Neville Lahiru
At the 8th edition of the annual Cyber Security Summit, Director General at TRCSL Oshada Senanayake commented that over seven million devices in Sri Lanka are already infected by some form of ransomware. The Director General made these comments as Sri Lanka gets ready for 5G while more connected devices join the internet.
It’s no secret that Sri Lanka doesn’t top the list of cybersecurity resilient countries. The past couple of years alone has shown just how unprepared Sri Lanka is as a country, be it a contact tracing app with security vulnerabilities or the LK Domain Registry hack, it’s clear cybersecurity needs to come higher up the priority list at a national level.
Now, as 5G is approaching commercial adoption on the island, the question of Sri Lanka’s cyber readiness has a more daunting answer. Why? Because 5G means more connected devices, bigger infrastructure, and the utilization of technologies such as Software-Defined Networking (SDN) and Network Function Virtualization (NFV). That expands the exposure to cybersecurity threats significantly.
Therefore as per Senanayake, it’s imperative that Sri Lanka “develop a comprehensive national strategy to enhance our cyber readiness.”
What do you mean a comprehensive national strategy?
What does a comprehensive national cybersecurity strategy even look like? Singapore’s cybersecurity strategy 2021 report is a good indication of what that could shape up to be on a high level. Senanayake himself admits that the current institutional setting in Sri Lanka is inadequate to tackle national cyber risks. This ranges from lack of preparedness in responding to cyber incidents to lack of capacity at the government level in handling cybersecurity matters.
As such, building a comprehensive national strategy translates to,
- Developing an institutional framework to define and execute the strategy
- Creating a legal framework to enable enforcement
- Designing a governance model to align cyber priorities across government and private organizations
- Overseeing execution and investing in capacity building strategy that will enable the execution
But strategy means little without proper implementation in place. This is where a National Cybersecurity Agency with the right mandate comes into the picture. Here, the agency would be key in establishing the required legal framework for a nationally inclusive cybersecurity setting.
In the context of 5G Senanayake also pointed out the need for implementing global network security standards in carriers. After all, 5G comes with a whole new set of technologies and infrastructural changes, both physical and digital. Each component of the overall ecosystem requires varying security requirements. Additionally, it presents new security concerns with technologies like SDN and NFV, along with more IoT use-cases.
Wait, what about 4G?
While there’s a lot of consideration for 5G and its potential, 4G will continue to play a pivotal role in markets like Sri Lanka. In fact, as 5G gets commercially implemented the previous generation technologies 2G, 3G, and even 4G will continue to co-exist. Thereby, previous generation vulnerabilities such as geotracking, Denial of Service, or call and SMS interception attacks will still be a problem. In other words, security considerations need to be made for all of these generations of networks while facilitating transition and interworking among them.
This is where frameworks like the Network Equipment Security Assurance Scheme (NESAS) are important. NESAS, defined by 3GPP and GSMA in collaboration, is an industry-wide security assurance framework that’s aimed to improve the security levels across the mobile industry, including 5G. Hence Senanayake’s appeal to implement global network security standards.
Of course in Sri Lanka’s context, it goes a few steps further. The subject of cybersecurity needs to be undertaken by all stakeholders ranging from the government and enterprises down to the individual.
The CERT’s six-area security focus
To this end, the Sri Lanka Cyber Emergency Readiness Team’s (SL CERT) Head of Research, Policy and Projects, Dr. Kanishka Karunasena emphasized that its organization has already identified six key areas for the island’s Information and Cyber Security Strategy for the 2019-2023 period. This includes,
- Establishment of Governance Framework
- Public Private Local-International Partnerships
- Legislation, Policies and Standards
- Awareness and Empowerment of Citizens
- Competent Workforce
- Resilient Digital Government and Infrastructure
This is the basis for the establishment of a Cyber Security Agency (CSA) through the Cyber Security Act. According to Karunasena, the CSA will be the primary institution for all things civilian cybersecurity matters. The Cyber Security Act along with the data protection bill is currently in the process of getting passed to law. Most recently, the data protection bill was approved and published in the parliament gazette.
Going digital and going cybersecurity
While this is an important and healthy direction to go in terms of pushing for a digital future, Sri Lanka has a lot of ground to cover in terms of cybersecurity. Senanayake acknowledged this as he talked about the country’s state of cybersecurity. Though he’s hopeful that Sri Lanka should make it to the top-20 list of cyber resilient countries in the world. As per ITU’s 2020 report, Sri Lanka currently stands at 84 in the Global Cybersecurity Index from over 180 countries. Even within the APAC region, Sri Lanka stands 15th out of 19 countries.
It’s imperative that focus continues to be drawn in this field in a landscape where the APAC region experiences a higher rate of malware and ransomware attacks than the rest of the world. In fact, countries in the APAC region are 80% more likely to be a target for cyber-attacks. Now, with 5G on the horizon, the need for a holistic cybersecurity approach from all stakeholders, including the users is more important than ever.
GIPHY App Key not set. Please check settings