The COVID-19 pandemic created an immense humanitarian crisis that severely affected almost all countries in the world. Due to the health security measures taken by the governments, it forced organisations and individuals to adopt new practices such as social distancing and working from home.
As a result, more and more people began to carry out their daily transactions, purchases, office administration and even for education digitally and thus became very vulnerable for cyber-attacks. Globally, a majority of the countries including developed as well as developing countries have created their cyber security strategies to prevent or minimise cyber-attacks.
The Institute of National Security Studies conducted a webinar on ‘The Challenges of Cyber Security in Sri Lanka’ with a platform that was sponsored by MAC holdings. The public lecture on the webinar was held on 17 June from 3 to 4 p.m. via Zoom and the guest speaker was Sri Lanka Computer Emergency Readiness Team (SLCERT) Chief Executive Officer Lal Dias. The webinar was moderated by INSSSL Director General Admiral (Prof.) Jayanath Colombage.
Colombage stated that especially during the lockdown period due to spread of COVID-19 the dependence on digital technology by the societies had changed the paradigm of the entire world, with the challenge of being vulnerable to cyber-attacks on individuals, governments and organisations. He cited that recently, there were two major cyber-attacks on government establishments in Sri Lanka. He stated that the Colombo Port was s thriving to become fully digitalised, but one must not forget the vulnerability of stalling the port activities within a very short period if struck by a single cyber-attack. With this preamble Colombage invited the guest speaker Dias to go ahead with his presentation.
Dias initially highlighted that for the last 10 years Sri Lanka has been subjected to several cyber-attacks, but comparatively he sees a decline in the attacks when compared to last year which was 13 compared to this year only three up to now since a task force has been activated to monitor and deal with it.
He stated the reason behind this is, due to weak construction of Government websites with less concern for adapting protective security measures and due to the use of simple and obvious passwords. As a solution, he suggested that sustainable cyber security methods should be adapted by all institutions, companies and Government.
Dias also described the three components of the World Wide Web (www), the surface web which everybody can access, the dark web and deep web. The deep web cannot be accessed by normal browsers and used by companies for crypto transactions, etc. and that it is about 500 times larger than the surface web.
He went on to say that, on the other hand the dark webs are used primarily (80%) for shady illegal activities such as child phonography, sale of drugs, stolen credit card numbers, etc. by the underworld to make money. He also mentioned that it is also used to pass information by whistle blowers and to bypass censorship on social media thus having a few advantages as well.
He then discussed a few preventive measures that could be taken, such as making the staff/employees aware of pitfalls and especially phishing attacks through emails, WhatsApp, etc. which are commonly used. As another preventive measure he discussed that all organisations should have a Cyber Security Policy in place where SLCERT can help to develop them.
He also emphasised that organisations should have a mechanism to continuously monitor their websites, networks, firewalls and do traffic analysis and internal audits and have periodic reviews to overcome such cyber-attacks on their websites. He also added that all Government institutions should have a manager appointed for cyber security who should be independent of the employees dealing with IT in the organisation.
Then Dias discussed the National Information Cyber Security Strategy, stating that Sri Lanka had taken a step ahead than other developing countries in cyber security. He stated that CERT was established in year 2006 and that it was a full member of the Asia Pacific CERT.
The Government of Sri Lanka, committed to keeping the nation safe, secure, and prosperous, introduced the first National Cyber Security Strategy in 2018 to be implemented over five years from 2019 to 2023. Establishment of a Government framework for overall implementation of cyber security in Sri Lanka has been one of the initial thrust points in this endeavour.
He also stated that Sri Lanka has the relevant legislation, policies and standards in place now, such as the Payment Device Frauds Act in 2006, Electronic Transaction Act in 2006, Computer Crimes Act in 2007 and a fully functional Cyber Crimes Unit at the Police CID to investigate cybercrimes.
Sri Lanka CERT has established sector based CERT. As examples CERT for the banking sector, Cert for the Education sector. As a part of the strategy a resilient digital governance and infrastructure was another thrust area that was discussed. With the global shortage of cyber security professionals he stated that he intends capacity building by training employees both in the public and private sector to have a competent workforce for cyber security.
Also another thrust area discussed was the awareness and empowerment of citizens and to improve on public private and international partnerships by developing cooperation among these three segments concerning cyber security
During the Q&A session, it discussed further about the right to privacy, militarisation of cyber security, the advantages and threats of cyber space, measurements and strategies to reduce the vulnerability of the cyber space.