Sri Lanka’s cyber security personal, just like their military counterparts, may work in different teams, but they all share a common objective. Here, cyber forensics training are being conducted for law enforcement officers at the CID Computer Crimes lab, organised by Sri Lanka CERT|CC and sponsored by the British High Commission
Gamini Fonseka’s ‘Nomiyena Minisun’ (Immortal Folks) was perhaps the first movie tribute to Sri Lanka’s war heroes. Screened in 1994, this movie which featured the veteran actor in its lead role too, started with scenes that showed General Ranjan Wijeratne, then Minister of Defence, inspecting the troops. In a way, the movie also hailed General Wijeratne, having been the victim of a terrorist bomb, didn’t live to see victory over the same terrorists in 2009.
Sri Lankans have constantly been respectful and grateful towards the sacrifices made by security forces in difficult periods of history. Fonseka’s movie was the best evidence that respect was there always; it was a genuine feeling and not something initiated by the Government towards the end of conflict through a hastily done advertising campaign.
When national security was at stake, Army, Navy, Air Force and Police leaderships and personnel have gone far beyond their typical duties to bring normalcy to the nation. Given that everybody can be or should be on battleground, we all can do the next best. Collectively appreciating the efforts of those who make such commitments, that is.
The battleground, please note, is not just any more on the ground. It has been moving over the time. In the wake of current digital transformation, what happened on the ground is increasingly progressing to cyber platforms. While sophisticated Information and Communication Technology applications assist us in multiple ways of ensuring security, less focus on the same seems to result in catastrophes as terrorist have been too smart in using such loopholes for their heinous objectives.
Cyber security misadventures
The 9/11 attacks, which took over 3,000 lives in 2001, could have been easily avoided if technology – or rather its users – didn’t let the free world down. They have, in many ways, been a particular disappointment with regard to security.
Before 9/11, there wasn’t a comprehensive terrorism database in USA. There was no wide-ranging data on terrorist organisations and little systematic data on what the government was doing to fight terrorism. Data mining could have shown patterns of the works of terrorists and triggered red lights. Airport scanners were supposed to detect explosives. The operators were probably looking for machines guns, not batteries or trigger devices in particular. Bulletproof and locked cockpit doors simply didn’t exist in commercial air travel so the terrorists took the control of airplanes with least effort. Simply if everything worked right in that digital battleground 9/11 wouldn’t have happened.
The other, perhaps less discussed, aspect is safeguarding the information systems of national importance. These can be military or otherwise. Proper air traffic control, for instance, is essential in ensuring safety in air travel. Commercial banks, following financial regulatory guidance, are constantly in vigil for possible security loopholes in their networks. Information systems of equal importance in the departments of Immigration and Emigration, Personal Identification, Customs, Motor Traffic, Railways, etc. can be manipulated by interested parties, local and international, for their vicious intentions. We do need committed soldiers guarding these. They may not be in uniform or officially a part of a military force. That does not make their task unimportant. They are warriors of a different breed: the cyber troopers.
Computer Emergency Response Teams (CERTs)
Sri Lanka’s cyber security personal, just like their military counterparts, may work in different teams, but they all share a common objective. On 24x7 basis, they assiduously attempt to keep the systems up and running. We know them better as Computer Emergency Response Teams (CERTs).
Let’s start with SL CERT|CC as it comes directly under the Ministry of Digital Infrastructure and Information Technology. Sri Lanka CERT|CC (Computer Emergency Readiness Team | Co-ordination Center) acts as the focal point for cyber security in the island and provides advice about the latest threats and vulnerabilities affecting computer systems and networks, and a source of expertise to assist the nation, in responding to and recovering from cyberattacks. Sri Lanka CERT|CC was first established by the Information and Communication Technology Agency (ICTA) in 2006. It is registered as a Private Limited Liability Company, and since August 2018 it came directly under the Ministry.
SL CERT | CC has been attending complaints received both by organisations and individuals. That number has been rapidly increasing over the last few years. Number of cyber security related incidents only has jumped from 50 in 2012 to 212 in 2017. The types of complaints vary (table 1). One will also note an exponential increase in social media related events for the same period from 1,100 to 3,685 annually.
Then we have what is popularly known as TechCERT, which claims to be Sri Lanka’s first Computer Emergency Readiness Team (CERT). TechCERT was originally formed as a pioneering project of the LK Domain Registry and its academic partners, as a way of providing a safety net for large and small organisations against cyber-attacks and emergency situations. It mandates itself “to provide an effective response and to ensure an appropriate preparedness for computer security incidents and to implement proactive measures to protect the information infrastructure of TechCERT affiliated institutions/organisations and the general public of Sri Lanka.” TechCERT is known for its efficient solutions in the industry and also for conducting cyber security drills for its clients.
Finally, Finance Sector Computer Security Incident Response Team (FINCSIRT) is a specialised service unit that is responsible for receiving, reviewing, processing and responding to computer security alerts and incidents affecting the banks and other licensed financial institutions in the country. FINCSIRT is a joint initiative of the Central Bank of Sri Lanka, the Sri Lanka Computer Emergency Response Team (Sri Lanka CERT) and Sri Lankan Bankers Association; and is hosted under LankaClear (Private) Ltd., the national payment infrastructure provider. It is established as a not-for-profit body to coordinate security efforts within the banking and financial sector, and as an entity steered and funded by the banks, will have the prime responsibility and accountability towards them.
These three outfits currently work largely within their own client domains with little coordination. That has been perfect under normal circumstances. Still with a national security threat ahead, it is essential they work together; pooling all their technical resources.
Cyber Security Bill and strategic framework
Policy framework for such an arrangement is provided with the new Cyber Security Bill, which is current at final draft stage, once agreed by all stakeholders to be presented to parliament in mid-May. This bill, inter alia, creates the legal framework for setting up a National Cyber Security Agency (NCSA). That will be the central apex body responsible for all cyber security activities.
While NCSA is not necessarily a regulator, its power over cyber security is parallel to that of Central Bank of Sri Lanka over banking and financial activities. Under NCSA there will be a National Cyber Security Operations Centre (NCSOC) – the central point for all institutional internal Information Security Operations Centres (“ISOCs” or “SOCs”) which are facilities where enterprise information systems (web sites, applications, databases, data centres and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
In fact, NCSA too is only a part of our overall strategy. As illustrated in the policy document ‘Information and Cyber Security Strategy of Sri Lanka 2019-2023,’ our approach goes far beyond as underpinned by following six pillars:
a. Establishment of a government framework to implement the National Information and Cyber Security Strategy
b. Enactment and formulation of legislation, policies and standards to create a regulatory environment to protect individuals and organisations in cyber space.
c. Development of a skilled and competent workforce to detect, defend and respond to cyber-attacks.
d. Collaboration with public sector authorities to ensure that the digital government systems implemented and operated by them have the appropriate level of cyber security and resilience.
e. Raising awareness and empowering citizens to defend themselves against cybercrimes.
f. Development of public-private, local-international partnerships to create a robust cyber security eco-system.
(Full document can be downloaded from the site www.cert.gov.lk.)
Neither proposed Cyber Security Bill nor the policy framework are the ends. They are dynamic documents that facilitates the current Information and Communication Technology developments in a secure environment. But they themselves highlight the need for readiness. Being proactive, as they say, is thousand times being reactive.
(Ajith P. Perera is the Minister of Digital Infrastructure and Information Technology and Chanuka Wattegama is an academic cum a business writer.)