Facing the Unseen Enemy
By Shanuka Kadupitiyage
Technological advancements have made a massive impact in the way we live and function as a people. It’s hard to imagine how modern society would survive without technology. It’s been quite some time since the trend of digitisation hit Sri Lanka, and with the ongoing pandemic situation, more and more organisations in both the public and private sector are ‘going online’, shifting to digital platforms.
Although digitisation continues to happen throughout Government and private institutions, each year, news of cyber attacks on Government websites and major companies have been increasing. One of the most memorable recent events is the report of a local teenager hacking into the President’s official website, as reported back in 2016.
The latest major digital breach comes in the form of the now famously known ‘.lk hack’, where many websites under the .lk domain were subjected to malicious redirects.
Under such circumstances, a few questions would naturally arise within the inquisitive mind.
- What is a cyber attack?
- Why are they dangerous?
- Is Sri Lanka truly capable of protecting itself in the digital frontier?
- How can I protect myself from being hacked digitally and encountering a major breach in the system?
In order to find answers to these questions, Ceylon Today reached out to Asela Waidyalankara, who is one of the leading individuals in the country’s cyber security industry, acting as a consultant to many of the country’s leading organisations.
An unseen threat
Any basic school textbook on computer science would reveal that there are many kinds of cyber attacks, but each and every one of them have one thing in common; they disrupt an existing computer system or digital infrastructure from their natural function. Asela was quick to point out how devastating such an attack could be for a country.
“A country has what is called Critical National Infrastructure (CNI) which must be identified. For example, key Government websites such as the President’s, the Prime Minister’s, the Treasury’s and Finance Ministry’s are some of them,” he said.
“Then we have critical national infrastructure of the country. One of which is the national payment gateway, Lankaclear. Its function is to control all the real time fund transfers between banks. Imagine if that system is affected and inter-bank transfers come to a halt for just one day throughout the entire nation. It could completely disrupt the country’s financial system.”
Asela pointed out that the same could be said about telecommunications providers such as Dialog and Mobitel, as well as the CEB.
“Every single one of these are a critical aspect of the country’s functioning,” he said, pointing out that even if these systems are disrupted for one hour throughout the country, massive chaos would ensue.
“Imagine if there is an attack to more than one of these systems, the result will be devastating. It will be more devastating to the country than Easter Sunday was,” he added.
Needless to say, while Sri Lanka still hasn’t made the jump into being fully digitised as to the like of Singapore, it’s true that even the systems that do exist today are essential for our lives to the point that just a few hours of disruption could cause massive economic damage. The threat is even more dangerous because the disruptor seldom has to physically be present to cause the damage, able to do all this safely from a location of their liking.
Threats we cannot ignore
Sri Lanka’s movement towards digitisation is only in its initial stages. However, Asela pointed out that although going digital is a beneficial thing; not taking the proper precautionary measures to protect those systems could lead to some catastrophic incidents.
“For example, there is the electronic NIC project, which has been ongoing for a long time in digitising the peoples’ NICs. Imagine if this project is completed a few years down the line.
What security measures should be in place to protect all that data?”
Asela pointed out a similar project which was conducted by the Indian Government called the Aadhar system, which has the biometric data (fingerprints, facial recognition), bank account information and personal information of over 1 billion Indians.
“That system got hacked and all the details of those citizens were exposed online in a way which was very similar to what happened with Facebook recently,” he said. With the personal information of millions of people made public, the people were put at serious risk. Asela pointed out how crucial it is to have the proper protection and security measures in place before moving towards digitisation.
“The State must ensure that all our national digital assets and our national infrastructure are secure and not vulnerable for attacks,” he concluded.
Asela was quick to point out that Sri Lanka is very primitive in the context of cyber security protection within the State and of its citizens. He believes the lack of attention given by policy makers and State institutions is the main cause for this current state.
“There are countries, even companies that are much more advanced than us and much wealthier than us, even up to ten times the worth of Sri Lanka’s GDP. These companies spend millions of dollars, sometimes even billions on cyber security, and still they have been hacked and breached regularly,” he said.
A dangerous possibility
Asela finds this a massive danger to the safety of the Sri Lankan people.
“If you look at the history of cyber attacks in Sri Lanka, you might notice that every year around Independence Day or Victory Day we see a cyber attack usually happening in Sri Lanka,” he explained.
“The attacks we see today are very simple ones such as rerouting web traffic, and could be compared to childish pranks. But that’s just today.”
“Just as terrorist groups start from small, simple attacks, then eventually mature into becoming a major terrorist organisation with devastating, complicated attacks on people, these small cyber attacks are bound to escalate,” he pointed out.
“If this trajectory continues, it would be no surprise if a very sophisticated cyber attack does happen a few years down the line,” he warned.
