- Govt. to implement comprehensive cybersecurity strategy
- Proposed Cyber Security Bill at AG’s Dept.; to P’ment within a few months
Sri Lanka is at a pivotal moment in its digital transformation journey, with ambitious plans to digitise public services, integrate secure payment gateways, and protect citizens’ data. However, the rising threat of cyberattacks, exemplified by recent hacking incidents, poses significant challenges.
To address these risks, the Government is implementing a comprehensive cybersecurity strategy, strengthening legal frameworks, and fostering public awareness, which includes a Cyber Security Bill which is currently in its final stages.
Hacking and risk to Govt. digitisation plans
Recent incidents, such as the hacking of the Department of Government Printing website and the Police official YouTube channel, have highlighted vulnerabilities in Government systems. Hackers have added unauthorised information, exposing lapses in regular security updates and assessments.
Sri Lanka Computer Emergency Readiness Team (SLCERT) Lead Information Security Engineer Charuka Damunupola informed The Sunday Morning that the hacking of the Police YouTube channel was not formally under investigation by SLCERT, but that the incident involving the website of the Department of Government Printing was a matter of concern.
Damunupola explained that SLCERT was instrumental in restoring the Department of Government Printing website after having detected unauthorised hacking of the system. “The hacker had added information that was not supposed to be there, which we were able to trace by investigating the log files,” he said.
He revealed that these issues stemmed largely from non-compliance with cybersecurity policies and a lack of dedicated personnel to oversee information security in some institutions.
“One of the key problems is the lack of regular security assessments and updates. Websites are often left without necessary security patches, making them easy targets for attackers,” Damunupola explained.
“In response, we are undertaking immediate steps including creating awareness and providing training on how to handle cybersecurity-related matters. We have also undertaken restoring compromised systems and analysing log files to identify vulnerabilities,” he asserted.
He emphasised the importance of appointing information officers and assistant information officers in all Government organisations to ensure compliance with cybersecurity policies, explaining that most Government entities had now conformed to the cybersecurity policy of the country.
He further explained that for many of the issues relating to data security and digital platforms, the Cyber Security Strategy 2024-2027, which was in its final stages, would be pivotal.
Speaking to The Sunday Morning, Deputy Minister of Digital Economy Eranga Weeraratne emphasised: “This strategy provides clear guidelines for securing Government systems, conducting regular assessments, and implementing continuous monitoring to counter cyber threats.”
It also includes capacity-building initiatives for Government officials to handle security breaches effectively, according to Weeraratne.
Securing payment gateways in Govt. institutions
With plans to integrate payment gateways into Government institutions, the protection of financial data remains a top priority. Weeraratne outlined stringent measures, including the implementation of strong encryption, secure protocols, and multi-factor authentication.
“These measures align with website security guidelines and the Central Bank of Sri Lanka’s (CBSL) standards for financial payment applications. We also conduct regular assessments for penetration testing to identify security weaknesses, which may significantly reduce the risk of cyberattacks on our systems,” he noted.
Regular penetration testing and security assessments are conducted to identify and rectify vulnerabilities. These efforts aimed to minimise the risk of cyberattacks on payment systems, ensuring secure and reliable transactions for citizens, Weeraratne emphasised.
Safeguarding citizens’ data in digital transactions
When asked about the vulnerability of citizens’ data on Government platforms, Weeraratne observed that the protection of citizen data was fundamental to building trust in digital platforms.
According to him, strong encryption methods and secure coding practices are employed to safeguard personal information, which comply with information and cybersecurity policies and website security guidelines.
In addition to technological safeguards, the Government focuses on educating stakeholders and the public about best practices for data security. “Public awareness is crucial in ensuring that citizens’ information remains safe during online transactions,” he emphasised.
Cybersecurity Strategy 2024-2027
The recent hacking incidents targeting Government websites, including the Department of Government Printing, underscore the urgent need for robust cybersecurity measures.
Both Damunupola and Weeraratne highlighted the Government’s multifaceted approach to addressing these threats through the Cybersecurity Strategy 2024-2027. This strategy, which will be implemented over the next few years, serves as a national roadmap to strengthen cybersecurity across all sectors, according to Weeraratne.
“This strategy aims to secure critical national infrastructure, protect Government digital systems, ensure the safety of citizen data, and build the necessary cyber capacities and legal frameworks to combat evolving cyber threats effectively,” he noted, adding: “The strategy is in its final stages of review and is expected to be gazetted within the next couple of months.”
Damunupola revealed that he expected Cabinet approval for the strategy within the first quarter of 2025. The strategy provides a structured framework for continuous improvement, aligning with the Government’s broader digital economy agenda.
Cyber Security Bill: A legislative milestone
Deputy Minister Weeraratne also discussed the status of the Cyber Security Bill. The bill, which has been in development for a few years, represents a critical step in establishing a robust legal framework.
“This bill will enable the creation of the Cybersecurity Regulatory Authority, vesting with it the authority to enforce regulations, respond to cyber threats, and enhance data protection standards,” he explained.
Now at the Attorney General’s Department for final review, the bill is expected to be tabled in Parliament within a few months, according to Weeraratne. It will complement the Cybersecurity Strategy, ensuring comprehensive legal and operational measures to combat cybercrime.
Balancing net neutrality and cybersecurity
The introduction of a cybersecurity legislation has raised concerns over the sustenance of net neutrality, which means that all users of the internet will be accorded equal treatment regardless of the content, website, or platform. Weeraratne quashed this fear, stating that SLCERT and the Government were committed to maintaining net neutrality, ensuring open and accessible internet for all.
However, the Cybersecurity Strategy emphasises the need to protect data from cyber threats. “While we support an open internet, safeguarding personal and national security is equally important,” added Weeraratne.
While the Cyber Security Bill focuses primarily on enhancing the security of digital systems, it indirectly impacts how data is protected. For direct regulation of data collection and usage by companies, including social media and online marketing platforms, the Personal Data Protection Act (PDPA) remained the governing framework, the Deputy Minister explained.
“The PDPA outlines rules for collecting, storing, and sharing personal data by corporate entities including social media platforms and online marketing companies, ensuring responsible practices by companies,” he clarified.
A unified approach to cybersecurity
The insights from Damunupola and Weeraratne illustrate a unified approach to strengthening Sri Lanka’s cybersecurity framework. Through strategic planning, legislative action, and public engagement, the Government is taking significant strides to secure its future through digital infrastructure.
The Sunday Morning also questioned Damunupola on whether SLCERT was adequately funded to address the concerns of cybersecurity, to which he responded affirmatively, stating that the Ministry of Digital Economy, falling under the ministerial responsibilities of President Anura Kumara Dissanayake, was the entity under which it operated.
He also claimed that several more projects were in line to be implemented, such as the National Security Operations Centre which is required for monitoring Government organisations. He however noted that SLCERT currently lacked a mechanism to monitor cyber-related risks and patterns in Government organisations actively.
Further, the National Certificate Authority which is in place will be playing a significant role in digital-related infrastructure in Government hardware and information security, including passport-related information, according to Damunupola.
He further shared that when the Cyber Security Act was in place, the Cybersecurity Regulatory Authority would have a vast amount of powers and would be capable of handling all matters related to information security.
As the nation accelerates its digitisation efforts, ensuring the safety and reliability of digital systems is paramount. The proactive measures outlined in the Cybersecurity Strategy and the anticipated enactment of the Cyber Security Bill will play a crucial role in achieving this goal. With continuous improvements and collaboration among stakeholders, Sri Lanka is poised to build a secure and resilient digital ecosystem.