The frequency of cyber threats in Sri Lanka has become a serious concern for State infrastructure and systems, private organisations, and individuals alike. Several recent high-profile financial scams targeting Government systems, together with a rise in individual bank account compromises, have exposed critical vulnerabilities both in the cybersecurity environment and in the human factor, and these need addressing.
In an interview with The Sunday Morning Business, cybersecurity professional and International Information System Security Certification Consortium (ISC2) Colombo Chapter President Roshan Chandraguptha explained that while Sri Lanka was seeing positive progress in cybersecurity development, addressing these risks required a coordinated focus on people, process, and technology, as well as a layered effort by all stakeholders, in which proactive safeguarding, readiness, and incident handling play central roles.
He noted that while digitalisation was advancing at a rapid pace, cybersecurity measures must improve at a similar pace in order to ensure proper resilience.
Following are excerpts:
How would you describe Sri Lanka’s current state of cybersecurity in terms of people, processes, and technology?
Whenever new technology arrives, the natural impulse globally is to move fast, digitise, and streamline services. Sri Lanka is no different. But for that to work securely, the three pillars mentioned – people, processes, and technology – must all move together.
People must understand the technology they are using – not just how to use it, but how to use it safely and securely. At the same time, in order to protect people, legal and regulatory frameworks need to keep pace. Moreover, technology itself must be made accessible, which is partly a question of investment, and that varies significantly depending on the financial capabilities of a country or organisation.
In Sri Lanka, progress has been gradual but visible. Very recently, for example, vehicle insurance has gone fully digital, which is a very meaningful shift. We were nowhere near this level of digitisation 10 years ago. Therefore, it is moving in the right direction, but there is still ground to cover.
Given the increase in cyber-related issues and looking at Sri Lanka’s overall cyber resilience, what needs the most attention moving forward: people, processes, or technology?
All three need attention, and they need to advance together; it can be problematic if one gets too far ahead of the others. You can deploy sophisticated state-of-the-art technology, but if the users are not trained or aware of security implications, it is only as good as its weakest user.
In practical terms, I think awareness comes first – understanding not just what to do and how to do it but why it is being done, and understanding the security process behind it. On the technology side, the first investment need not be the most sophisticated setup imaginable; it is often a gradual build, starting with what you can reasonably manage, and maintaining strong monitoring and training as you grow.
Cybersecurity is a continuous process; as threats keep evolving, habits need to match that pace.
When a significant breach occurs, what tends to fail first and which areas are the most vulnerable? Is it a matter of early detection, internal escalation, or decision-making at the senior level?
It usually comes back to those same three areas. From a people perspective, many users do not fully understand why certain security measures exist and a function as basic as a One-Time Password (OTP) confuses people. Banks have started including warnings in such OTP messages since the gap in awareness is very real and exploitable.
Beyond the end user, monitoring is critical, and there are two layers to it. The first is internal; where monitoring systems are in place, it is possible to detect unusual activity in one’s own systems before real damage is done. The second is what is known as threat intelligence, which is essentially tracking incidents globally, even if one has not been targeted yet. For example, if a bank learns that other banks are being attacked using a particular method, that is information/intelligence to act on immediately.
It is important that all elements work together. Even if the best technology is available, if the people maintaining it are not properly trained, there is room for accidents and mistakes, which in turn leaves room for further issues. A cybersecurity breach implies that systems are not available for legitimate users, data is stolen, or sometimes money is stolen. From an organisational point of view, there could be penalties from regulators as well.
How effective is coordination between organisations, specifically in the public sector, when it comes to cybersecurity incidents?
The Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), which is the main coordinating body, is tasked with gathering threat intelligence from foreign CERTs and global networks, distributing that information locally, and coordinating cybersecurity incidents.
However, effectively coordinating cybersecurity posture and incidents requires sectoral supporting organisations. Thinking along those lines, Sri Lanka CERT initiated the Financial Sector Computer Security Incident Response Team (FinCSIRT), which connects banks/financial institutions in a shared network, so that incidents or threats targeting one bank can be flagged to other banks/financial institutions quickly.
A similar structure could work for telecommunications, manufacturing, and Government services as well. The idea is a layered model: a national coordination centre with sector-specific groups under it, each focused on its own sector but contributing to the same intelligence network.
Moreover, the pace of change in technology requires policy and process updates to happen rapidly, and therefore a slow, drawn-out review cycle is a liability when the threat environment is changing this fast.
On that point, how well organised is intelligence sharing in Sri Lanka at present?
While it is taking place to a certain extent, it can be more efficient and better structured.
As a country, proper cyber threat intelligence gathering, validating, and sharing mechanisms should be present. One key factor with intelligence sharing is quality control. This means both valid cyber threat intelligence and timely information sharing.
If organisations receive threat intelligence that repeatedly turns out to be false alarms, they might stop trusting the source, and when a real threat arrives, the instinct is to disregard it. Therefore, validation matters in such instances, and information needs to be verified before it is circulated and shared with relevant parties/stakeholders.
How frequently is critical digital evidence already compromised or lost by the time an investigation begins? What can be done to improve the process?
