Director Communication and Publications Institute of National Security Studies Sri Lanka

INSSSL’s Threat Lens on Cyber Security: The Evolving Threat Landscape in Sri Lanka” was held on Thursday, 18th May at the Ministry of Defence with the presence of experts in cyber security and information technology in the country. Representatives from the Ministry of Telecom and Digital Infrastructure, Central Bank of Sri Lanka, Informatics, Sri Lanka CERT, CICRA, and senior officers of the tri forces were invited for the discussion. Secretary Defence, Eng. Karunasena Hettiarachchi Chaired the discussion while Additional Secretary Defence, Mr. R.M. Sarath Kumara were also present.

In the wake of last week’s Ransomware cyber attack using the malicious software WannaCry that created mayhem with more than 200,000 attacks recorded in countries such as UK, Russia, India and China crippling several industries, the Institute of National Security Studies Sri Lanka believed that conducting a discussion among experts on this very relevant topic was of the utmost importance. The main purpose of this forum was to obtain expert views to instigate research that will assist in producing a framework for the country’s potential cyber threat to national security. It is hoped that the framework will provide as assessment mechanism that will enable the Sri Lankan government to determine their cyber security capabilities, set individual goals and establish a plan for improving and maintaining cyber security programs. The framework is also expected to contribute to cyber security awareness and education as it is evident that knowledge is viewed as an important factor that contributes to the cyber threat.

In recent years, Sri Lanka’s greater dependence on critical infrastructure, industrial automation and cyber based control systems has resulted in a growing unforeseen vulnerability to a cyber security threat. Protecting and assuring the availability of critical infrastructure is thus vital to for both the Sri Lankan and South Asian economies. It is therefore crucial that cyber security professionals understand  and have the knowledge to address these issues. INSS’s Director General Asanga Abeyagoonasekera provided an introduction to the day’s theme and its scope whilst the institute’s Research Analyst Ms Priyanka Moonesinghe presented the forum with recent data and statistics with regard to cyber crime. Her presentation focused on what defence strategies and mechanisms can be applied to counter cyber attacks and touched upon a national mechanism; legal mechanisms; an efficient legal framework; as well as intelligence and military mechanisms, the convergence of all of which are required to combat this type of threat.

Several expert views were shared in the discussion that ensued. The fact that a cyber attack can destabilise the whole country including the armed forces, Head of State, a country’s electrical grid, communication systems, media and telecommunication gateways was a point that was highlighted. While Sri Lanka fortunately encountered just one attack from Ransomware, there is a greater possibility that more severe damage could take place in the future as hackers would keep developing new systems that can penetrate any firewall. The most sensible and practical approach to such attacks is by educating users through comprehensive and simple awareness training from user level. It is also important as to how soon an attack can be detected and responded to. There was a suggestion to introduce a national cyber security strategy with inter-agency cooperation and cyber operation command centers. A collaborative effort and an implementation mechanism was recommended as right now in Sri Lanka, different components of cyber security fall under the purview of different ministries. An institute to train youth on this very crucial subject is also of the greatest importance.

On a positive note, it was pointed out that the tri-forces in the country, specifically the Army conducts workshops and sessions on cyber security as it is not believed that this non-traditional threat carries as much security hazards as traditional threats. The fact that implementation of such measures should be top-driven with higher authorities and policy makers making this subject a priority is of paramount importance. Government departments and staff using confidential information that is not secure itself is a threat to security, therefore users themselves and individuals should have adequate knowledge and awareness to be proactive and not just reactive. It was also pointed out that rather than concentrating on external attacks, it is necessary to pay attention to possible internal threats and leaks. Protecting mobile phones as well as computers is of importance in the present day. A suggestion for the government to set up a task force in collaboration with the private sector and formulate an action plan which includes sharing of and disseminating knowledge was well received.

Finally, it was reiterated that every institute should have an ICT policy. The new Counter Terrorism Act proposed by the government to replace the existing Prevention of Terrorism Act consisting sections on cyber terrorism is expected to be implemented in the near future. Thus, the government itself has made this security threat a priority.