Cybersecurity and its stepmotherly treatment in Sri Lanka
By Imesh Ranasinghe
We have all come across cyber attacks and hacks of government websites, or even of the social media accounts of people we know, but it is a human trait not to take anything that is shocking the world seriously until it happens to oneself.
You might not understand the value of your personal data until it’s breached. You might think you are an ordinary person and certainly not a VIP, but cybercriminals could use your data to cover up their real identities, which will put you in trouble. Globally, cybersecurity is taken as a serious matter, as predictions for losses from cybercrimes reached the $1 trillion mark in 2020 with the Covid-19 pandemic.
What is a cyber attack?
A cyber attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks. The most common types of cyber attacks are:
- Malware: It is a type of application that can perform a variety of malicious tasks. Some strains of malware are designed to create persistent access to a network, some are designed to spy on the user in order to obtain credentials or other valuable data, while some are simply designed to cause disruption
- Phishing: It is where the attacker tries to trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details, intellectual property, and so on
- Man-in-the-middle attack (MITM): It is where an attacker intercepts the communication between two parties in an attempt to spy on the victims, steal personal information or credentials, or perhaps alter the conversation in some way
- Distributed Denial-of-Service (DDoS) attack: It is an attack where an attacker essentially floods a target server with traffic in an attempt to disrupt, and perhaps even bring down the target. However, unlike traditional denial-of-service attacks, which most sophisticated firewalls can detect and respond to, a DDoS attack is able to leverage multiple compromised devices to bombard the target with traffic
Cyber attacks in Sri Lanka
Sri Lanka was identified as a soft target for cybercriminals by the Microsoft Security Intelligence Report for 2019 as Sri Lanka was continuously subjected to cyber attacks annually on the Independence Day and Victory Day on 18 May for the past few years.
On Victory Day 2020, the website of the Chinese Embassy in Sri Lanka and the website of the Cabinet of Ministers were victims of a cyber attack, while a leading news website was also breached.
On the same day in 2021, the websites of the Health Ministry, Sri Lankan Embassy in China, Energy Ministry and the Rajarata University came under a cyber attack. Both these attacks were launched by a group named Tamil Eelam Cyber Force.
A report from Sri Lanka Computer Emergency Readiness Team (SLCERT) revealed that websites belonging to Sri Lanka Police, Health Ministry, the Ceylon Electricity Board, the Hector Kobbekaduwa Agrarian Research and Training Institute, and the Southern Provincial Council were subjected to cyber attacks by a group of Turkish hackers on five different occasions between 5 February and 5 May in 2021.
Also in February 2021, after Independence Day, the LK domain registry was hacked and all the .lk domain sites were redirected to a site titled “Really Freedom?”, where photographs and content criticising the Sri Lankan Government and raising concerns of estate workers, human rights and media freedom, and Tamil political prisoners, among other issues, were displayed.
Cybersecurity in Sri Lanka
Speaking to The Sunday Morning Business, Asela Waidyalankara, a cybersecurity consultant who has been in the field since 2015, said that cybersecurity in Sri Lanka has matured over the past five years simply because companies are moving to digital, while the pandemic has really fast-forwarded that process.
He said a lot of organisations in Sri Lanka have faced cyberattacks that affected their operations, which he and his team have professionally dealt with.
“I know companies that were hit by ransomware where they were out for about a week as certain business functions were not available,” he said.
Cyberattacks are a continuing thing as part of a global trend which has increased by 200-300% over the years, especially because ransomware has really taken off.
This is partially because the value of Bitcoin is rising and because it is very easy for cybercriminals to get the ransom money in bitcoins.
He noted that ransomware is now established as a service for which an individual doesn’t need any technical knowledge: an individual can simply go to some of these sites and direct a criminal enterprise to target an institution, and the individual is also given a cut of the ransom money.
“That is how matured cybercrimes are now, and the manner in which these types of attacks have become. No longer do we think of them as single guys operating out of the basement doing these attacks, that is not the case anymore, it is very sophisticated and very organised,” Waidyalankara said.
Private sector of Sri Lanka
Waidyalankara said that the private sector has been looking at digitisation anyway as something that is necessary; when the pandemic hit, they realised these plans have to be fast-forwarded, and certainly big listed companies have been going ahead with it. Traditionally, he said, cybersecurity is allocated as a portion of the IT budget in the companies.
“So, we always see cybersecurity seen as an afterthought security, only once an incident happens then you spend money sometimes 10 times or 15 times more than what you have allocated to mitigate the incident,” he explained.
He said in 2020, Sri Lanka Telecom was part of the attack while a big garment manufacturer in Sri Lanka was also attacked.
On 25 May 2020, a section of internal servers at Sri Lanka Telecom was subjected to a cyberattack.
As cybersecurity professionals in Sri Lanka, he said they want cybersecurity to be seen as a prevention and not something that is dealt with after an incident happens.
“Still in Sri Lanka corporates view cybersecurity as something the IT division should handle but it’s not,” he added.
He said discussions about the cybersecurity of a company should happen at the board level and not at the IT division.
Moreover, he said at the recent G7 summit, cybersecurity and ransomware attacks were among the top things on the agenda that were discussed because the US suffered the Colonial Pipeline attack where half of the west coast did not have gas for a week.
“This is the level cybersecurity is at globally,” he added.
Talks about a Cybersecurity Act have been under way in Sri Lanka since 2017, and when President Gotabaya Rajapaksa took office in 2019, the Ministry of Defence started working on the bill along with a National Cybersecurity Strategy.
However, the bill has not yet been presented to the Parliament after almost two years.
Waidyalankara said Sri Lanka needs a Cybersecurity Agency which will provide policy, direction, etc. for cybersecurity in Sri Lanka.
When contacted by The Sunday Morning Business, Ravindu Meegasmulla, Information Security Engineer at SLCERT, said that the Cybersecurity Bill will be tabled in Parliament before the end of the year, while the Act once passed will create a Cybersecurity agency under which SLCERT will serve.
However, even if an Act is passed, Waidyalankara said that cybersecurity should be given the urgency and the attention it requires.
He said the World Economic Forum (WEF) considers cybersecurity one of the top 10 things that are important for the next decade.
But Sri Lanka has failed to see that, he said; although certain organisations are initiating discussions about cybersecurity, discussions should also happen at Presidential and Cabinet level.
Further, he said that it is likely that, through the Cybersecurity Act, each state entity will be asked to appoint a Chief Information Officer or a Cybersecurity person.
“But the law and the acts can do so much, it is only when you get the attention of the top there will be meaningful change,” he further added.
He noted that each individual should personally be aware of their online security, as most of the important things such as education, work and financial transactions are now done online.
“So you also must have some sort of awareness of your security, of your details and your personal data,” he said.
He added that a lot of people suffer financial loss or harm because they haven’t taken the necessary cybersecurity precautions in their personal lives.
Waidyalankara said all three stakeholders, government, private sector and people, need to focus on cybersecurity, as neglecting it could lead the country to a bigger disaster.
“This is why we keep on saying this is an issue that requires focus, priority and bigger national level discussion and this is what we need to do. Personally this is something that your family should also be discussing,” he said.
Role of SLCERT
Waidyalankara said SLCERT, which was created in 2006 as a proactive measure, is currently doing more than it was originally mandated to do.
From taking social media complaints and looking into cyberbullying and harassment to monitoring national level threats, the scope of SLCERT has increased over the years.
He said SLCERT is a very small team and, being a Government agency, they are not up to private sector level payments, as cybersecurity skills are one of the world’s most sought after skills.
Moreover, he said detecting and flagging cybersecurity attacks takes a lot of technology and training.
“The question we must ask is that are they equipped with the technology, the people and the processors to handle such a load,” he said.
He added that for a cybersecurity company, training their staff is one of the biggest challenges the company faces.
“In the last two years, if you look at the numbers of social media complaints, they are two or three times more than what they usually deal with. On top of that we see a lot of things getting digitised, like birth and death certificates and the vaccination programme. At the rate we are digitising them, the question is are we securing them also?” questioned Waidyalankara.
Speaking about SLCERT, Meegasmulla said that roles played by them include doing awareness programmes to educate people about cybersecurity, taking social media complaints, assessing and auditing the security of government websites and applications, providing technical support to Criminal Investigation Department (CID) and being on the expert panel mentioned in the Payment Devices Fraud Act.
Further, he said SLCERT has established the National Cybersecurity Operational Centre with required software and hardware while a separate staff was recruited for the centre.
He said this was in line with the five year National Cybersecurity Strategy adopted by the Government.
Meegasmulla said that, as its next objective, the newly established centre will try to identify places where the Government’s critical information is stored and connect them to the centre.
Through this, he said, the centre will be able to monitor traffic coming into and going out of the country’s network, to identify whether the locations the traffic is coming from or going to were previously reported as suspicious or malicious.
“Through this we can identify such patterns and get a visibility of the network in Sri Lanka,” he said.
However, he said SLCERT will not have access to the information that is flowing through the traffic. According to him, SLCERT had received 8,600 complaints for the first six months of 2021, out of which 75% are social media issues.
He said SLCERT refers most of the social media complaints which require legal attention to the CID, while the technical support required for the others is provided by SLCERT.
He added that with the Covid-19 pandemic, the number of complaints has gone up as most people are engaging with the digital world more.
How people should manage their digital accounts
The management of passwords is a hard skill that only a few have mastered, as every individual has several digital accounts, from social media to other platforms.
When using a different password for each and every account, it’s common that many forget their passwords and often reset them again and again when logging into accounts.
Waidyalankara said people use the same password for all their accounts because it is convenient for them. “This happens to security researchers also as they keep on using the same password all over the place, but there is a danger in that,” he added.
He said the haveibeenpwned.com website allows users to identify how many times their email address data has been breached.
Anyone can visit this website, enter their email address in the bar and check how many times their email address data has been breached.
In such a scenario, he said, if the email address data has been breached and you have one password for all your accounts, it means all of your accounts have been breached.
“So, it is important to have a unique password for each service but being human, it’s in our nature to forget, and especially if you are a professional who is on the go and cannot keep track of your passwords. It is recommended to use a verified password manager,” he said.
A password manager is a service which creates a very long and complex password for each service and keeps it stored in a secure location with you and you have to remember only one password, that is the password to the password manager.
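The reuse risk and the password-manager remedy described above can be seen in a short Python sketch. This is an added example, not code from the article or from any password manager; the service names and passwords in `SAMPLE_VAULT` are constructed, and all function names are hypothetical.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def generate_password(length=24):
    """Long random password from a CSPRNG, as a password manager would create."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def reuse_groups(vault):
    """Groups of services sharing one password (compared by SHA-256 fingerprint,
    so the report never has to carry the plaintext)."""
    groups = defaultdict(list)
    for service, password in vault.items():
        fingerprint = hashlib.sha256(password.encode()).hexdigest()
        groups[fingerprint].append(service)
    return [sorted(services) for services in groups.values() if len(services) > 1]

def exposed_by_breach(vault, breached_service):
    """Every account that opens with the password leaked from one service."""
    leaked = vault[breached_service]
    return sorted(s for s, p in vault.items() if p == leaked)

def rotate_reused(vault):
    """Copy of the vault where each reused password is replaced by a unique one."""
    reused = {s for group in reuse_groups(vault) for s in group}
    return {s: (generate_password() if s in reused else p) for s, p in vault.items()}

# Constructed sample vault: service names and passwords are made up.
SAMPLE_VAULT = {
    "email": "Colombo@2021",
    "bank": "Colombo@2021",
    "social": "Colombo@2021",
    "shopping": "x7#Lq9!vTz2p",
}

if __name__ == "__main__":
    print("before:", exposed_by_breach(SAMPLE_VAULT, "social"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("after: ", exposed_by_breach(fixed, "social"))
```

With the shared password, a breach of the one "social" account exposes the email and bank accounts as well; after rotation the same breach exposes only the breached account.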
Two Factor Authentication (2FA)
“We have a theory in security, something that’s with you, something you have and something that’s yours,” Waidyalankara said.
This theory is used for Two Factor Authentication and Multi Factor Authentication, which people turn to when they realise that having a password is not enough for their security.
“So something that you know is your password, something that you have could be a security token, a key or something with you all the time could be your biometric,” he added.
2FA is a very simple, additional layer of security, and it is used to provide protection from hackers using ‘Password Dictionaries’, a tool with all the combinations for existing passwords and default passwords, which allows them to get the password to your account.
In 2FA, once the password is entered to log in to an account, the service sends a five or six digit code to the phone connected to the account as the next step, and this code must also be entered to log in.
But make sure that the 2FA code is sent to a number you’re currently using and not one you no longer use, as numbers get recycled by network providers and go to another person.
Waidyalankara said that no matter how well you do it, cybersecurity will only mitigate the risk of a cyber attack and not stop it.
“A lot of Sri Lankan companies ask the question ‘if we do this or buy this can we not get hacked’, I said ‘no, you can get hacked but you are getting yourself an additional layer of protection and because of that you won’t fall prey to basic things’,” he said.
He said that companies are starting to realise that cybersecurity or cybercrime actually has an impact on their operation and their brand name.
He said most of the cyberattacks they have dealt with in Sri Lanka had come from outside the country, and it is very rare that attacks come from within Sri Lanka, as there is some sort of law enforcement mechanism on computer crimes.
“If we see something within the country mostly, it’s an employee or disgruntled employee within the organisation trying to cause damage,” he explained.