Sri Lanka has, through much strife, reached some economic stability and is aiming to push forward towards growth and greener pastures. Almost everyone in Sri Lanka has suffered in some form or the other over the last five years, and many continue to battle austerity measures and poverty. There has been a great emphasis by the new Government and the previous one to ‘digitise’ Sri Lanka rapidly. And rightfully so, most of Sri Lanka’s state services and systems are manual, outdated, and labour intensive. For Sri Lanka to evolve and prosper it must digitise. However, Sri Lanka can ill-afford to not to be vigilant and reactive in the digital world, the slow phase of troubleshooting and responding to threats, disruptions and crises of the bygone bureaucratic era has no place in the fast-moving digital world.
Today, Sri Lanka's critical infrastructure remains highly vulnerable to cybersecurity attacks due to weak systems, outdated practices, culture of operation, an increasingly sophisticated range of threats, rising ransomware and state-sponsored cybercrime. The interconnected nature of these vital systems, making them prime targets for disruptions. Increasingly, Sri Lankan digital State systems, and critical infrastructure are facing more advanced persistent threats (APTs), and data breaches. These threats are becoming more frequent, sophisticated, and targeted. State institutions, their websites and digital-services platforms have all become victims of cyber attacks recently. Banks, both State-owned and Private, and major private corporations have not been spared as well.
Following a spate of such attacks earlier this year, senior cybersecurity officials said: “One of the key problems is the lack of regular security assessments and updates. Websites are often left without necessary security patches, making them easy targets for attackers. In response, we are undertaking immediate steps, including creating awareness and providing training on how to handle cybersecurity-related matters. We have also undertaken restoring compromised systems and analysing log files to identify vulnerabilities.” In early 2025 they emphasised the importance of appointing information officers and assistant information officers in all Government organisations to ensure compliance with cybersecurity policies, explaining that most Government entities had now conformed to the cybersecurity policy of the country, adding that for many of the issues relating to data security and digital platforms, the Cyber Security Strategy 2024-2027, which was in its final stages, would be pivotal. In July, Sri Lanka also launched a National Cyber Security Strategy for 2025-2029.
Sri Lanka needs to pay close attention to our speed of digitalisation, and not try to play ‘catch up’ with the required security measures, that need to progress in tandem to the expansion of our critical digital infrastructure, be it in our telecommunications backbone, core State systems and their networking, or at the retail end, with the platforms, Apps and websites which the public connects with. It is also vital that the island’s critical energy systems, storage-refining-and distribution systems, communications, coastal and national transportation infrastructure, and the banking systems are also looped into a national programme, where vulnerabilities are continuously probed, identified and fixed.
To do so, Sri Lanka must develop a robust set of national cyber security protocols and procedures, built to world-class standards, and with technical expertise from the region and beyond. Sri Lanka can no longer risk considering the ‘lowest price’ during bidding in tenders regarding systems and equipment, infrastructure for our national digital backbone. We need to select vendors based on proven technology, growth potential, and impeccable credentials – which will help the island nation secure our national interest through our digital systems. Sri Lanka should also move to build a multilateral and regional cybersecurity mechanism and legislature. Make no mistake, our digital infrastructure and service will become our new ‘front line’ for security, safety and governance. It would be prudent for Sri Lanka to watch how nations like Estonia, Latvia, Sweden, Finland, Singapore, Israel, and Lithuania have dealt with similar challenges and learn from them. In the future, cybersecurity will be one of the cornerstones of sovereignty, nationhood, governance, State autonomy, order management, democratic practice, and community resilience. That is inevitable as more and more of the younger demography increasingly network, work and play online. Sri Lanka cannot afford to get cybersecurity and resilience wrong; we may not get a second chance to fix it.