As Sri Lanka deals with the second wave of the coronavirus and its economic impacts, a somewhat novel aspect of the new status quo is our increasing dependency on Digital Services. Many of which, we have come to stability, continuity, and convenience. A notable change in this aspect is the shift of key private and government services to digital. However, as we keep shifting our critical operations to cyberspace, we must impress upon and be cautious about the impact of cyber crime. More extremely, we must address the risk of cyber terrorism towards business continuity and national security.
In my professional capacity, I have been fortunate to interact with many business leaders, corporate tycoons and Boards of Public Listed companies. Sadly although regular lip service is paid towards cybersecurity; the proof is in the pudding, and our pudding is the stuff of Gorden Ramsey memes. Don’t get me wrong Sri Lanka has capable and talented cybersecurity professionals. Many of whom are regularly picked up by Fortune 500 companies for their excellence. However, it’s the reluctance of top leadership to appreciate and understand the threat of cyber crime & cyber terrorism leaves Sri Lanka vulnerable.
Understanding the threat of cyber crime and cyber terrorism
Sri Lanka has been already marked as a soft target for cyber criminals. According to the 24th edition of Microsoft’s Security Intelligence Report, Sri Lanka recorded the second-highest malware encounter rate at 9.07 per cent in 2019. Despite a 14% decrease, this was 1.7 times higher than the regional average. The report further identified that Sri Lanka recorded the highest crypto-currency mining encounter rate across the region. While a 45 per cent decrease was recorded, from 0.46 in 2018 to 0.25 in 2019, this remained five times higher than the regional and global average. It should be noted that there is an absence of local studies on the subject, which itself is a shortcoming.
The threat remains not only from deadly cyber criminals but also a weakened regulatory system in Sri Lanka. One that will be unable to rise to the challenge. The much-touted Cyber Security Bill proposed under the National Cyber Security Strategy of Sri Lanka, is yet to be presented to parliament. The process that entails publishing it as a Gazette, opening it to be challenged by the public, first, second, and third readings etc. But judging by the quality of parliamentary debates this writer has his reservations whether any viable intellectual debate on this bill.
Addressing the looming threat on the horizon
IF passed the Cyber Security Bill would create the legal framework for setting up a National Cyber Security Agency (NCSA). This would serve as the central apex body responsible for all cybersecurity activities. Even the Computer Crimes Act No 24 of 2007 which is the main piece of legislation on cyber crime in Sri Lanka needs an update. The now 13-year-old act only covers computer-related crimes & hacking offences. It lacks any mention of cross border cyber-attacks. Nor does it define/identify key terms as Phishing/Ransomware. Importantly, it fails to expand on novel cyber crimes that will inevitably occur as technology progresses.
“There are many loopholes under that section. Even though the law is very powerful, it doesn’t have a practical or procedural aspect because of the poor investigating process.” (Ekanayake,2019)
Additionally, Ekanayake (2019) in his research paper highlights another vital aspect. Too often investigative officers and agencies are unprepared and undertrained for cyber crime and cyber terrorism. So, what is apparent is that Sri Lanka underappreciates the threat of cyber crimes both in private organizations and at a state level? We’re setting up a ripe atmosphere for danger to loom.
Back in 2019, just after the horrific Easter Sunday attacks, this writer made a prediction that Sri Lanka is open for a large-scale cyber-terror attack, there are many sectors that could be targeted. Unfortunately, this prediction still stands even at the tail end of 2020. Critical infrastructure such as power and other utilities, telecom networks, financial service providers, etc. They are all still vulnerable to a mass scale coordinated cyber-attack, which would cripple the country.
To overcome this challenge, we as a country must embark on a purposeful measure with public-private partnerships, Cyber Security Education programs and capacity building projects across the state and private sector. There is no box, tool, company or a tender that can fix this threat. It will take a collective effort, political leadership and hard work, and even at the end of that, we can never comfortably say we are safe. But we can say we are prepared.