Lanka Government Cloud and Sri Lanka’s deepening digital fragility

Neville Lahiru
By Neville Lahiru
11 Min Read

Last week, several e-government services went offline following a technical issue with the Lanka Government Cloud (LGC). The Government of Sri Lanka currently hosts a chunk of its digital infrastructure. The outage impacted critical systems, including:

Contents
What’s Lanka Government Cloud?What went wrong?Redundancies and backupsA recurring issueProtecting the dataThe digital priority questionLanka Government Cloud, data, and eroding trust
  • Birth, Marriage, and Death Certificate System (Registrar General Department)
  • e-Revenue License system (Department of Motor Traffic)
  • Police Clearance System (Department of Police)
  • Country of Origin Certificate Issuance online system (Department of Commerce)
  • Pension system (Department of Pensions)
  • e-Local Government System
  • Department of Meteorology website
  • Registrar of Companies website
  • Sri Lanka Accounting and Auditing Standards Board website
  • ICTA website

The outcome was that Sri Lankans had to rely on manual services, resulting in long queues at government offices. For some, this also meant traveling across the country to access these services.

What’s Lanka Government Cloud?

The Lanka Government Network’s origins, where LGC is a part of, date back as far as the ICTA itself. In 2009, ICTA had reportedly connected 325 locations as part of LGN’s physical network. It also launched Lanka Gate, its flagship software infrastructure at the time.

By 2012, the Government of Sri Lanka soft-launched “Lanka Cloud” as an extension of the project. LGN officially came under the Lanka Government Information Infrastructure. It was mandated with the “management and maintenance of the institutional infrastructure of the Government of Sri Lanka”. ICTA stated the Lanka Cloud setup was designed to create over 150 servers (VMWare virtualization).

The Government of Sri Lanka launching the upgraded Lanka Government Cloud (LGN 2.0)
Government of Sri Lanka launching Lanka Government Network 2.0

In 2018, the platform was upgraded and relaunched as LGC 2.0/LGN 2.0. It moved from a private cloud to a hybrid cloud model. The idea was that an open-source platform like OpenStack would be scalable and more efficient than the previous VMWare platform. Additionally, LGC 2.0 aims to set the foundation for more recent, large-scale projects like Sri Lanka Unique Digital Identity (SL-UDI) and National Data Exchange (NDX).

What went wrong?

Following the outage, ICTA issued a statement confirming that an LGC disruption caused several e-government services to crash. The Ministry of Digital Economy says an LGN capacity limit caused the disruption. The statement further pointed out that LGC is undergoing expansion throughout October, aiming to address capacity and operational constraints.

These capacity issues aren’t new to the government cloud platform. In fact, LGC 2.0 maxxed out its resource utilization by mid-2022 and was unable to expand its resources owing to the economic crisis at the time.

The ICTA statement on the recent Lanka Government Cloud outage and the impacted government services.

However, a report from The Examiner points the actual reason to a system migration issue. The current system is being migrated to a managed cloud setup, which the government contracted to SLT in May. The report further states that the contracts of the providers for the old system weren’t extended for months leading up to the outage. This made these services unavailable during the migration.

SLT itself has been iffy about its relationship with the LGN project. Despite providing critical infrastructure for years, the ISP has gone as far as to state that it doesn’t provide any hosting services to Lanka Government Cloud. In 2016, SLT was selected to provide a high-speed optical fiber communications network for LGN as part of its upgrade to LGN 2.0. The upgrade was carried out over two years, at LKR 12.7 billion.

Redundancies and backups

At the time, the government also gave SLT the green light to negotiate with other service providers to facilitate infrastructure support for LGN 2.0. While there were attempts at a split-managed cloud between SLT and Dialog later on, the plans reportedly never materialized.

Additionally, the nature of government digital procurements meant ICTA itself owned and managed the servers, set up at SLT’s Internet Data Centre in Pitipana.

