Thursday Dec 12, 2024
Friday, 10 December 2021 01:59 - - {{hitsCtrl.values.hits}}
ICTA Chairman and TRCSL Director General Oshada Senanayake
By Hiyal Biyagamage
Information and Communication Technology Agency (ICTA) Chairman and Telecommunications Regulatory Commission of Sri Lanka Director General Oshada Senanayake speaking at the Daily FT-CICRA 8th Annual Cyber Security Summit, highlighted the importance of understanding the imperatives of cybersecurity as a nation as Sri Lanka is currently engaged in digitally transforming every facet of people’s lives. Irrespective of being a public or private sector company, Senanayake mentioned that focusing on cybersecurity readiness has to be ticked off with greater clarity and concentration.
A world beyond 5G
Although we are looking at 5G and the new phenomena surrounding 5G and other emerging technologies, Senanayake said it is also important to focus on the key imperatives of the baseline security readiness we have today. He pointed out that the boardroom should be the first to initiate the conversation around prioritising information risk and cybersecurity readiness.
“In terms of corporate governance, typically we have been looking at risk assessment and all other specifics of transparency but how many organisations today put key impetus and prioritise the information risk aspect and the cybersecurity readiness of an organisation? I believe the country has a long way to go on that front and a lot more prioritisation that has to be made from an organisational perspective which has to start from the boardroom.”
“The adage of trusting and ensuring that the IT team of the company should only focus on these matters with a limited budget has long gone. I think if we do not focus on the concept of prioritising information risk, businesses will face significant repercussions,” said Senanayake.
During his presentation, Senanayake recalled the unfortunate events of Sri Lankan websites being defaced by hacktivists. Last May, the official websites of the Ministry of Public Administration, Home Affairs, Provincial Councils and Local Government, Sri Lanka Foreign Employment Bureau (SLFEB) and several other local websites were hacked.
“We all know that for many years, Sri Lanka as a country has faced issues of several Government websites being defaced. This continues to happen. Why is it continuously happening? What is its impact as far as Sri Lanka’s reputational risk is concerned? If your main touchpoint is the consumer, what is the point as an organisation if you cannot protect your digital assets? These are the simplest cybersecurity readiness we can point out as far as our country is concerned.”
Further commenting on the issue, Senanayake said, “Let us not kid ourselves. It is not only the websites. Today, we are part of a digital transformation journey. As we look at the recent black swan situation paradigm, which is COVID-19, what about the application layer? What about the orchestrations of other public services which use technology? How resilient are they?”
“I think what we need to understand is that the risk of your digital infrastructure is real,” he highlighted.
Getting ready from a legislative perspective
Regarding addressing cybercrimes, Senanayake pointed out that the country’s next issue is how ready the state is from a legislative point of view.
“If you look at legislations that require for cybersecurity were not implemented in Sri Lanka up until recently. However, we have been making breakthroughs to get approval from the Cabinet in terms of moving into the next level of cyber defence,” he said.
Last October, the Cabinet approved a proposal by President Gotabaya Rajapaksa to draft a ‘Defence Cyber Commands’ bill and a separate bill of cybersecurity laws outside the defence purview. The two bills, proposed by President Rajapaksa in his capacity as minister of defence and minister of technology, are expected to keep criminal and terrorism-related activity online in check.
The second bill proposed by Rajapaksa is intended to create a regulatory framework for ‘national information’ and a national cybersecurity strategy. This bill will also provide for establishing a Sri Lanka Cyber Protection Agency to work in conjunction with other agencies.
“I believe it is not just about legislation coming in. Now it is the time that organisations also need to reimagine a culture change and how these legislative parameters can be infused into the organisational culture,” Senanayake mentioned.
However, Oshada said Sri Lanka still has a very poor cyber resilience framework in public and private sector organisations.
“If you look at the country threat vectors, you will understand these threat vectors are not siloed only to the institutional networks. You have to look at the consumer level as well. We have a high mobile internet penetration in Sri Lanka. If you look at mobile broadband connections, we are at 17.9 million connections. We have 2.6 million fixed broadband connections. These numbers mean that there are a significant number of devices that could be exposed to these threats. If you take a Zero Day threat, it could be all set to exploit millions of devices across the country.”
Sri Lanka has advanced in the National Cyber Security Index from 98th in 2020 to 69th in 2021. The National Cyber Security Index (NCSI) is a global index that measures countries’ preparedness to prevent cyber threats and manage cyber incidents. Sri Lanka has secured 69th place this year out of 160 countries. This is an improvement of 29 positions compared to last year.
Accordingly, Sri Lanka has developed its capacity in Cyber security policy development, education and professional development, fight against cybercrime and Military cyber operations capacities. The Index report said that Sri Lanka had recorded the 83rd position in the Global Cyber security Index, 117th position in the ICT Development Index and 63rd ranks in the Networked Readiness Index.
