News
Digitised govt. sector vulnerable to cyberattacks, but countermeasures woefully inadequate
View(s):- Health information systems require the most urgent attention
By Mimi Alphonsus
“Sorry for unauthorised access to your website but your website has some security flaws,” read a message, purportedly from an A/ Level student who hacked the Education Ministry website earlier this month. The embarrassing incursion that drew attention to cyber security concerns revealed only the tip of the iceberg.
Dileepa Lathsara: CEO of TechCert
The government, encouraged by the International Monetary Fund (IMF) and other agencies, has adopted a policy of digitisation. The state is increasingly storing data such as on health and welfare in electronic format, initiating e-services for payments, applications, taxation and information requests. But with increased digitisation comes the increased propensity for cyber-attacks and experts worry that the government’s “lethargic” attitude to cyber security is putting the public at risk.
Data from the Computer Emergency Readiness Team (SLCERT) shows a rise in cyber security incidents, especially after COVID-19 enhanced digital dependence. The government too experienced notable cyber security incidents including when some domains lost six months’ worth of emails following a ransomware attack last year.
An official at SLCERT who requested not to be named said that lack of awareness is a huge contributor to poor cyber security. “We conducted a survey last year and identified seriously low knowledge about cyber security,” he said. “Additionally, government organisations rarely prioritise and invest in this area.” SLCERT is pushing for every government department, especially those storing data, to appoint an Information Security Officer. While some cyber security measures can be costly and require constant maintenance, others are low-hanging fruit. Getting SSL certification, installing antivirus guards, backing up data, having internal policies on access to data and updating software are basic steps.
But the Sunday Times found that some government websites lacked SSL certification and were using software that had not been updated in years (in one case, even as old as 2016). Lack of up-to-date applications and operating systems is one of the key reasons for website defacement such as the one at the Ministry of Education, according to Dileepa Lathsara, the CEO of TechCert, a private cyber-security company.
The Sunday Times spoke to three experts in the cyber security field. All of them warned that health information systems require the most urgent attention. “The financial sector is somewhat okay, particularly after the Central Bank created new requirements for digital transactions,” explained Mr. Lathsara, “but the health sector is really slacking.”
The theft, manipulation or loss of data such as medical information can have severe consequences on people’s lives. In addition to violating their privacy, compromised health information makes it difficult for experts to notice medical trends in the population and provide care according to individual medical history. Easy access to identity card details and passport numbers, which The Sunday Times, too, found were exposed, can lead to identity theft and the tarnishing of reputations.
Worryingly, the government does not have complete information about cyber security systems at its own institutions. SLCERT conducts security audits on government information systems, but only at the invitation and consent of the relevant department. A cabinet decision from May 2023 requires that these organizations adhere to cyber security measures as laid out by SLCERT, but without the capacity to enforce an audit and penalise violators, websites without even the most basic security measures abound.
It was to address this lack of regulation that a Cyber Security Bill was drafted. After over five years of consultations, the bill has been submitted to the Attorney General’s Department and will soon be implemented, said the SLCERT official. It will create a Cyber Security Regulatory Authority with powers to monitor and enforce security measures.
There has been some movement on legislation. The Cyber Security Bill follows close behind the Private Data Protection Act (PDPA), which passed last year. The PDPA defined the ways in which data can be used and measures that must be taken to protect it.
According to Thanuki Goonesinghe, an attorney-at-law who specialises in technology law, the PDPA enforces data security by penalising those who do not comply to security guidelines with fines. “There is an intentionally open-ended section that requires the Personal Data Protection Authority to set guidelines for data protection from time to time,” she said. “This is a noteworthy step as it allowssome freedom to address emerging concerns.”
Although the PDPA has been passed, it is not yet fully operational as the Personal Data Protection Authority is yet to be established. President Ranil Wickremesinghe appointed the board of directors late last year. “I think the law will become fully operational by March next year,” said Ms. Goonesinghe. “Although it complements the Cyber Security Bill, the question remains how it can coexist with the recently enacted Online Safety Act which contradicts the PDPA.”
