Sri Lanka recently experienced cyberattacks on Government portals, raising concerns over public data security once again. In this context, many experts advocate stronger preventive security measures, better post-incident response and improved public awareness as necessary steps.
Prominent among the recent attacks were the ransomware attack on information technology systems of the Department of Pensions and the National Water Supply and Drainage Board’s (NWSDB) SMS gateway being compromised.
The Department of Pensions has confirmed that the recent cyberattack targeting its IT infrastructure has not resulted in data loss or a disruption to services. The NWSDB has also confirmed that no data breach occurred during the attack on its SMS gateway.
Confidentiality not preserved
Digital Trust Alliance President Lakmal Embuldeniya highlighted the challenging nature of preventing cyberattacks in today’s digital landscape. From a Government perspective, he emphasised the need for a comprehensive audit of existing information systems and services within every Government organisation, which would provide a clear understanding of the systems and applications each organisation relies on.
He noted that before the Covid-19 pandemic, software development in Sri Lanka had not adequately prioritised security, focusing instead on performance. The Security-First or Security by Design approaches emerged more prominently in the post-Covid-19 era.
“No one is completely secure at any given time with how the world is evolving and data breaches can sometimes be unavoidable. However, it’s essential to have a mechanism to share that information with the public and take necessary actions afterwards to minimise the impact,” he said.
Referring to the recent incident involving the Department of Pensions, Embuldeniya explained that sensitive information, including bank details, contact information, and even family data, was now exposed. He stressed the necessity of building public awareness while acknowledging that a breach had occurred.
This includes notifying individuals about the specific information compromised and advising them on precautionary steps, such as implementing additional security measures and changing any compromised security details.
He also observed that in recent attacks, across both private and public sectors, arguments had been made that there was no threat to operations and no data loss.
“When it comes to ransomware attacks, the CIA triad (Confidentiality, Integrity, and Availability) must all be addressed. While recent incidents may have preserved the availability element, the information has already leaked, meaning the confidentiality aspect has not been preserved or addressed. In ransomware, various backend activities occur, such as selling or using compromised information for subsequent attacks,” he noted.
Infrastructure, resources and human capital
Commenting on infrastructure and resources, Embuldeniya explained that the public sector faced a shortage of cybersecurity resources.
“One suggestion I have made to the Government is to convert Sri Lanka’s ICT service staff into information system auditors so they can begin auditing their own systems. Currently, the process often involves simply procuring systems. It’s crucial to upskill or even re-skill where necessary, to a certain level, as the Government lacks the capacity to effectively tackle these cyberattacks,” he added.
According to Embuldeniya, while key ministries are equipped with appropriate infrastructure, the weakest link in cybersecurity remains the human element. Therefore, state-of-the-art equipment alone is ineffective without suitably qualified human resources to manage it.
He also noted that even the Central Bank of Sri Lanka (CBSL) needed to address incidents more effectively. The CBSL’s role primarily involves regulation and reporting, rather than necessarily focusing on preventive actions.
Lack of enforcement, development and compliance
Meanwhile, speaking to The Sunday Morning Business, cybersecurity expert Asela Waidyalankara highlighted the importance of recognising the value of public data. He stressed that the security of this data was essential and that the lack of system upgrades was a significant concern.
The private sector, he noted, typically upgraded technology on a five-year lifecycle, investing to ensure information, technical environments, and infrastructure were secure and adhered to international standards.
The baseline international standard for information security management adopted by Sri Lankan organisations is ISO/IEC 27001. According to Waidyalankara, pursuing ISO 27001 compliance is a viable option for minimising cybersecurity incidents for the Government sector as well, as it requires a series of external audits.
The Sri Lanka Computer Emergency Readiness Team (SLCERT) has developed Minimum Information Security Standards (MISS) to safeguard Government information and IT systems. These standards are based on global best practices, including alignment with ISO 27001.
MISS provides advice, guidance, and security controls to help government organisations achieve cyber resilience, integrated into a broader Information Security Policy Framework for Government Organisations.
Waidyalankara pointed out that despite being included in a Cabinet decision, SLCERT lacked the capacity to enforce MISS, adding that there were no consequences for non-compliance among Government organisations.
He added that IT governance, which is the oversight and management of information technology systems within an organisation, was another key issue. He said that many Government organisations had only marginal IT governance, or else their IT systems were headed by non-technical officers.
“This is a recipe for disaster. There is marginal IT governance, no enforcement of standards, and no consequences. Systems are being maintained in this context. While not all Government systems showcase these deficiencies, this pattern can be observed,” he noted.
Waidyalankara also highlighted the delay in implementing the Cyber Security Bill as a concern. SLCERT is not established as a statutory agency, and with the cybersecurity landscape evolving, he highlighted a clear need for a national agency responsible for cybersecurity policy direction and enforcement in the country, which the Cyber Security Act was intended to establish.
“There is also the requirement for institutional capacity building, addressing human resource constraints within the Government sector. Unless these variables are addressed in a holistic manner, various data breaches will continue to occur,” he added.
Waidyalankara further noted that this was especially critical as the Government aimed to accelerate digitalisation. Furthermore, it is taxpayer money that is used to fix each cybersecurity breach within the Government sector. He stated that, on that basis alone, more emphasis must be placed on cybersecurity.
Strengthening SLCERT
SLCERT primarily focuses on protecting Government legal infrastructure. SLCERT Senior Information Engineer Charuka Damunupola noted an increase in cyberattacks and data breaches affecting Government information systems and databases.
According to Damunupola, a closer look reveals that a key underlying issue is the lack of regular and effective security vulnerability assessments for many of these systems. He emphasised the importance of patching these vulnerabilities promptly.
Damunupola further noted that SLCERT had already issued guidelines for developing web applications, yet added that adherence to these guidelines was not consistent.
“We have issued an information and cybersecurity policy specifically for all Government organisations, supported by a Cabinet directive for its implementation. Information policies, backup policies, password policies, and numerous other factors must also be considered when strengthening the security of information systems,” he noted.
Furthermore, SLCERT has advised heads of organisations to allocate resources, human resources in particular, for implementing these policies internally. Damunupola added that the Cabinet directive also mandated annual audits by the National Audit Office to assess the progress of these implementations.
However, he also pointed out that Sri Lanka was still awaiting the passage of the Cyber Security Bill. Hence, SLCERT currently lacks the enforcement authority to establish these standards within Government infrastructure, which is a challenge to strengthening cybersecurity.
Damunupola further noted that SLCERT currently operated with a small team and was focused on the passing of the Cyber Security Bill. Once enacted, it will enable the establishment of a cybersecurity regulatory authority/cybersecurity agency, under which all cybersecurity-related agencies, such as SLCERT and the Data Protection Authority, will operate.
“Additionally, the National Cyber Security Operation Centre, which is already in its initial implementation phase, will be established within the coming months to enable the active monitoring of cyber threats within Government organisations, with the first phase targeting critical infrastructure organisations.
“All these entities will be integrated and necessary resources will be recruited, contributing to the overall strengthening of Sri Lanka’s cybersecurity mandate,” he observed.
‘Data is the new oil’
Commenting on human resource capacity in cybersecurity, Government ICT Professionals’ Association (GICTPA) Chairperson Thilina Panduka observed a significant disparity between the private and public sectors, with the private sector being better equipped to ensure security.
“While the private sector invests in cybersecurity, there is unfortunately a lack of investment and Government funding in the public sector. Moreover, while prevention is certainly better than cure, once these incidents occur, it’s essential to address post-incident concerns and raise awareness regarding what to avoid and how to mitigate risks,” he noted.
Addressing the recent attack on the Department of Pensions, he observed that the authorities had simply issued a media release stating that the data was intact and that an investigation was underway. However, a ransomware group had already copied and offered the data for sale, exposing sensitive information that malicious parties could exploit.
This is particularly problematic for financial activities, where attackers use leaked data to manipulate unsuspecting individuals into revealing One-Time Passwords (OTPs). Furthermore, Panduka pointed to the NWSDB’s text gateway being compromised and the absence of clear guidance on actions to take following the incident.
“As the Government, there should be an acknowledgment of the incidents that have taken place, along with knowledge-sharing and awareness sessions for the public, outlining the dos and don’ts,” he said.
Panduka also observed delays related to policies and acts concerning data protection and cybersecurity. He added that in every institution, if customer or public data was collected, there must be compliance steps and rules to ensure its security, further noting, however, that many were not adequately informed in this regard, nor was there enforcement.
According to SLCERT, the IT head of each Government institution should be a Chief Information Officer (CIO), with a Chief Information Security Officer (CISO) at each level. Panduka stressed that these positions must be filled by properly qualified individuals, adding that more human resources should be invested in these categories based on identified gaps.
Public data, shared institutional data and personal data
Speaking to The Sunday Morning Business, digital trust advocate and University of Sri Jayewardenepura Department of Information Technology Head Prof. Lasith Gunawardena emphasised the importance of safeguarding public data while promoting digitisation in the public sector. He stressed that sensitive information must be securely protected and encrypted to prevent cyberattacks and data leaks.
However, he also noted that data protection should not come at the cost of sharing of data among Government entities.
“Not all data is personally identifiable. Some information should remain legally accessible in the public domain for transparency and accountability. There is a lack of a uniform data-sharing policy across Government institutions at present,” he said.
To address this, Prof. Gunawardena proposed a classification of data into three levels. These include public data, which is non-sensitive information that should be openly accessible to the public, such as the number of pension recipients, aggregated demographic statistics, or summarised datasets related to public services. He added that taxpayers had a right to access such data for accountability and informed decision-making.
He described shared institutional data as data that is not personally identifiable but should be shared securely among institutions, such as between the Inland Revenue Department (IRD) and the Department for Registration of Persons, to enable system interoperability using Application Programming Interfaces (APIs).
Prof. Gunawardena also addressed restricted or personal data, including sensitive or personally identifiable information that must be protected with strong encryption and strict access controls.
“This classification allows for both protection and progress. From a technological standpoint, enabling secure API-based data-sharing, even through paid-access models, is entirely feasible today,” he said.
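The three-tier classification and API-based sharing described above, worked through as an added example (this is not code from the article, from Prof. Gunawardena or from any Sri Lankan agency). It assumes a constructed pension-record schema, constructed sample records for the pensions and tax registers, and a sharing key provisioned between the two institutions; the `MIN_CELL` threshold and the audit log format are likewise assumptions. Public callers get aggregates only, with small cells suppressed; institutional callers get the fields classified as shareable, keyed by an HMAC pseudonym of the NIC so the identity number itself never crosses the API; restricted personal data is released only to a cleared caller with a recorded purpose. Encryption of the restricted fields at rest is outside this example.

```python
"""Classification-aware data sharing for public-sector records.

Added example; schema, records, key and thresholds are constructed.
"""
import hashlib
import hmac
from collections import Counter

PUBLIC, SHARED, RESTRICTED = 0, 1, 2

# Assumed schema: the classification tier of each pension-record field.
# Fields absent from this map are treated as RESTRICTED (fail closed).
FIELD_TIER = {
    "district": PUBLIC,        # released only in aggregate
    "scheme": SHARED,          # needed for inter-institution interoperability
    "nic": RESTRICTED,
    "name": RESTRICTED,
    "bank_account": RESTRICTED,
    "phone": RESTRICTED,
}

# Constructed sample records: a pension register and a second institution's
# register keyed by the same national identity number.
PENSIONS = [
    {"nic": "900000001V", "name": "Perera", "district": "Colombo", "scheme": "civil", "bank_account": "0001", "phone": "0770000001"},
    {"nic": "900000002V", "name": "Silva", "district": "Colombo", "scheme": "civil", "bank_account": "0002", "phone": "0770000002"},
    {"nic": "900000003V", "name": "Fernando", "district": "Colombo", "scheme": "armed", "bank_account": "0003", "phone": "0770000003"},
    {"nic": "900000004V", "name": "Dias", "district": "Kandy", "scheme": "civil", "bank_account": "0004", "phone": "0770000004"},
    {"nic": "900000005V", "name": "Jayasuriya", "district": "Galle", "scheme": "civil", "bank_account": "0005", "phone": "0770000005"},
]
TAX_REGISTER = [
    {"nic": "900000001V", "tax_file": "T-1001"},
    {"nic": "900000004V", "tax_file": "T-1004"},
    {"nic": "900000099V", "tax_file": "T-1099"},
]

# Assumption: a secret provisioned out of band to the two cooperating
# institutions only. Public callers never hold it, so they cannot re-derive
# pseudonyms by hashing guessed NICs.
SHARING_KEY = b"constructed-demo-key-rotate-per-agreement"
MIN_CELL = 3  # aggregate cells smaller than this are suppressed


def pseudonymise(nic, key=SHARING_KEY):
    """Keyed, deterministic pseudonym: both institutions derive the same token
    for one person, the token cannot be reversed, and without the key it
    cannot be recomputed from a candidate NIC."""
    return hmac.new(key, nic.encode(), hashlib.sha256).hexdigest()


def public_view(records):
    """Tier PUBLIC: counts only. Cells below MIN_CELL are dropped so a
    published figure cannot single out an individual."""
    by_district = Counter(r["district"] for r in records)
    return {
        "total": len(records),
        "by_district": {d: n for d, n in by_district.items() if n >= MIN_CELL},
    }


def shared_view(records, key=SHARING_KEY):
    """Tier SHARED: keep fields classified SHARED or below, drop the rest,
    and carry the identity only as its pseudonym."""
    view = []
    for r in records:
        row = {k: v for k, v in r.items() if FIELD_TIER.get(k, RESTRICTED) <= SHARED}
        row["subject"] = pseudonymise(r["nic"], key)
        view.append(row)
    return view


def join_on_pseudonym(shared_rows, other_rows):
    """Link two institutions' shared views. Each side computed its own
    pseudonyms locally; only tokens and SHARED fields are exchanged."""
    index = {row["subject"]: row for row in other_rows}
    return [
        {**row, **{k: v for k, v in index[row["subject"]].items() if k != "subject"}}
        for row in shared_rows
        if row["subject"] in index
    ]


AUDIT_LOG = []  # assumption: in production this is an append-only store


def restricted_view(records, caller, clearance, purpose):
    """Tier RESTRICTED: the full record, only for a cleared caller with a
    documented purpose. Every attempt, granted or denied, is logged."""
    if clearance < RESTRICTED or not purpose:
        AUDIT_LOG.append(("DENIED", caller, purpose))
        raise PermissionError(f"{caller}: restricted data needs clearance and a purpose")
    AUDIT_LOG.append(("GRANTED", caller, purpose, len(records)))
    return [dict(r) for r in records]


def view_for(records, caller, clearance, purpose=""):
    """Serve the most that the caller's clearance allows, never more."""
    if clearance >= RESTRICTED:
        return restricted_view(records, caller, clearance, purpose)
    if clearance >= SHARED:
        return shared_view(records)
    return public_view(records)


if __name__ == "__main__":
    print(view_for(PENSIONS, "citizen", PUBLIC))
    tax_shared = [{"subject": pseudonymise(r["nic"]), "tax_file": r["tax_file"]} for r in TAX_REGISTER]
    print(join_on_pseudonym(shared_view(PENSIONS), tax_shared))
    print(view_for(PENSIONS, "pensions-officer-7", RESTRICTED, "case review 2024/18"))
```

The cell-suppression threshold is the detail most often missed when "non-sensitive" aggregates are published: a district count of one is a personal record in disguise. The HMAC pseudonym is what makes the IRD-to-registration-department exchange possible without either side disclosing its NIC list, and rotating the shared key re-keys every token, which is why a paid-access or partner API should scope one key per data-sharing agreement.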