Based on data from the 24th edition of Microsoft’s Security Intelligence Report, his article points out that Sri Lanka recorded the second-highest malware encounter rate in 2019 despite an actual decrease in reported numbers, which clearly indicates Sri Lanka is indeed vulnerable and an easy target for cyber attacks.
With the recent .lk domain attack, it is evident that Sri Lanka’s vulnerability to cyber attacks has yet to be addressed. Asela pointed out that a country-specific domain is that nation’s top level domain and is a signature of a product from that country. He agreed that a cyber security breach of that level is definitely a very serious one, and should be an eye opener to the people of Sri Lanka.
“This is a very big problem,” he said. “It is the country specific domain, and because of this, every website that has ‘.lk’ at the end would have been compromised by this.”
What can be done?
Fortunately, Sri Lanka has already begun taking action on addressing these many vulnerabilities. In fact, Sri Lanka’s cyber security strategy has been in the planning stages for many years now, with several initiatives such as the Sri Lanka Computer Emergency Readiness Team/ Coordination Centre (CERT/CC) which plays a vital role in the country’s cyber security strategy. There is also the creation of proper cyber security legislation, which has also been in the works for many years now.
Asela shared his thoughts on the new pieces of legislation which are yet to be enacted.
“We don’t have cyber security legislation in the country and we need it fast. It has been promised in election manifestos multiple times by both major parties, but has yet to be enacted. We need a Data Protection Act as well to have basic protection.”
Besides these, Sri Lanka does have certain legislations in place for data privacy and security, especially in terms of financial transactions over ATMs and online. However, Sri Lanka is yet to have a comprehensive Cyber Security Act legislated by Parliament.
More on this will be discussed in the next article.
Why is it important?
“Without these two Acts in place, we are missing out on a lot of Foreign Direct Investment (FDI) opportunities from global tech companies,” explained Asela.
“We speak to a lot of technology companies who are interested in establishing themselves in the country, who want to invest, but they always say that they don’t want to invest because we don’t have an operating law on data privacy and data protection and we don’t have an operating law on cyber security.”
“Without those two, how would they feel safe in coming to the country and investing? Many organisations in the country such as SLASSCOM are trying to pitch Sri Lanka as a future technology hub but these are the challenges that get in the way of that. This is a big issue.”
“If Sri Lanka is to be the tech hub of the region, we need to have these laws in place. This is especially true as Port City and other international investments start operating in Sri Lanka.
“Easter Sunday taught us that international terrorism can come to Sri Lanka, so why not international cybercriminals? Even now, cybercriminals are operating in our country. Our corporations are being hit every day, even big companies.”
Asela points out that while CERT is playing a massive role in dealing with such breaches, they severely lack the resources in order to address the many cyber security threats in the country.
“CERT plays a reactive function, reacting to cyber attacks that take place, but even then, they are punching beyond their weight,” he explained. “They are understaffed and are still doing the best they can.”
Asela notes that Information Technology is the fourth highest revenue earning industry for the country, with the potential of being the highest revenue earner in the next five years. Pointing out that while the tourism industry is dependent on attracting tourists and was crippled because of the pandemic, the IT industry is more reliable an industry, and has in fact, exploded in growth because of the pandemic. If proper laws and a framework is in place, Sri Lanka is very likely to become a hub for the IT industry and will be a reliable and massive revenue earning industry for the country, generating thousands of new jobs.
A matter of national security
Asela agrees that cyberspace is the new battleground, pointing out that even those international military alliances such as NATO agree that a cyber attack against one nation could very easily trigger a collective response by other members of the alliance.
In a world that is increasingly heading towards seamless integration because of 5G, where the barrier between the digital and real world will continue to blur, Asela points out that it is essential that Sri Lanka takes substantial action now to catch up to protect itself from threats that are imminent and can cause havoc in the country and its economy in unprecedented ways.
“We are at our infancy when it comes to cyber security. Our rankings are very low in terms of it. We must improve on this because we are not lagging behind because of lack of talent.”
“Many Sri Lankans are high level experts and are some of the most brilliant minds in the world of cyber security, working internationally with major companies,” Asela explained.
He notes that the problem lies in the gap between the experts and the State making use of the expertise at hand. Because of the lack of focus by the Government, Asela notes that Sri Lanka is losing its brilliant minds in the field of IT to countries such as Dubai and Singapore, working for either their Governments or high-level companies.
It is Asela’s wish that Sri Lanka gives more attention than the present state to its cyber security, utilising the expertise already available in the country, and providing them with opportunities to elevate the country’s capacity to defend itself from cyber attacks and threats.
He warns that if action is not taken now, Sri Lanka will continue to be vulnerable to a major cyber-terrorist attack, one that could cause long lasting damage to the country and its people far beyond the many terrorist attacks we have experienced so far.