The PDPA is meant to be gradually implemented, giving companies time to comply. Ms. Goonesighe feels this is a reasonable approach. But Mr. Lathsara believes the situation is urgent and that there is much to be done outside of regulations.
“There is hardly any budget in the government for IT, let alone cyber security,” he said. “Moreover, professionals are migrating abroad due to the huge demand for cyber security specialists.”Currently, even systems that collect and store large amounts of sensitive data do not have full-time staff dedicated to security.
SLCERT and TechCert both said they struggle to hire and retain employees due to high demand abroad. Some measures have been taken to build capacity for cyber security through education. The University of Moratuwa is the first state higher education institution to introduce a cyber security stream in 2021. It is yet to be seen how the first batch will perform.
Whilst experts push for investments in cyber security alongside the government’s digitisation projects, the public remain largely in the dark. Neville Lahiru, a technology journalist at readme.lk, has followed cyber security in Sri Lanka for many years. He says government institutions and private companies lack transparency with their clients.
“Cyber security incidents have taken place in the government and private sector but a lack of transparency and regulatory pressure gives little incentive for institutions to report these incidents to the public,” he explained. “The general attitude is to sweep things under the rug and pretend it never happened. For incidents on government sites, like the one at the Ministry of Education, SLCERT could share updates with the public on security measures taken in the aftermath.”
Transparency is also crucial when it comes to building IT infrastructure, which is expensive and prone to corruption and mismanagement at the expense of security.
“COPE (Committee on Public Enterprises) hearings found last year that a staggering Rs. 644 million was used by the Medical Supplies Division of the Ministry of Health for an inventory management software that took years to build and doesn’t even work,” Lahiru said. “When the whole thing is problematic, cyber
security concerns are often left as an
afterthought.” By Mimi Alphonsus
“Sorry for unauthorised access to your website but your website has some security flaws,” read a message, purportedly from an A/ Level student who hacked the Education Ministry website earlier this month. The embarrassing incursion that drew attention to cyber security concerns revealed only the tip of the iceberg.
The government, encouraged by the International Monetary Fund (IMF) and other agencies, has adopted a policy of digitisation. The state is increasingly storing data such as on health and welfare in electronic format, initiating e-services for payments, applications, taxation and information requests. But with increased digitisation comes the increased propensity for cyber-attacks and experts worry that the government’s “lethargic” attitude to cyber security is putting the public at risk.
Data from the Computer Emergency Readiness Team (SLCERT) shows a rise in cyber security incidents, especially after COVID-19 enhanced digital dependence. The government too experienced notable cyber security incidents including when some domains lost six months’ worth of emails following a ransomware attack last year.
An official at SLCERT who requested not to be named said that lack of awareness is a huge contributor to poor cyber security. “We conducted a survey last year and identified seriously low knowledge about cyber security,” he said. “Additionally, government organisations rarely prioritise and invest in this area.” SLCERT is pushing for every government department, especially those storing data, to appoint an Information Security Officer. While some cyber security measures can be costly and require constant maintenance, others are low-hanging fruit. Getting SSL certification, installing antivirus guards, backing up data, having internal policies on access to data and updating software are basic steps.
But the Sunday Times found that some government websites lacked SSL certification and were using software that had not been updated in years (in one case, even as old as 2016). Lack of up-to-date applications and operating systems is one of the key reasons for website defacement such as the one at the Ministry of Education, according to Dileepa Lathsara, the CEO of TechCert, a private cyber-security company.
The Sunday Times spoke to three experts in the cyber security field. All of them warned that health information systems require the most urgent attention. “The financial sector is somewhat okay, particularly after the Central Bank created new requirements for digital transactions,” explained Mr. Lathsara, “but the health sector is really slacking.”
