 Digital or phishing hub? : SL’s dangerous cybersecurity vacuum


25 May 2026 | BY Barath Arullsamy


A few weeks ago, a complaint was brought to my attention involving a young girl from the plantation sector near Hatton. Like many young Sri Lankans searching for financial opportunity in a difficult economy, she had reportedly been drawn into an online investment and earning platform promising quick returns through mobile-based transactions. What began with a small deposit gradually escalated into repeated payments, manipulation, and financial loss for the family. Unfortunately, this is no longer an isolated incident.

Across Sri Lanka, particularly among vulnerable youth and low-income communities, digital scam platforms, fraudulent investment schemes, and organised cyber fraud operations are quietly expanding. Some incidents are reported to law enforcement. Many are not. Shame, fear, lack of awareness, and the absence of confidence in obtaining legal remedy continue to keep a significant number of victims silent.

At the same time, the country is witnessing cyber incidents at the highest institutional levels. From financial fraud and payment diversion cases involving State institutions to major data breaches affecting banks and public systems, Sri Lanka’s digital vulnerability is no longer theoretical. It is real, expanding, and increasingly dangerous.

Following the recent incidents involving the Treasury cyber payment diversion, the Cargills Bank data breach, and a series of financial system failures across both State and private institutions, it is becoming increasingly difficult to dismiss Sri Lanka’s cybersecurity crisis as a collection of isolated incidents.

Digital system failures

In recent months alone, Sri Lanka has witnessed millions of Rupees and foreign currency losses linked to digital system failures, fraudulent transactions, payment diversions, and alleged cyber intrusions affecting banks, welfare systems, public institutions, and State-linked entities. The alleged diversion of nearly US$ 2.5 million linked to the Treasury’s External Resources Department sent perhaps the strongest warning yet: even the financial machinery of the State itself is vulnerable.

In 2025, the Cargills Bank breach exposed the scale of the problem. Sensitive customer information, including personal identification documents and internal records, was reportedly compromised in what has been described as one of the largest cybersecurity incidents in Sri Lanka’s history. Yet, despite the seriousness of the breach, Sri Lanka lacks a comprehensive Cybersecurity Act with mandatory disclosure obligations, institutional accountability mechanisms, and an independent regulatory authority capable of enforcing national cyber protection standards.

This is no longer merely a technical issue confined to information technology (IT) departments and software systems. It is rapidly evolving into a question of economic security, public trust, digital sovereignty, and governance itself. At a time when Sri Lanka is modernising public services, expanding digital financial systems, and pursuing technology-driven economic reforms, the country appears to be building its digital future on an increasingly fragile legal and institutional foundation.

At the same time, Sri Lanka is witnessing a deeply concerning trend involving organised foreign cybercrime networks allegedly operating within the country through legal and immigration loopholes. Since early 2026, Sri Lankan authorities have arrested hundreds of foreign nationals linked to alleged scam centres, cyber fraud operations, and immigration-related violations. The suspects reportedly include nationals from countries such as China, Vietnam, India, Pakistan, Bangladesh, and Myanmar, with several large-scale raids carried out in Colombo and surrounding areas.

Scam centre operations

In one recent operation alone, more than 150 foreign nationals were detained in connection with an alleged scam centre operating from a hotel facility, while subsequent raids across Colombo reportedly resulted in over 200 additional arrests linked to cyber-related activities. Authorities have also warned of increasingly organised transnational syndicate structures operating through rented apartments, hotels, and temporary business networks.

Reports indicate that many of these individuals entered Sri Lanka through short-term tourist visas before allegedly establishing operational networks targeting victims both within Sri Lanka and internationally. In certain instances, concerns have also emerged regarding attempts to extend or convert visa status while continuing illicit digital operations through locally coordinated structures.

Sri Lanka unquestionably needs tourism, foreign investment, international connectivity, and a globally competitive digital economy. However, a distinction must be made between genuine economic engagement and organised criminal syndicates exploiting gaps within immigration, cybersecurity, and regulatory systems.

