The recent crash of the Lanka Government Cloud (LGC) has reignited debate about Sri Lanka’s readiness to embrace the digital economy, as touted by the incumbent Government.
The incident, which crippled several key e-Government services for nearly a week, has raised pressing questions about the country’s digital infrastructure, technical expertise, and long-delayed cybersecurity framework.
The system failure, which occurred last week, disrupted vital State services across multiple departments, including the Registrar General Department’s vital records system, the Department of Motor Traffic’s e-Revenue Licence service, the Police Clearance Certificate platform, the Department of Commerce’s Certificate of Origin system, the Department of Pensions, and the e-Local Government system.
Even public-facing portals such as those of the Department of Meteorology, Department of the Registrar of Companies, Sri Lanka Accounting and Auditing Standards Monitoring Board, and Information and Communication Technology Agency (ICTA) were rendered inaccessible.
After days of scrambling, the ICTA announced in the middle of last week that all LGC services had been fully restored. The agency assured the public that no data had been lost and that the “security and integrity of data were never compromised”.
The ICTA also emphasised that the highest data protection standards were upheld during the restoration process, thanking Government institutions, the public, and industry partners for their patience and cooperation.
The agency clarified that the disruption was not linked to the ongoing migration to the new and advanced LGC environment, which had been contracted earlier and was yet to be activated. The ICTA confirmed that this new version, designed for higher resilience and capacity, was ready to take over workloads from the existing system through a planned migration exercise.
While the swift restoration of services was welcomed, the episode exposed deep systemic weaknesses in the country’s digital ecosystem — weaknesses that experts say have long been ignored.
A cloud with fragile foundations
The Lanka Government Cloud was envisioned as a foundation of Sri Lanka’s digital transformation strategy. Developed by the ICTA in collaboration with the Ministry of Telecommunication and Digital Infrastructure and other stakeholders, the second-generation LGC (LGC 2.0) was launched with the ambition of creating a centralised, hybrid cloud environment for all Government services.
The project aimed to provide a secure, cost-effective, and scalable infrastructure to host e-Government platforms, public databases, and web services. It was also meant to support big data analytics, serving as a national data management hub.
However, according to Digital Trust Alliance (DTA) President Lakmal Embuldeniya, who was one of the experts involved in the early stages of LGC development, the system’s evolution has been marred by policy instability and poor long-term planning.
“The model was not sustainable; the main purposes of establishing the LGC were different,” Embuldeniya said. “The LGC was initially developed around 2017 aiming to build a national data centre. Several private investors agreed to invest in it based on return on investment. But there was a change in government and the LGC was not properly maintained.”
He explained that the project suffered from multiple political and administrative disruptions.
“During Ranil Wickremesinghe’s presidency, his Budget unexpectedly announced that the ICTA would be closed. That decision discouraged officials who were working on policy matters, and there were no solid directions. The LGC 2.0, which was based on an Oracle solution, could not renew its licence during 2021/’22. Then, under the new Government, there were discussions about an advanced LGC 3.0 that would involve a multi-million-rupee investment.”
Embuldeniya questioned the logic of such an investment given the current limited scale of the system. “Now the question is whether such an investment is worthwhile, as it has only around 400 websites and no critical data stored except for a few key departments such as the Registrar General’s Department, Department of Motor Traffic, and the Police clearance system,” he said.
“We also hear that the Government is planning to enhance the system through a public-private partnership, but there are concerns about how the private companies will be selected.”
Human and technical capacity gaps
Beyond infrastructure, Embuldeniya pointed to a serious lack of skilled IT professionals within key State institutions.
“Most of the officials handling IT-related jobs in Government agencies, including the ICTA, are Arts-stream graduates without initial IT knowledge or expertise,” he said. “There are plenty of qualified IT experts in Sri Lanka, but hiring them would cost at least Rs. 200,000 per month for someone with 2–3 years worth of experience. The Government needs to invest in this expertise.”
He also highlighted another critical structural flaw — Sri Lanka’s dependence on a single power grid. “Once entire key departments are digitised, especially the LGC, they will rely completely on electricity. If there’s a power failure, the operation of the entire country could come to a standstill,” Embuldeniya warned.
The DTA President further noted that discussions about a Government-regulated, private sector-driven cloud model were ongoing, which he described as a positive direction. However, he stressed that the Government must first finalise the long-delayed Cyber Security Bill before expanding the LGC.
“To maintain a national cloud that stores vast amounts of data, the Government must ensure its cybersecurity. The blame game continues between institutions, but the Government has failed to finalise the Cyber Security Bill. Dr. Hans Wijayasuriya alone cannot perform miracles; he needs a proper team to get the job done,” he said.
The Cyber Security Bill
The proposed Cyber Security Bill, which has been in development for several years, is reportedly in its final stages before being presented to the President for approval.
The legislation is designed to create a national cybersecurity framework and establish a Cyber Security Regulatory Authority (CSRA) tasked with enforcing digital security standards, monitoring cyberthreats, and protecting critical infrastructure.
However, despite repeated reassurances, industry experts, legal professionals, and civil society organisations remain uneasy about the bill’s implications for privacy, governance, and digital rights. Much of this concern stems from the bill’s integration with the Defence Cyber Command Act of 2023, which has not been made publicly available despite being frequently referenced in the draft bill.
Under Section 3 of the proposed Cyber Security Bill, the CSRA would be established as a corporate body with perpetual succession and the ability to sue and be sued. Its Board of Directors would include senior Government officials and security representatives, including the Director General of the Defence Cyber Command, the Secretary to the Treasury, and the Chairperson of the ICTA, alongside four presidential appointees.
Section 20 empowers the CSRA to designate any system or network as Critical National Information Infrastructure (CNII), based on its importance to national security, health, or the economy. However, the bill grants wide discretion to the authority in making such designations, with limited transparency.
Experts argue that without access to the Defence Cyber Command Act, it is impossible to fully understand the scope of military involvement in civilian cybersecurity affairs. The lack of transparency, they warn, risks overlapping jurisdictions and may open the door to surveillance and censorship.
Nevertheless, the LGC crash has become a wake-up call for Sri Lanka’s digital governance. While the Government’s push for digitisation aligns with global trends, experts argue that ambition must be matched with robust policy, technical expertise, and institutional coordination.
As the country prepares for the next phase of its digital economy, the successful passage — and public acceptance — of the Cyber Security Bill will be pivotal.
Attempts to contact Ministry of Digital Economy Secretary Waruna Sri Dhanapala were unsuccessful as he is currently overseas. Similarly, multiple attempts to reach Deputy Minister Eranga Weeraratne were also unsuccessful.