The theft, manipulation or loss of data such as medical information can have severe consequences on people’s lives. In addition to violating their privacy, compromised health information makes it difficult for experts to notice medical trends in the population and provide care according to individual medical history. Easy access to identity card details and passport numbers, which The Sunday Times, too, found were exposed, can lead to identity theft and the tarnishing of reputations.
Worryingly, the government does not have complete information about cyber security systems at its own institutions. SLCERT conducts security audits on government information systems, but only at the invitation and consent of the relevant department. A cabinet decision from May 2023 requires that these organizations adhere to cyber security measures as laid out by SLCERT, but without the capacity to enforce an audit and penalise violators, websites without even the most basic security measures abound.
It was to address this lack of regulation that a Cyber Security Bill was drafted. After over five years of consultations, the bill has been submitted to the Attorney General’s Department and will soon be implemented, said the SLCERT official. It will create a Cyber Security Regulatory Authority with powers to monitor and enforce security measures.
There has been some movement on legislation. The Cyber Security Bill follows close behind the Private Data Protection Act (PDPA), which passed last year. The PDPA defined the ways in which data can be used and measures that must be taken to protect it.
According to Thanuki Goonesinghe, an attorney-at-law who specialises in technology law, the PDPA enforces data security by penalising those who do not comply to security guidelines with fines. “There is an intentionally open-ended section that requires the Personal Data Protection Authority to set guidelines for data protection from time to time,” she said. “This is a noteworthy step as it allowssome freedom to address emerging concerns.”
Although the PDPA has been passed, it is not yet fully operational as the Personal Data Protection Authority is yet to be established. President Ranil Wickremesinghe appointed the board of directors late last year. “I think the law will become fully operational by March next year,” said Ms. Goonesinghe. “Although it complements the Cyber Security Bill, the question remains how it can coexist with the recently enacted Online Safety Act which contradicts the PDPA.”
The PDPA is meant to be gradually implemented, giving companies time to comply. Ms. Goonesighe feels this is a reasonable approach. But Mr. Lathsara believes the situation is urgent and that there is much to be done outside of regulations.
“There is hardly any budget in the government for IT, let alone cyber security,” he said. “Moreover, professionals are migrating abroad due to the huge demand for cyber security specialists.”Currently, even systems that collect and store large amounts of sensitive data do not have full-time staff dedicated to security.
SLCERT and TechCert both said they struggle to hire and retain employees due to high demand abroad. Some measures have been taken to build capacity for cyber security through education. The University of Moratuwa is the first state higher education institution to introduce a cyber security stream in 2021. It is yet to be seen how the first batch will perform.
Whilst experts push for investments in cyber security alongside the government’s digitisation projects, the public remain largely in the dark. Neville Lahiru, a technology journalist at readme.lk, has followed cyber security in Sri Lanka for many years. He says government institutions and private companies lack transparency with their clients.
“Cyber security incidents have taken place in the government and private sector but a lack of transparency and regulatory pressure gives little incentive for institutions to report these incidents to the public,” he explained. “The general attitude is to sweep things under the rug and pretend it never happened. For incidents on government sites, like the one at the Ministry of Education, SLCERT could share updates with the public on security measures taken in the aftermath.”
Transparency is also crucial when it comes to building IT infrastructure, which is expensive and prone to corruption and mismanagement at the expense of security.
“COPE (Committee on Public Enterprises) hearings found last year that a staggering Rs. 644 million was used by the Medical Supplies Division of the Ministry of Health for an inventory management software that took years to build and doesn’t even work,” Lahiru said. “When the whole thing is problematic, cyber
security concerns are often left as an
afterthought.”
The best way to say that you found the home of your dreams is by finding it on Hitad.lk. We have listings for apartments for sale or rent in Sri Lanka, no matter what locale you're looking for! Whether you live in Colombo, Galle, Kandy, Matara, Jaffna and more - we've got them all!