
Winning the war over data

11 Apr 2021

  • Is Sri Lanka’s cybersecurity geared for the future?

The recent Facebook data breach, which involved the personal details of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US alone, was a hot topic of discussion last week. But this is not the first time such a breach has taken place; it has happened a few times in the past few years.

Taking account of this, The Sunday Morning Business took steps to explore, understand, and analyse the situation at hand in the Sri Lankan context and the preventative measures that can be taken in order to stay safe and secure from cybersecurity issues.

What happened on 3 April?

According to Business Insider, the exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and six million on users in India. According to cybercrime intelligence firm Hudson Rock Chief Technology Officer (CTO) Alon Gal, who discovered the trove of leaked data on Saturday (3): “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks (or) hacking attempts,” Gal told Insider.

Gal discovered the leaked data in January when a user in the same hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users for a price. Motherboard reported on that bot’s existence at the time and verified that the data was legitimate. Now the data set has been posted on the hacking forum for free, making it available to anyone with rudimentary data skills.

Will it impact Sri Lanka too?

To understand cybersecurity safety in Sri Lanka, we spoke to Information and Communication Technology Agency of Sri Lanka (ICTA) Chairman Prof. Lalith Gamage, who mentioned that the status of security at the present moment is exceptionally good in comparison to previous years. “As a cyber secure country, earlier we were ranked 98th, however, at present we are ranked 69th, which is a tremendous increase in the cybersecurity level in Sri Lanka with almost 30 positions up,” Prof. Gamage stated.

Clarifying whether Sri Lanka will be impacted by this breach or not, Prof. Gamage noted that Sri Lanka will not be affected. “I also spoke to the Sri Lanka Computer Emergency Readiness Team (SLCERT) on this and they are currently closely monitoring the situation. This has happened previously and there’s nothing to worry about at this point because Sri Lanka was safe during the previous breach too,” he added.

Furthermore, we also spoke to technology consultant Asela Waidyalankara, who also stated that according to his sources, Sri Lanka is out of the danger zone at the present moment. “Fortunately, I think, from the security researchers I’ve got in touch with, it has affected all major countries such as Austria, Australia, the US, the UK, Japan, Italy, etc., and not Sri Lanka,” Waidyalankara said.

What should you do from your end?

From a very young age, we have learned the importance of having a strong password on any account we open online to prevent hackers or any other external threats from gaining access to our accounts.

Speaking in this context, Waidyalankara emphasised the importance of “digital hygiene”, which focuses on maintaining passwords. Explaining in detail, he stated that firstly, passwords shouldn’t be easy to guess or personal, as such passwords leave the account more vulnerable to people breaking into it. Secondly, passwords should be changed regularly.
“What I always say is to consider the rule of thumb when you’re changing your toothbrush; meaning, changing the password with strong characters just as you would change your brush after a few months.”

Thirdly, passwords should not be recycled across accounts, for example, Facebook, work, banking, or what you use for other networks. “If you do this, the password gets compromised since, when an attacker finds a way to exploit one account, then it would also mean that the attacker will have access to multiple platforms, simply due to recycling the password.”

Offering a solution to the password concern people face right now, Waidyalankara stated that users who find it difficult to remember passwords can always use applications or consult password managers with paid services to generate strong, long, and secure passwords.

What are the preventive measures?

Completely avoiding these breaches at this present moment is beyond our control. However, it is not impossible to take precautionary measures. One of them is, of course, leaving social media, which may be hard to do for some people, as almost everyone is attached to it. Speaking on preventing hacks into your account, Prof. Gamage noted that people should change their credentials (passwords) from time to time to prevent hacking at a lower level.

Commenting in this context, Waidyalankara said there are several ways in which precautionary measures can be taken to prevent such unfortunate occurrences.

“I always recommend that you please not share personal information on social media. For example, people those days used to put a picture of their boarding pass on social media. Once, this act resulted in an individual’s boarding pass becoming invalid, as someone had instantly hacked into the system. Social media is a good tool but make sure you don’t compromise your personal information,” he added.
Another option is to check for breaches yourself from time to time at the site https://haveibeenpwned.com/. “You can enter your email address and it will show you a list of breaches that particular email address has been involved with, which will give an understanding on whether your details have been leaked or not,” he said.

Acts in Sri Lanka

Reflecting on this subject, Prof. Gamage stated that a new Cybersecurity Act will be introduced to focus on monitoring online activity. “This is currently being drafted by SLCERT in collaboration with the ICTA presently,” he added.

Meanwhile, disappointed at the current laws on data protection in Sri Lanka, Waidyalankara stated that Sri Lanka has a huge void in this context, as there is no clear mandate, no clear law, and no clear regulation on how the digital data of individuals is managed. “Every day, Sri Lanka’s data is being exploited. For instance, if you look at the election period, people were suddenly bombarded by propaganda from different parties through SMS, calls, etc., but we don’t know how they found the phone numbers nor will they disclose the information – which means that people’s data has been treated badly,” he elaborated.

Explaining the situation further, he stated that he can see a light at the end of the tunnel as the Data Protection Act will be presented to the Cabinet and Parliament. However, even if the Act is passed today, it will take at least two years for that Act to kick in, as time would need to be given for organisations to change their internal processes or systems to make sure they’re up to the mark with the Act. “This is not acceptable to me, as it should be enforced as quickly as possible,” he stated. “If we had a Data Protection Act, we could write to Facebook for mishandling people’s data under ‘Data Sovereignty’. We are missing out on an opportunity to protect our citizens and their data. Hence, the big gap should be addressed,” he added.
Clarifying on both the Cybersecurity Act and Data Protection Act, Prof. Gamage stated that the two acts are different.

Furthermore, speaking to The Sunday Morning Business, ICTA Director and Legal Advisor Jayantha Fernando stated: “A high-level implementation task force has recently been appointed to define the roadmap for the implementation of the Data Protection Bill, and to identify options for the Data Protection Act (DPA) models.” The ICTA Director pointed out that at this stage it would be a formal public document, and further modifications are to be made, while several changes have currently been made to the substantive provisions of the original Draft Bill released in December 2019, including the rearrangement of key provisions. “The changes were based on the feedback of several stakeholders, including the Central Bank of Sri Lanka (CBSL), Attorney General’s Department, and Ministry of Justice,” he said.

According to Fernando, the Data Protection Management Programme requires government departments, banks, telecom operators, and organisations to be accountable for processing personal data as a self-regulatory mechanism, while also instructing government and private sector entities on processing personal data, and imposing penalties in the event of non-compliance.

Conclusion

Sri Lanka’s internet penetration is going to have a critical mass of users online. The internet is sure to see a drastic improvement in the future, as the youngsters right now are named “digital natives” who will require and be dependent on the internet service.

Giving the concluding remark, Waidyalankara stated that the Government currently plans to digitise the National Identity Card (NIC) and other personal information into the cloud system, which is a clear initiative. “But what happens if our data is breached?” he questioned. All our information will be available online and if that happens to Sri Lanka, what measures will be taken and are we ready?

“We are in the Fourth Industrial Revolution and we are playing with fire. We have to move fast. Otherwise, there’ll be grave, grave consequences,” he warned.

