Mandatory SLCERT recommendations for state websites

By Sandun Jayawardana  

The government is to make it mandatory for state organisations to strictly enforce security checks and recommendations made by the Sri Lanka Computer Emergency Readiness Team (SLCERT) regarding the security of their websites and to fix all identified vulnerabilities.

At present, SLCERT, now under the Ministry of Digital Economy, conducts vulnerability assessments on government websites on request, and makes recommendations to fix identified vulnerabilities. However, adoption of these recommendations is purely dependent on the owner of that website, Deputy Minister of Digital Economy Eranga Weeraratne told the Sunday Times. “We are going to change that and make it mandatory to enforce the security checks and recommendations made by SLCERT, and to fix all the vulnerabilities before the website goes live. There will also be periodical assessments,” he said. He added that it will still take the government some time to properly implement these changes.

It has been found that failure to follow security guidelines recommended by SLCERT had led to many of the hacking incidents and malware attacks targeting government websites, the deputy minister revealed.

Hackers targeted the website of the Department of Government Printing and social media channels of Sri Lanka Police this week.

The Police’s official Facebook, Instagram, X, TikTok and YouTube accounts were all targeted. Police Spokesman Senior Superintendent of Police (SSP) K B Manathunga said their IT officers were able to regain control of all social media accounts bar the YouTube channel within the span of a few hours. However, the YouTube channel remained offline even as of yesterday. Regaining control of the channel was proving complicated since Google, YouTube’s parent company, does not have a presence in Sri Lanka and there is no direct line of communication with them, the SSP said.

Asked why Police are not simply starting up a new YouTube channel, SSP Manathunga said the previous channel already had about 85,000 subscribers. “Creating a new channel would mean we would lose all those subscribers and we would have to start from scratch. That’s why we are very keen to get our old channel back.”

Police were able to identify certain vulnerabilities with their social media channels following the hacking incident and fixed those, he claimed. While action has been strengthened to prevent further attacks, hackers were always trying to exploit the smallest vulnerability, he added, pointing to attacks targeting government agencies in India and the US.

Initial investigations indicate that the hacking of the Police’s social media accounts was carried out by hackers operating from overseas, he further said, adding that hackers advertised a cryptocurrency platform on the social media pages. The matter was being further investigated. The Government Printer too had lodged a Police complaint with regard to the hacking of their website, and a probe into this matter is also underway.

The Department of Government Printing website remained offline yesterday. Those visiting the page were met with the message “This website is under construction.” Government Printer K G P Pushpa Kumara said they were yet to get the go ahead from SLCERT to upload documents to the site and go back online. He said certain vulnerabilities were identified with the site, and that the department was going to do more work towards securing the website. Mr Pushpa Kumara said he and other officials are hoping to meet with those from the Ministry of Digital Economy next week to figure out long-term solutions to better secure the website. He expressed confidence that the website will be back online in the next few days.

This week’s hacking incidents are the most recent among a number of such incidents targeting government websites. The Met Department’s website was offline for several days in November last year after a cyber attack. Meanwhile, the Education Ministry’s website was also hacked in April.

Though there is more media attention on hacking of government websites now, the situation a few years ago was far more serious, said Charuka Damunupola, SLCERT’s Lead Information Security Engineer. He pointed out that some years ago, even the President’s official website and Defence websites were hacked.

He said SLCERT has also identified special dates where hackers will look to target government websites. These include Independence Day, the LTTE’s ‘Mahaviru Day’ and the anniversary of the Easter Sunday attacks. A number of websites have gotten hacked during these periods.

Regarding this week’s hacking of the Government Printing Department, Mr Damunupola said SLCERT was working on introducing a new website to replace the old one as their security audit identified “critical vulnerabilities” in the old website. “There’s a high chance of the website being hacked again if we continue with the old site. Because of that, we recommended not to go with the old site and to develop a new site and launch that to the public.”

SLCERT has already issued website security guidelines for government organisations which also have technical guidelines to the developer for developing the website from scratch, Mr Damunupola added. “If they contain any government information or citizen information, we have issued guidelines that need to be followed by that organisation. In government organisations, some of the web applications are developed by private parties. Even if that’s the case, if those applications contain government and citizen data, they must follow those guidelines.”

One major issue is that most government websites were developed years ago, long before SLCERT set up these guidelines. Many contain older technology and software versions that are now outdated, Mr Damunupola revealed. “They have not kept up to date with the current technology.”

Among the guidelines already issued by SLCERT are web application security guidelines, website security guidelines and minimum information security standards for government organisations. These documents are also publicly available to private organisations through SLCERT’s website and its supplementary website, Onlinesafety.lk.
