over the last decade and billions spent on defence and crime fighting. It is evident that the Government hasn’t enforced the proper safeguards, redundancies, nor has effected adequate guidelines for the digital infrastructure of the State. This is also a clear example of weak prioritisation of national security and defence policy making, implementation and spending. The fact that to this date, there has neither been an official statement from the Government about the large-scale breach of state communications, nor an explanation is telling of the importance the Government and the national security agencies place on what would have been a tier-one national security concern for other countries. Similarly, the fact that there hasn’t been a public or industry outrage about the attack and the magnitude of it, is an indication of the level of social awareness of such threats.
According to reports, it seems like the decision not to have adequate backup data systems and upgrade the email system was due to ‘administrative decisions’ back in 2021. As such, the Government must have a robust investigation into the attack and be transparent about it. Why was such a critical State communication apparatus, left vulnerable for a decade, while policy makers and state officials pandering themselves with luxury vehicles and exorbitant travel, should be laid bare. Further, the recent increase in online scams which use e-Government systems will only erode public confidence in using government services online. With many Sri Lankans moving ‘online’ to obtain state services during the COVID pandemic, the stakes are high for scams to con unsuspecting citizens.
The inefficiency and neglect of duty in the state sector has been a long-standing issue with one only needing to step into one of the many state institutions to seek their services, to be reminded about how efficient the sector is. Further, many Sri Lankan ministries, and state institutions still use web-based email service providers for official communications. This is also a sign that the State doesn’t take cyber security seriously. Questions must be asked about why there was no redundancy system in place to back the email communications? Why was there no regular cyber security risk assessment done to find the loopholes exploited by these cyber criminals? Looking at the period that the ransomware attack occurred, one has to ask what institutions like SLCIRT and ICTA was doing while the systems were attacked?
Is the Sri Lankan Government incapable of establishing a robust team of tech experts who can lay out a decent cyber security system for the line ministries? What happened to the millions allocated to build a cyber-security operations room at the Ministry of Defence? And who is the apex body that handles national cyber security today, and why are they not being held accountable, are all questions Sri Lankan taxpayers should be asking.