- Cyber Security Authority to enforce mandatory security standards for critical data
- Real-time threat monitoring centre to be set up under SL CERT
- 33 Govt. institutions identified for initial surveillance, including CBSL, IRD
- New authority to be empowered to take non-compliant platforms offline
The Government has revealed plans to establish the Cyber Security Authority and the National Cyber Security Operations Centre (NCSOC) under the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) in order to counter threats to the country’s critical digital infrastructure.
Speaking to The Sunday Morning Business, Deputy Minister of Digital Economy Eranga Weeraratne revealed that, in light of recent controversies surrounding data breaches at several major local companies, the Government was considering the establishment of a Cyber Security Authority to enforce cybersecurity standards.
He also revealed that the Government was considering the development of the NCSOC under Sri Lanka CERT as an institution equipped with real-time threat monitoring capabilities.
“We are considering bringing the Cyber Security Bill, which will look to enforce the implementation of security measures to protect critical data in the country. For that purpose, the Cyber Security Authority will be established to enforce the application of the rules for the protection of all critical data,” he said.
He added: “Sri Lanka CERT can only provide guidelines at present; it can perform an assessment and issue recommendations to those entities. However, it cannot mandate this without fixing existing security issues – the relevant businesses cannot go live.”
Accordingly, he stated that the Cyber Security Authority would be empowered to mandate the resolution of cybersecurity issues and, where necessary, to enforce compliance by taking offenders offline.
“Sri Lanka CERT will continue to make recommendations to address existing security threats. The Cyber Security Authority will enforce the application of these security measures in all these entities,” he said.
The Deputy Minister further revealed: “We are going to build the NCSOC, which will have real-time detection facilities. For this purpose, we will be procuring software solutions to monitor in real time the security and threats to platforms of all critical systems in Sri Lanka.”
According to him, the NCSOC will be established under Sri Lanka CERT and will be its monitoring unit.
He further revealed that 33 Government institutions, such as the Inland Revenue Department (IRD) and the Central Bank of Sri Lanka (CBSL), had been identified as custodians of what he described as “critical” data.
As an initial step, the NCSOC will implement real-time monitoring of these critical systems. Over time, this capability will be expanded to include real-time surveillance of critical data infrastructure across both the public and private sectors.
Weeraratne further highlighted the need to commence the full operation of the Personal Data Protection Act No. 9 of 2022, claiming that the Data Protection Authority would be mandated to ensure that the public data collected would be used for appropriate purposes rather than undesirable ones.