Digital evidence handling is its own field and is easy to get wrong when the response is rushed or uncoordinated.
Through training programmes run by the Council of Europe under the Budapest Convention on Cybercrime, we worked with Scenes of Crime Officers (SOCOs) on exactly this kind of preparedness. Digital evidence can be present even in cases that initially seemed unrelated to cybercrime, and thus first responders need to know how to effectively recognise and protect digital evidence.
When an incident is detected through a monitoring system, two steps are required simultaneously. A technical expert needs to secure the digital evidence while containing the damage. At the same time, that evidence needs to be collected and handed to law enforcement agents for investigation, following a proper process that is accepted in a court of law.
As Sri Lanka is a signatory to the Budapest Convention, which covers electronic evidence collection, processing, and admissibility, the framework is already in place. The question is, with the increased number of reported cyber-related cases, whether there are enough trained professionals in the right places – across Government departments, private organisations, and law enforcement – to actually apply it. This brings us to the broader question of cybersecurity workforce capacity, which is a challenge in its own right.
In terms of workforce capacity, are there skill gaps in the cybersecurity workforce at the operational level? Are we attracting and retaining enough certified professionals, especially in the public sector?
There is a skills shortage globally, not just locally. While new technologies keep emerging, the pace of automation, Artificial Intelligence (AI) included, has not removed the need for human expertise.
In Sri Lanka, universities now offer cybersecurity programmes and there is a pipeline forming. Moreover, professional certifications through organisations such as ISC2 or the Information Systems Audit and Control Association (ISACA) are also covering ground to fill the gaps in the workforce. In the Government and banking sectors, there are now regulations that specify minimum experience requirements for cybersecurity roles. These are steps forward.
However, retention is a separate problem. A skilled cybersecurity professional has options internationally and locally, and if the public sector cannot offer competitive salaries and a clear career path, they might leave in search of better opportunities. That said, we can also see that, at the same time, new talent will always come in.
Which key areas deserve more attention when it comes to cybersecurity investment in Sri Lanka?
The return on investment in cybersecurity is difficult to demonstrate until faced with an issue, which can be a concern when it comes to justifying the spend. Therefore, a better way to think about it is in terms of risk and the potential cost if a data breach occurs. How investment can be prioritised depends on the nature of the data that needs protecting.
For example, the Personal Data Protection Act No.9 of 2022 now requires organisations to protect Personally Identifiable Information (PII), with penalties for non-compliance, while banks and regulated sectors have additional obligations. These create a baseline.
In relation to incident response specifically, the word ‘readiness’ matters, and it is not accidental. Sri Lanka CERT changed its name from ‘response team’ to ‘readiness team,’ since the goal is to be prepared prior to a cybersecurity issue, not just equipped to react after the fact. Therefore, it is important to ensure and maintain the strength of the incident response team.
When it comes to cybersecurity management services, how exposed are Government and public-sector systems to risk from third-party vendors and service providers?
No organisation today runs entirely on its own resources, with almost all organisations outsourcing at least certain services, whether it is software development, infrastructure management, or operations. When a third party is involved, it means access to the systems, data, and sometimes the most sensitive information where applicable.
From a software point of view, the risk from undisclosed vulnerabilities is significant. If a Government department is using software built by an external vendor and a vulnerability is identified, there has to be a proper Service-Level Agreement (SLA) to fix those identified vulnerabilities within preset time frames based on the criticality of the vulnerability. If the vendor takes days to deploy a patch, there is a window of exposure.
This is why vulnerabilities should not be publicly disclosed before a fix is implemented. Therefore, in order to ensure protection, security should be assured across the supply chain.
Moving forward in an era with consistent digital advancement, what does Sri Lanka need to do to be better prepared for large-scale, coordinated cyberattacks?
Preparation is key. That means having improved cyber threat intelligence gathering and monitoring. If an unfortunate incident happens, a detailed response plan is also very much needed.
Reading through publicly available information so far, what we have seen is cyber attacks/attempted data breaches targeted at individual departments or systems. But that is not a reason to wait.
The starting point is establishing necessary basic defences across Government systems, making sure every department has a minimum security baseline and the right people to maintain/manage it, and 24x7 security monitoring in place. Threat intelligence is critical to understanding who is targeting you and how, before incidents happen.
Meanwhile, if an incident does occur, having capable professionals within each organisation who can handle the initial response and know when and how to escalate is essential in order to avoid a wider crisis.
Law enforcement plays a role here too. Sri Lanka’s Computer Crime Act No.24 of 2007 and the Budapest Convention on Cybercrime provide the legal framework to prosecute cybercrime and coordinate internationally, respectively. Law enforcement is essential, as identifying and holding attackers accountable can act as a deterrent, although it cannot stop every attack.
In the end, a safer digital environment requires all stakeholders working in the same direction, including the Government, private sector, professional bodies, universities, and law enforcement, as a single organisation cannot undertake it alone. It is also important to note that people are increasingly talking about cybersecurity and taking it more seriously in Sri Lanka; a coordinated effort can effectively support this progress.