The Computer Emergency Readiness Team recorded over 12,650 cybersecurity and social media-related complaints in 2025, a dramatic increase compared to previous years. The trajectory is no longer gradual. It is accelerating.

The growing presence of such operations should not be viewed merely as a law enforcement issue. It is increasingly becoming a broader strategic and regional security concern. Sri Lanka occupies a strategically sensitive position within the Indo-Pacific region, where cybercrime, digital espionage, financial fraud, and transnational illicit networks are rapidly evolving into major geopolitical challenges.

If the country fails to establish robust cybersecurity governance, stronger digital enforcement systems, and coordinated immigration oversight, it risks unintentionally becoming a permissive operational space for transnational cybercrime networks. Such a trajectory would not only damage Sri Lanka’s international reputation, but could also create wider regional implications affecting neighbouring countries, strategic partners, financial systems, and digital trade relationships.

At a moment when Sri Lanka is actively positioning itself as a future digital hub for South Asia, the country cannot afford to operate without the legal and institutional guardrails necessary to protect its citizens, institutions, and sovereignty in cyberspace.

Cybersecurity Act

Despite the scale of the threat, Sri Lanka continues to operate without a dedicated Cybersecurity Act. While the country has introduced laws such as the Computer Crime Act, No. 24 of 2007, the Personal Data Protection Act, No. 9 of 2022 and the Online Safety Act, No. 9 of 2024, these frameworks are either outdated, limited in scope, or primarily focused on areas that do not adequately address the realities of modern cyber warfare, organised digital fraud, critical infrastructure protection, and transnational cybercrime.

The Computer Crime Act itself was enacted nearly two decades ago, long before the emergence of ransomware economies, artificial intelligence (AI)-assisted cyber fraud, cryptocurrency-linked scam ecosystems, cloud-based infrastructure attacks, and large-scale digital financial operations that define today’s threat environment. The Online Safety Act has generated substantial debate largely around content regulation and freedom of expression concerns, rather than establishing a comprehensive cybersecurity governance framework capable of protecting State institutions, financial systems, and ordinary citizens.

What makes the current situation even more concerning is that Sri Lanka has already recognised the urgency of cybersecurity reform at the policy level. The Government has approved the National Cyber Security Strategy 2025–2029, launched the National Cyber Security Operations Centre, and committed billions of Rupees towards digital governance infrastructure, including the Unique Digital Identity project. However, strategy without enforceable law creates a dangerous governance vacuum.

Cybersecurity regulatory authority

For nearly seven years, Sri Lanka’s proposed Cybersecurity Bill has remained trapped within institutional processes despite repeated cyber incidents, growing warnings from experts, and increasing public vulnerability. As a result, the country still lacks an independent cybersecurity regulatory authority, mandatory breach disclosure obligations, sector-specific cybersecurity compliance standards, and clearly enforceable institutional accountability mechanisms.

In practical terms, this means that even when serious cyber incidents occur, there remains no comprehensive legal structure compelling institutions to disclose breaches transparently, implement minimum cybersecurity standards, protect critical digital infrastructure, or face meaningful penalties for negligence and non-compliance.

At a time when Sri Lanka is rapidly digitising its economy, public administration, banking systems, welfare platforms, and citizen services, the absence of a comprehensive Cybersecurity Act is no longer merely a policy delay. It is becoming a governance risk.

Countries across Asia have already recognised that cybersecurity is no longer simply an IT issue, but a matter of economic credibility, sovereignty, and strategic stability. Sri Lanka does not need to reinvent the wheel. The regional models already exist.

Singapore, widely regarded as one of Asia’s leading digital governance frameworks, enacted its Cybersecurity Act in 2018 and strengthened it further through major Amendments in 2024. The Legislation established strict protections for critical infrastructure sectors, mandatory incident reporting obligations, expanded oversight over third-party digital service providers, and strong enforcement powers backed by financial and criminal penalties. Singapore understood early that investor confidence in a digital economy depends directly on institutional trust and cybersecurity resilience.