It doesn’t help that LGC seemingly has no effective backups in place either. Disaster recovery plans are a critical part of data-centric infrastructure, particularly at the scale of LGC. But despite multiple calls on the need for backups by the government, ranging from ICTA meeting minutes to bidding documents, the outage only proved the poor state of LGC’s overall disaster recovery plan.

A recurring issue

Unfortunately, this isn’t the first time an LGN issue has impacted Sri Lanka’s e-government services. The Foreign Ministry’s Electronic Document Attestation System has failed at least twice over the past five years. The e-Revenue License system has suffered a similar fate multiple times, with the portal crashing even after a system upgrade.

In 2021, LGC was also caught up in the NMRA controversy. Terabytes of pharmaceutical companies’ data to the National Medicines Regulatory Authority (NMRA) went missing from LGC servers.

Two years later, a ransomware attack impacted all of LGN’s gov.lk emails, losing months of government emails with no backups. ICTA CEO Mahesh Perera stated that no backups were available at the time owing to administrative problems.

Then there’s the security problem. Sri Lanka’s government websites are infamous for suffering cybersecurity attacks, whether due to operating without SSL certificates or being left vulnerable enough for teenagers to deface them. But even when hacks have left hundreds of thousands of personal records compromised, the government has rarely bothered to address the severity of a fundamental problem with its digital infrastructure.

Protecting the data

Ironically, all this comes at a time when the government approved the Personal Data Protection Act amendment bill. The amended bill is to be adopted into law on October 21, following its third reading. The Act was officially passed into law in 2022. But it’s only set to become active once the Data Protection Authority is established and operational.

On paper, this would prompt every organization to comply legally with how personal data is processed and stored. As to how effectively the Act will be enacted, particularly around State Operated Enterprise personal data violations, remains to be seen.

Alongside the Personal Data Protection Act, Sri Lanka is also looking at pushing the cyber security bill into law, though the Ministry of Digital Economy has stated it will be delayed until next year.

The digital priority question

On top of this, the ICTA launched a public consultation on Cloud Policy and Strategy for Sri Lanka early this year. The call comes as the government looks to formulate a regulatory framework for its sovereign cloud strategy.

digital id sri lanka
How will LGC handle the added baggage that comes with a digitalized ID at mass?

The idea is local data storage and governance while allowing global cloud providers to operate under a strong regulatory framework. It proves critical for the government’s more ambitious projects like SL-UDI. “We need a sovereign cloud for the country which can meet all local and international security standards,” says ICTA Director Sanjaya Karunasena about Sri Lanka’s sovereign cloud plans. “We’re currently in discussions with potential parties to establish a mechanism for all qualified local and international players to participate in the cloud setup process”, he further said.

Alongside a national framework for a sovereign cloud, the Government of Sri Lanka has set its eyes on building a superapp. It hopes to streamline fragmented government services and build awareness. The ICTA expects to get through its first phase before the end of 2026.

Lanka Government Cloud, data, and eroding trust

So, it’s worth asking what protection mechanisms are set in place, be it data redundancy or regulatory frameworks. How is the infrastructure managed to ensure smooth operations? Who is held accountable when thousands of citizens are locked out of accessing vital government services? Now, with more government functionalities set to come online, these questions only seem to grow bigger.

Projects like GovPay, Pravesha, and the National Air Quality Network have shown what successful e-government services look like and how effectively they can serve the citizenry. But a digital infrastructure that keeps glitching at critical levels not only undermines these successes but also puts the spotlight on the government’s misguided digital priorities.

More importantly, incidents like the LGC outage inconvenience citizens at large and erode whatever trust the government is trying to build with its digitalization plans.

After all, what does it say about a country’s digital infrastructure where critical government services go offline due to poor administrative practices? What does it say about a country with ambitions of a digitalized future that includes digital ID and AI, but fails to build reliable and functioning systems? What does it say about a country that refuses to take accountability for its digital failings beyond just an online statement?

TAGGED:
Share This Article
Previous Article An excavated skeletal remains at the Chemmani mass grave Chemmani: Technology’s pursuit of accountability for war crimes in Sri Lanka
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings