Critical government institution websites to be made secure after last year’s spate of cyber-attacks
By Sandun Jayawardana
As part of efforts to protect government infrastructure and information systems from cyber-attacks, 40 key institutions which have been identified as having critical systems running on their websites are to be brought under a National Cyber Security Operations Centre (NCSOC), which will be officially launched in the next few weeks.
The 40 identified key government institutions will be covered by the NCSOC in the initial phase. The role of the centre will be to monitor, detect and alert the relevant organisations regarding any potential cyber threats.
“Currently, we don’t have the capability to actively monitor cyber threats against government infrastructure or government information systems. By establishing the NCSOC, we are planning to connect the systems of those organisations to that centre. From there onwards, the NCSOC can conduct 24/7 monitoring for cyber threats,” Charuka Damunupola, Lead Information Security Engineer at the Sri Lanka Computer Emergency Readiness Team (SLCERT), told the Sunday Times.
The NCSOC will initially be an SLCERT initiative. The government, however, is planning to introduce a Cyber Security Bill to Parliament soon. Once that is passed, it will enable the establishment of a security regulatory authority, and all cyber security-related agencies will come under that authority, Mr Damunupola revealed.
There is a Cabinet directive that all government institutions must subject their websites to a security audit conducted by SLCERT before they are launched to the public, he further pointed out, adding that this has not been done in certain instances. “Some institutions haven’t gone through us and most of those sites are outdated. They are not willing to go through with a security audit due to that reason. If you take websites which were recently popular – the national fuel pass, COVID certificate and Aswesuma website have all gone through us before launching to the public,” he explained.
There have been several hacking incidents targeting government websites in recent months, which have exposed critical vulnerabilities in those sites. In some cases, authorities have been forced to set up entirely new websites. This has been the case with the Department of Government Printing, whose website is yet to be fully restored more than a month after being hacked. The Department, however, has now been able to restore some basic functions, consisting of separate tabs containing Gazettes, Extraordinary Gazettes, Acts, Bills and Forms.
Officials from SLCERT, who carried out a security audit of the website following the hacking, had identified several “critical vulnerabilities” that made restoring the old website too risky owing to the possibility of it being hacked again. As such, SLCERT had recommended that the Government Printer set up an entirely new site devoid of these vulnerabilities.
Government Printer K.G.P. Pushpa Kumara told the Sunday Times that setting up a new website will take time as they needed to follow proper procurement procedures to select a vendor to develop the new website. Once the new website is developed, it will be subjected to a security audit by SLCERT prior to going live.
“While it will take time for us to develop a new site, we have all the important documents including gazettes and bills up on the old site now for the public to access. But we obviously don’t have all the features from the previous site since we can’t revert back fully to the old website,” Mr Pushpa Kumara explained.
There was some confusion earlier this week when some who were trying to find the government’s gazette relaxing the import restrictions on vehicles couldn’t locate it on the Government Printer’s website. Mr Pushpa Kumara, though, said this was not owing to any issue with the site. That particular gazette had been uploaded to the website of the Department of Imports and Exports Control and is accessible there, he noted.
Hackers targeted the website of the Department of Government Printing and the social media channels of the Sri Lanka Police in late December. This followed hacking incidents targeting several government websites earlier last year, including the website of the Department of Meteorology and the Ministry of Education.
Investigations into the most recent incidents of hacking of government websites are continuing and no suspects have been arrested as yet, Senior Superintendent of Police (SSP) and Spokesman K.B. Manathunga confirmed yesterday. No arrests have been made over the hacking of the police’s own official social media accounts either. While the police’s IT officers were able to regain control of their Facebook, Instagram, X and TikTok accounts within hours, they were not able to get back the police YouTube channel. The YouTube channel had not been fully restored even as of yesterday, more than a month since it was hacked.
There are many issues with government websites that need to be addressed, said Dasun Sameera Weerasinghe, a software engineer and podcaster. Mr Weerasinghe recently uploaded a video to his YouTube channel revealing that an analysis he conducted on some 700 government websites registered on the ‘gov.lk’ domain showed that about half were not functioning. “Some websites haven’t been updated since 2014. They have been created and left idle. Some are completely worthless now since they don’t serve the purpose they were created for. They should be shut down.”
Mr Weerasinghe said he had made authorities aware of the matter and that the government’s stance on such issues is that it will develop an IT policy and streamline the process, enabling them to issue directives to the relevant stakeholders.
He noted that at present the Information and Communication Technology Agency (ICTA), now under the Ministry of Digital Economy, doesn’t have direct authority over government websites. “Each authority is in charge of its own website. This needs to be addressed so that a centralized body can oversee these websites. The system needs to be streamlined. The IT field is one that is constantly evolving. You can’t take time with making decisions like you would do in normal government business. You need to establish a mechanism where updated information can be directed speedily to the relevant government entities. You can’t go for ad-hoc solutions. You need permanent ones,” he noted.
Mr Weerasinghe stressed it would be unfair to blame the current government over these issues given they have only recently taken over. “We’ll have to give them about six months to see if they address them.”