Two incidents over the last few days, in which bomb threats were made against a critical connectivity node and an administrative services centre by unknown entities, have raised concerns about Sri Lanka’s preparedness to weather cyber intimidation and related disruptions as the island nation traverses a challenging period.
Sri Lanka, recovering from an economic crisis and battered by an unprecedented cyclone, is in a fragile state. Cyclone Ditwah has shown just how vulnerable Sri Lanka is to disruptions. 2026 is destined to be a pivotal year for the island, as hard-won stability and economic gains remain vulnerable to natural and manmade shocks.
Emailed threats received by the Bandaranaike International Airport (BIA) yesterday (28), claiming threats aboard an inbound passenger flight from a Middle Eastern country, had prompted a special security operation and the aircraft was subjected to an inspection on arrival. In a similar incident on Friday (26), the Kandy District Secretariat was targeted by a similar hoax email, which triggered another security sweep of the premises. According to information available in the public domain, initial investigations have pointed to the hoax email sent in the Kandy incident originating from overseas. With Kandy being a tourist magnet, and the BIA being the key entry point for tourists to arrive safely in Sri Lanka, such disruptions, if continued, could create anxiety about Sri Lanka’s ‘Safe’ status, and have a domino effect on the vital industry the Government has pinned its hopes on to aid in economic recovery.
Cyber intimidation incidents should not be taken lightly, nor should a State overreact to them. Effective governance requires the State to be prepared for a range of conventional and non-conventional threats by a range of actors, which aim to disrupt national stability or challenge national interests. As harmless as they seem, cyber bomb threats are increasingly part of the toolkit in ‘Grey Zone’ warfare tactics, globally. They are used to disrupt, distract, and harass. Perpetrators generally want to disrupt normal operations, and threats of violence that generate panic can be an effective method to achieve such. They can be used by a range of State and non-State actors, and emails, due to their scalability and ambiguity, can cause significant psychological and operational impact on soft targets such as public institutions. Such emails can be easily generated, with their origins clouded and layers of jurisdictions added to aid in plausible deniability. As such, it is an attractive tool for a range of actors, from special interest groups to nation-states, to affect a target country or institution. As for the authorities who have to deal with such challenges, they are (especially if unprepared and unaware of such threats) often compelled to respond with maximum capacity, even in low-risk instances, as they can’t comprehend a threat level. As a result, even a perceived low-level threat can trigger a full-scale emergency response, including evacuations and extensive on-site searches, disrupting normal operations and causing significant stress and anxiety among the public.
With efforts underway in Sri Lanka to evolve the State institutions and machinery into the digital age, and create more accessible, easy-to-get services from public services, we are likely to see more cybersecurity threats, attacks, intimidation, and scams. As the public becomes more digitally oriented, they would also be more susceptible to cyber narrative campaigns if they are not adequately made aware of cybersecurity and misinformation challenges.
With both cyber intimidation attempts, though no bombs were found, disruptions did take place. Let us hope that is the last of it. However, it would be naive to think that such disruptions won’t happen again. Sri Lanka must be conscious about the broader threat environment in the region and globally, and be prepared to face such challenges persistently. In doing so, we should ask the Government some important questions: What is Sri Lanka’s playbook on how to deal with such disruptions and cyber intimidation tactics? Do we have one? Do we have a national security threat level that the public and officials can use as a gauge to calibrate their situational awareness? Sri Lanka signed the Budapest Convention on Cybercrime and became a Party in 2015, yet have we developed the required structures and capabilities to use it effectively to fight cybercrime?
Has the State made it mandatory for every public institution or critical infrastructure agency to build institutional awareness on the playbook and the guidelines in it? Should we not have training and drills on how to respond to such issues? Does Sri Lanka have the right cybersecurity, response and digital forensics capacity to effectively detect, deter, and disrupt such operations? Are our national institutions still stuck in their own silos, thinking ‘this is not my job’? The answer to such a question will determine how well we will be prepared for whatever is in store for 2026 and beyond. It is time for the Government to wake up and answer these questions.