Sri Lanka is entering into a new era of digitisation. This organic growth has been buttressed by decades of Telco investments and the accessibility of smartphones to the mass market. However, this trend was catalysed during the Covid-19 lockdown period, where the Department of Census and Statistics figures place Sri Lanka’s digital literacy at 59.8% last year and which is expected to reach 70% by next year (2024). Most Sri Lankan corporates including banks chose to ride this newfound “digital wave” to provide product and service offerings to their customers. In turn, citizens growing increasingly digitally savvy, now demand public sector services to have the same level of digital first mindset. Additionally, Sri Lanka’s President publicly announced that Sri Lanka is to accelerate a programme to move the country towards a digital economy.
Therein lies that challenge for Sri Lanka: these developments all point to promising developments that digital Sri Lanka can strive to be at, however, in order to fulfill this vision, there lies a critical cog which appears to be consistently overlooked by Sri Lanka’s policymakers and that is to elevate cyber security from being treated as merely a technical issue and to graduate it to occupy its’ worthy place as a strategic one.
To fulfill its digital aspirations and to become more citizen centric, it is vital that all public sector citizen touchpoints be digital. However, recent events where the “gov.lk” domain (i.e. State electronic mail domain) was subjected to a ransomware incident and the subsequent admission by officials that industry standard backup methodologies were not used due to administrative “errors” casts doubt into the integrity of the Government’s digital infrastructure, ultimately eroding public trust in e-Government systems and initiatives.
However, this is not the first time that the Government of Sri Lanka has faced cyber incidents in their eGovernment systems. The timeline of attacks against Sri Lanka’s State digital infrastructure, since 2016, has seen regular cyber incidents with varying intensity that have been widely reported. But, what is important to understand here is that although it is reasonable to expect that Government digital Infrastructure would be under heightened risk exposure, what draws soul searching questions is what technical mitigation measures have been taken to ensure that the risk is minimised, and if elementary security controls and measures (as in the State email domain hack) have been overlooked by various Government entities that maintain these infrastructure.
In cyber security, we often discuss the three pillars: people, process and technology, as the backbone of any robust cyber security strategy. The National Institute of Standards and Technology (NIST) in the United States reiterates the significance of each pillar in achieving a comprehensive security posture. Reviewing the three pillars is not only about keeping an organisation and in this case, the Government’s own digital Infrastructure secure but to translate this strategy into building a culture of security, where every individual understands their role in defending against cyber threats. This three pillar led strategy is a vital driver to ensure that the Sri Lankan Government drives cyber security as a holistic exercise to uphold their role as the custodian of citizen and State data.
We must also focus on the geopolitical implications of sensitive government data and information being accessed by State or non-State actors. If we revisit the recent incident of the ransomware attack on the State email domain (gov.lk), the breach was detected once the ransomware incident was apparent. According to the International Business Machines, “Cost of a Data Breach Report 2023”, it takes an organisation 197 days to discover a breach and up to 69 days to contain it. Therefore, we can only hypothesise that although the breach in question was detected only when the cyber criminals executed their ransomware, then it begs the question, how long has cyber criminals had access to State email domains? How much of State sensitive information such as memos to the Cabinet of Ministers has been viewed by cyber criminals, have they already “sold” this information in the dark web to State or non-State entities? These types of incidents are not without precedent. In May, 2023, the Reuters own analysis of technical data exposed that Chinese hackers had targeted Kenya's Government in a widespread, years long series of digital intrusions against key Ministries and State institutions, as part of the targeted information was debt owed to Beijing, China, by Kenya and repayment strategies. Sri Lanka too is currently ongoing with its debt restructuring with international partners such as the Paris Club and the International Monetary Fund. Could it be that similar to the circumstances in Kenya? Was Sri Lanka’s State email domains targeted to gain intelligence and insight into the debt negotiation strategies? The answer can be found only upon conducting an intensive digital forensics exercise and dark web analysis in this regard. However, it underscores the importance that cyber security plays in protecting national security.
There have been two notable developments in the legal arena for cyber security in Sri Lanka. In 2022, the Personal Data Protection Act, No. 9 of 2022 was passed in a significant milestone of data protection and privacy, and secondly, the long delayed Cyber Security Bill was published and made open to public consultations with the drafting committee assuring that the Act will be in operation by 2024. These developments will introduce much needed legal obligations for the State and private sector to implement institutional safeguards to ensure that citizen data is both secure and not subject to misuse. However, we must go beyond the legal commitments to ensure that citizens as well as state stakeholders have awareness on the deep implications of being complacent on cyber security.
In an era where the lines between the digital and physical world are blurring, maintaining a strong stance on cyber security is not merely an option, but an imperative.
(The writer is a cyber security thought leader based in Sri Lanka, with more than 15 years of experience in progressive technology, digital strategy, and policy, and qualifications in the legal and technical spheres)
–----------------------------------------------------------------------------------------
The views and opinions expressed in this article are those of the author, and do not necessarily reflect those of this publication.