Digital technology is fast becoming the foundation of the future of our society. Setting alarms, trips to the bank, calculations, finding directions on maps; we can do all of these on a single device. Our phones. And it isn’t restricted to phones.
From the government to the military, to private and public businesses as well as individuals, all factions of society are becoming increasingly dependent on technology and using digital means to complete tasks, ranging from simple to complex. This inadvertently results in a lot of sensitive data and information being transferred and stored for operations and development. If such sensitive information becomes compromised and falls into the wrong hands, it could not only cause privacy issues for citizens but may also affect the nation’s national security and cause severe economic losses for the country.
Cyber threats cut across domains ranging from military, citizens, to private and public organisations across the globe. There has been a hike in cyber-attacks during the past five years and occurrences have become frequent in the recent past causing colossal losses to institutions and countries across the world. Research shows that the global number of cyber security incidents recorded in 2015 alone is 59.06 million. A study by Juniper Research estimates that the total annual cost of all data breaches by 2019 will be $2.1 trillion, which is almost four times the estimated cost of breaches in 2015.
Like any other country in the digital era, Sri Lanka also faces many cyber threats. The Sri Lanka Computer Emergency Readiness Team| Coordination Centre (Sri Lanka CERT|CC) received 3907 cyber security related incidents in 2017, which is a significant increase from 2010. This number includes incidents that rose from reported social media-related incidents, which increased from 80 incidents in 2010 to a staggering 3685 incidents in 2017.
Sri Lanka is in a vulnerable position. Currently there is a lack of data privacy laws in Sri Lanka, and cyber security experts say there is no room for Sri Lanka to be complacent and that adequate safeguards through national strategies and policies should be enforced to avert such attacks.
In 2006, the government of Sri Lanka established Sri Lanka CERT|CC as the single trusted source of advice on the latest threats and vulnerabilities affecting computer systems and networks. They are charged with the responsibility of providing technical support in responding to and recovering from cyber-attacks. Sri Lanka CERT was established under the Information and Communication Technology Agency (ICTA) of Sri Lanka, and now operates directly under the purview of the Ministry of Telecommunication and Digital Infrastructure.
As the government has a constitutional responsibility to protect its people, they have commissioned the Sri Lanka Computer Emergency Readiness Team| Coordination Centre with Sri Lanka’s first Information and Cyber Security Strategy to be implemented over a period of five years from 2019 to 2023. The strategy is an institutional framework that aims to create a resilient and trusted cyber security ecosystem that will enable Sri Lankan citizens to have access to safe digital exposure and a facilitate a better future without harm. Sri Lanka CERT has worked with multi-sectoral institutions, banks and utility organisations to create this cyber security strategy.
The Digital Status Quo In Sri Lanka
The detailed analysis of Sri Lanka’s ICT readiness can be found in the strategy brief at slcert.gov.lk. A synopsis shows us that Sri Lanka’s IT Literacy is growing fast, and as a digital government, Sri Lanka is ranked 94 in the United Nations e-government development index (EGDI) among 193 member countries . Sri Lanka’s scores in the online service index and the human capital index are above the global average while the score in the telecommunication infrastructure index is below the global average.
Among the 193 ITU member countries, Sri Lanka is ranked 72 in the Global Cyber security Index (GCI) in the year 2016. The GCI assesses a country’s overall commitment towards cyber security in relation to five different dimensions; namely (a) legal, (b) technical, (c) capacity building, (d) organisational, and (e) cooperation dimensions. Performance in each area is assessed and rated as initiating, maturing, or leading. Sri Lanka’s overall performance is rated as maturing.
The Six Pillars on which the Sri Lanka Cyber Security Strategy rests.
The vision of the comprehensive strategy is to create a resilient and trusted cyber security ecosystem that will enable Sri Lankan citizens to realise the benefits of digitalisation and to facilitate growth. In order to achieve the vision, the strategy looks at 6 areas which have actionable sub operatives for each objective that encompasses the areas that are evaluated against the Global Cyber security Index. These objectives are the following.
- Establishment of a governance framework to implement National Information and Cyber Security Strategy
- Enactment and formulation of legislation, policies, and standards to create a regulatory environment to protect individuals and organisations in the cyberspace
- Development of a skilled and competent workforce to detect, defend and respond to cyber attacks
- Collaboration with public sector authorities to ensure that the digital government systems implemented and operated by them have the appropriate level of cyber security and resilience
- Raising awareness and empowering citizens to defend themselves against cybercrimes
- Development of public-private, local-international partnerships to create a robust cyber-security ecosystem
The strategy implementation is governed by a high-level committee which comprises of the Ministry of Telecommunication and Digital Infrastructure, Sri Lanka CERT|CC, and other key ministries. According to Dr Kanishka Karunasena, the research and policy specialist for CERT|CC, the organisation has begun running nationwide surveys to assess the readiness of the public service infrastructure through the subsidiary NICSA, which is spoken about in the first objective. They have also deployed the plans to use this survey to assess the needs of public servants, from system users to senior management, in terms of awareness, training and education. They have also begun working on creating a network of support from the private sector and donor nations that are willing to invest in the strategy’s next steps.
Having gone through the detailed objectives and the action points set out in the strategy, we find that the strategy is very dependent on the reform of various systems that are not functioning at its best. Therefore there is a cause to question as to what extent is the strategy feasible and whether the set objectives can be completed by 2023. However, Dr Kanishka says that “they are working with a body of legal and technical specialists to compile and formulate an information security policy for government standards and to reform a data protection act that is pragmatic and actionable”. While the first step in a cyber-security initiative is to create this strategy, it is important to see the strategy being carried out within the scope and mandate of the Sri Lankan CERT body.