“What is important is that as a country, we have ensured that we have released baseline security standards that organisations can use. If you look at the public sector, we have dictated terms, but it is about adoption at the end of the day. If there is no adoption, no baseline security standards could be introduced. It is not going to help the country’s efforts in ensuring our cyber resiliency,” opined Senanayake.
A robust asset strategy and capacity building
The next most important factor, according to Oshada, is to develop a comprehensive asset strategy to enhance Sri Lanka’s cybersecurity readiness. He said the Cybersecurity Act would ensure that the country has the required framework to springboard from. Furthermore, he spoke about the importance of developing local cybersecurity talent, which is of utmost importance today.
“More importantly, we need to look at capacity building in terms of execution. How many cybersecurity experts could we find out if we put out an advert? We need to build capacity and train people, but that has to take a holistic approach. Cybersecurity cannot be looked at from a theoretical angle; it has to be looked at from a practical perspective. If we are facing a country-wide cyberattack, how ready are we? What sort of human capital do we have?”
He brought the example of the LK domain being attacked during the first half of 2021. He stressed why it is important for the country to have skilled professionals to assess certain situations and prepare for future attacks.
“Up until today, we have been only facing seasonal attacks on the website level that were simple exploits due to not updating your back-end system components. However, in early 2021, a mysterious group of hacktivists has poisoned the DNS records of several Sri Lankans (.lk) websites and redirected users to a web page detailing various social issues impacting the local population. These included some critical infrastructure sites of the country. .LK domain is the country’s core component, and we are talking about our national DNS servers. We need to go beyond that situational analysis and assess what we have done post mortem to be ready for the next wave of attacks,” said Senanayake.
The rise of the telcos
Senanayake also discussed how the telecommunications industry has evolved and the enormous number of services provided through telco providers, including data centre ecosystems and cloud services. Also, he spoke about the sector moving onto the paradigm of 5G.
“5G is not just about enhancing mobile broadband. It will talk about massive machine-type communications and ultra-reliable and low-level latency. Furthermore, the enablement of IoT (Internet of Things) is cutting across numerous sectors. We will be using a myriad of connected devices in the future, both in your home environment and workplace. This means that cybersecurity resilience has to cut across those facets as well.”
With 5G, he said there are new and potentially greater security risks to consider as cloud, data and IoT threats merge. Operators point to an increased attack surface as a key challenge. According to him, the pandemic has only intensified these issues, especially the risk of ransomware-related breaches. Yet, operators admit that insufficient knowledge or tools to deal with security vulnerabilities are a greater challenge.
“However, there are ways to mitigate these risks. Most importantly, organisations with a mature, security-first mindset are most ready to adopt emerging technologies like 5G. If your customers do not have a security-first culture, help them build one with solutions and services that cover all the bases, including incident response experiences that test their ability to respond to a threat. Furthermore, with 5G comes rapid innovation, change and complexity that, in turn, drives rapid innovation, change and complexity in security threats—which is where MSSPs shine brightest with innovative solutions and expert advice,” said Senanayake.
AI and its impact on cybersecurity
Senanayake also spoke about artificial intelligence and its impact on cybersecurity. Artificial Intelligence (AI) is gradually being integrated into the fabric of business and widely deployed across specific application use cases. Not all sectors are equally advanced; however, the information technology and telecommunications sectors are the most advanced in AI adoption.
“As a general-purpose, dual-use technology, AI can be both a blessing and a curse for cybersecurity. This is confirmed because AI is being used both as a sword (i.e. in support of malicious attacks) and as a shield (to counter cybersecurity risks). With an additional complication: while the use of AI for defensive purposes faces several constraints, especially as governments (and the European Union) move to regulate high-risk applications and promote the responsible use of AI, on the attack side, the most pernicious uses are multiplying, the cost of developing applications is plummeting, and the ‘attack surface’ is becoming denser every day, making any form of defence an uphill battle.”
“Machine-learning and deep-learning techniques will make sophisticated cyber-attacks easier and allow for faster, better targeted and more destructive attacks. The impact of AI on cybersecurity will likely expand the threat landscape, introduce new threats and alter the typical characteristics of threats. Besides, other than introducing new and powerful vectors to carry out attacks, AI systems will also become increasingly subject to manipulation themselves,” mentioned Senanayake.
Speaking about cloud security, Senanayake said concerns over data exposure have made cloud security a priority. However, he said cloud security is a shared responsibility between the vendor and the organisation.
“The challenge lies in balancing an organisation’s need for agility with the need to improve the security of applications as well as that of data as it moves between various clouds, gaining visibility and fighting attempts to exfiltrate data – whether from external locations or through lateral attacks – across all locations where applications and data reside. A number of different teams within an organisation could be responsible for cloud security: the network team, security team, apps team, compliance team or the infrastructure team. However, cloud security is also a shared responsibility between the broader organisation and its cloud vendor,” he said.
Global leader in payments Visa and technology giant Huawei Technologies were the Strategic Partners. Banking partner was NDB and Official payment network was LankaPay, whilst the creative partner was Triad.