VOLUME 81

   ISSUE 81

26 April 2018

Previously discussed topics:

1. Cyber Security Landscape in Sri Lanka

2. Overview of the National Information and Cyber Security Strategy
 

The second pillar of the strategy:

Thrust # 2: Legislation, Polices, and Standards

Our Strategy
 

The number of reported incidents involving cybercrimes against individuals and organization in Sri Lanka is increasing day by day. These include cybercrimes against individuals such as credit card fraud, revenge porn, crimes again property such as worm attacks, hacking, and intellectual property theft, and crimes against governmental and other organizations such as cyber terrorism, hacking of websites, processing of unauthorized information, and hacking into sensitive financial data. To battle cybercrimes against individuals and organizations effectively, it is necessary to enact and formulate appropriate legislation, policies, and standards for ensuring protection of sensitive data, digital transactions, electronic communications, privacy, and freedom of expression in the cyber space.

The government of Sri Lanka has taken a number of steps in this regard such as the introduction of the government security policy (2009) based on ISO 27000, and data sharing policy, and the enactment of relevant legislation such as the Electronic Transactions Act No. 19 of 2006, Payment Devices Frauds Act No 30 of 2006, the Intellectual Property Rights Acts, and Computer Crimes Act No 24 of 2007. Sri Lanka ratified the Budapest Convention on Cybercrime in 2015 and became the first country in South Asia to join this convention. Moreover, a Computer Crimes Division was established in the Criminal Investigation Department of Sri Lanka Police in line with the enactment of Computer Crimes Act.
 

To further strengthen our regulatory framework to effectively battle emerging cybercrimes, gaps in the existing policies and laws will be identified, and new legislation, policies, and standards will be drafted and implemented to create a secure cyberspace for individuals and organizations.

Our Initiatives

2.1. Introduce a New Cyber Security Act

2.1.1. The government will introduce a new Cybersecurity Act for the establishment of the NICSA and for equipping the agency with the necessary powers to effectively address increasingly sophisticated threats to the nation 2007. The existing Computer Crimes Act is inadequate for addressing modern day cybercrimes.

2.2. Data Protection and Privacy Laws, and Data Sharing Policy

2.2.1. Currently, the number of cases on stealing customer data is on the rise. However, Sri Lanka lacks appropriate laws to protect customer data. We will, therefore, introduce a data privacy and protection law which governs the collection, use, and disclosure of citizens� personal data by government and private sector organizations.

2.2.2. Through this act, we will ensure that all government organizations and private sector firms which maintain citizens� data have adequate security controls in place and make them liable for privacy violations.

2.2.3. We will also introduce a data sharing policy for government organizations

2.3. Baseline Security Standards

We will facilitate the Sri Lanka Standards Institute to develop baseline information and cyber security standards for information systems, hardware, and software applications.

2.4. Critical Infrastructure Protection Policy

We will introduce Critical Infrastructure Protection Policy which will identify and declare infrastructure as critical infrastructure and provide measures necessary for protecting, safeguarding and increasing resilience of critical infrastructure.

2.5. Information Security Policy

We will facilitate organizations to develop security policies based on the maturity of their information systems. The information security policy of each organization shall be developed aligning with international standards.
 

To be continued.....

Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:

By:

Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT|CC



 

References

"...The Internet of Things (IoT) has long been a game of rush-to-market, with production speed trumping security in the stampede. Now, with a swarm of devices � often under-defended � the RSA show floor is rife with vendors aiming to help secure it all.

Securing millions of non-standard devices as disparate as home thermometers, smart TVs and cars is no trivial task. It is somewhat simpler if they have simple stripped down embedded processors, but often they contain full-fledged and powerful network-connected operating systems, with all the security problems those present...."

How many threats hit the mainframe? No one really knows

"...Mainframes are the definition of mission-critical for countless businesses. Mainframes can run 1.1 million transactions per second and are at the core of the technology strategies within the worldwide financial markets. In 2017, IBM launched a new mainframe capable of running 12 billion encrypted transactions a day....."

'...Security researchers noticed a new twist in a recent spate of distributed denial-of-service attacks�when servers are overwhelmed to knock a site or service offline.

This rash of incidents, known as memcached reflection attacks, have included ransom demands hidden within the attack payload, internet services company Akamai researchers revealed in a blog post Friday. ....'

MILLIONS OF APPS LEAK PRIVATE USER DATA VIA LEAKY AD SDKS

'...Millions of apps leak personal identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers......'

'....Two advanced persistent threat groups managed to sneak apps onto the Google Play marketplace earlier this year. Both were designed to conduct surveillance on targets located in the Middle East region, according to Lookout security researchers.....'

Training and Awareness Programmes - April  2018