India has similarly accelerated its own digital governance reforms through the Digital Personal Data Protection framework, banking cybersecurity directives, and stronger regulatory obligations imposed through institutions such as the Reserve Bank of India. Financial institutions are required to comply with strict digital security protocols, mandatory reporting mechanisms, and layered accountability systems designed to protect both citizens and national financial infrastructure.

Sri Lanka itself was the first South Asian country to accede to the Budapest Convention on Cybercrime, demonstrating that the country has historically shown willingness to engage with international cyber governance standards. The challenge today is no longer about understanding the problem. It is about translating policy ambition into enforceable institutional action.

Legislative commitment

Sri Lanka still has an opportunity to act before the situation escalates further. The country possesses the intellectual capacity, institutional foundations, regional partnerships, and international access necessary to build a modern cybersecurity governance framework aligned with global best practices. However, that requires urgency, political will, and serious legislative commitment.

Constructive collaboration

Sri Lanka must begin treating cybersecurity not merely as a technical subject, but as a core pillar of governance and economic resilience. AI, digital public infrastructure, and automated governance mechanisms will increasingly shape the future of the State itself. Without strong cybersecurity architecture, these systems become vulnerabilities instead of opportunities. Sri Lanka has access to valuable global expertise, comparative policy research, and emerging governance models that can assist the country in shaping future-ready cybersecurity legislation and digital governance strategies. Constructive collaboration between policymakers, researchers, technology experts, international partners, and political institutions will be essential in addressing the scale of the challenge ahead.

Progressive political movements should continue supporting constructive reforms that strengthen citizen protection, institutional accountability, responsible digital governance, and long-term national resilience.

Ultimately, the fight against corruption, institutional vulnerability, financial fraud, and organised exploitation is no longer confined only to courtrooms, Parliament debates, or traditional law enforcement operations. Increasingly, these battles are unfolding in cyberspace.

Cybersecurity vacuum

The digital economy presents enormous opportunities for Sri Lanka, from modernised public services and financial innovation to technology-driven entrepreneurship and emerging AI-based industries. However, digital progress without cybersecurity protection creates exposure instead of empowerment.

Sri Lanka cannot aspire to become a trusted digital hub while simultaneously operating within a dangerous cybersecurity vacuum. A country that cannot adequately protect its citizens, institutions, financial systems, and young people from digital exploitation cannot credibly position itself as a secure digital economy.

The urgency today is not simply about passing another piece of legislation. It is about protecting sovereignty, public trust, economic credibility, and regional stability in an increasingly interconnected world. The proposed Cybersecurity Act must therefore move beyond delay and become an immediate national priority. Sri Lanka requires a modern legal framework with enforceable cybersecurity standards, mandatory breach reporting obligations, institutional accountability mechanisms, stronger immigration and digital enforcement coordination, and independent regulatory oversight capable of responding to evolving cyber threats.

At the same time, this conversation must remain constructive. The Government’s ambition to modernise Sri Lanka through technology and digital reform is important and necessary. But ambition alone is not enough. Strong institutions, enforceable laws, secure digital infrastructure, and strategic foresight must form the foundation upon which that transformation is built.

Sri Lanka still has time to act decisively. But the window to act before deeper institutional, financial, and reputational damage occurs is rapidly narrowing. The choice before us is becoming increasingly clear: whether Sri Lanka emerges as a secure and respected digital hub in the region, or develops a far more dangerous reputation as a permissive hub for cyber fraud and digital exploitation.

The writer is the Co-Chair of the Millennium Project Sri Lanka, and a doctoral researcher in AI governance and digital systems

------

The views and opinions expressed in this column are those of the author, and do not necessarily reflect those of this publication


