If you are having trouble viewing this email, click here to view this online



   ISSUE 81

26 April 2018

Article of the Month Around the World


National Information and cyber security strategy

Previously discussed topics:

1. Cyber Security Landscape in Sri Lanka

2. Overview of the National Information and Cyber Security Strategy

The second pillar of the strategy:

Thrust # 2: Legislation, Polices, and Standards

Our Strategy

The number of reported incidents involving cybercrimes against individuals and organization in Sri Lanka is increasing day by day. These include cybercrimes against individuals such as credit card fraud, revenge porn, crimes again property such as worm attacks, hacking, and intellectual property theft, and crimes against governmental and other organizations such as cyber terrorism, hacking of websites, processing of unauthorized information, and hacking into sensitive financial data. To battle cybercrimes against individuals and organizations effectively, it is necessary to enact and formulate appropriate legislation, policies, and standards for ensuring protection of sensitive data, digital transactions, electronic communications, privacy, and freedom of expression in the cyber space.

The government of Sri Lanka has taken a number of steps in this regard such as the introduction of the government security policy (2009) based on ISO 27000, and data sharing policy, and the enactment of relevant legislation such as the Electronic Transactions Act No. 19 of 2006, Payment Devices Frauds Act No 30 of 2006, the Intellectual Property Rights Acts, and Computer Crimes Act No 24 of 2007. Sri Lanka ratified the Budapest Convention on Cybercrime in 2015 and became the first country in South Asia to join this convention. Moreover, a Computer Crimes Division was established in the Criminal Investigation Department of Sri Lanka Police in line with the enactment of Computer Crimes Act.

To further strengthen our regulatory framework to effectively battle emerging cybercrimes, gaps in the existing policies and laws will be identified, and new legislation, policies, and standards will be drafted and implemented to create a secure cyberspace for individuals and organizations.


Our Initiatives

2.1. Introduce a New Cyber Security Act

2.1.1. The government will introduce a new Cybersecurity Act for the establishment of the NICSA and for equipping the agency with the necessary powers to effectively address increasingly sophisticated threats to the nation 2007. The existing Computer Crimes Act is inadequate for addressing modern day cybercrimes.

2.2. Data Protection and Privacy Laws, and Data Sharing Policy

2.2.1. Currently, the number of cases on stealing customer data is on the rise. However, Sri Lanka lacks appropriate laws to protect customer data. We will, therefore, introduce a data privacy and protection law which governs the collection, use, and disclosure of citizens� personal data by government and private sector organizations.

2.2.2. Through this act, we will ensure that all government organizations and private sector firms which maintain citizens� data have adequate security controls in place and make them liable for privacy violations.

2.2.3. We will also introduce a data sharing policy for government organizations

2.3. Baseline Security Standards

We will facilitate the Sri Lanka Standards Institute to develop baseline information and cyber security standards for information systems, hardware, and software applications.

2.4. Critical Infrastructure Protection Policy

We will introduce Critical Infrastructure Protection Policy which will identify and declare infrastructure as critical infrastructure and provide measures necessary for protecting, safeguarding and increasing resilience of critical infrastructure.

2.5. Information Security Policy

We will facilitate organizations to develop security policies based on the maturity of their information systems. The information security policy of each organization shall be developed aligning with international standards.

To be continued.....

Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:



Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT|CC

























1 Statistics on the Internet growth in Sri Lanka
2.The Dragon Research Group (DRG)
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
4.Shadowserver Foundation
5. Team Cymru

  RSA 2018: IoT security comes of age


"...The Internet of Things (IoT) has long been a game of rush-to-market, with production speed trumping security in the stampede. Now, with a swarm of devices � often under-defended � the RSA show floor is rife with vendors aiming to help secure it all.

Securing millions of non-standard devices as disparate as home thermometers, smart TVs and cars is no trivial task. It is somewhat simpler if they have simple stripped down embedded processors, but often they contain full-fledged and powerful network-connected operating systems, with all the security problems those present...."


How many threats hit the mainframe? No one really knows


"...Mainframes are the definition of mission-critical for countless businesses. Mainframes can run 1.1 million transactions per second and are at the core of the technology strategies within the worldwide financial markets. In 2017, IBM launched a new mainframe capable of running 12 billion encrypted transactions a day....."

  Hackers Figured Out a Way to Demand Ransom Without Sending Email


'...Security researchers noticed a new twist in a recent spate of distributed denial-of-service attacks�when servers are overwhelmed to knock a site or service offline.

This rash of incidents, known as memcached reflection attacks, have included ransom demands hidden within the attack payload, internet services company Akamai researchers revealed in a blog post Friday. ....'




'...Millions of apps leak personal identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers......'



'....Two advanced persistent threat groups managed to sneak apps onto the Google Play marketplace earlier this year. Both were designed to conduct surveillance on targets located in the Middle East region, according to Lookout security researchers.....'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in March 2018
  Statistics - Sri Lanka CERT|CC

Safe Browsing Now On by Default on Android

'...The Drupal core updates, scheduled for April 25 between 16:00 and 18:00 UTC, will deliver a follow-up patch for the highly critical vulnerability tracked as CVE-2018-7600 and dubbed �Drupalgeddon2.�...'

10 Things You Should Know About Deep Learning

"...Deep learning burst onto the public consciousness in 2016 when Google�s AlphaGo software, which was based on deep learning, beat the human world champion at the board game Go. Since then, deep learning has begun appearing in news reports and product literature with more frequency, but few organizations are actually using it today.... .."
Facebook shuffle brings a new head of US policy and chief privacy officer

�...Trying times in Menlo Park, it seems: Amid assaults from all quarters largely focused on privacy, Facebook is shifting some upper management around to better defend itself. Its head of policy in the U.S., Erin Egan, is returning to her chief privacy officer role, and a VP (and former FCC chairman) is taking her spot, at least temporarily.....�
Lawsuit Over Government�s Kaspersky Ban Hits A Turning Point

."...Kaspersky�s legal battles against the U.S. government could be hurtling toward a conclusion or a tipping point after legal filings last week.

The government filed documents April 16 that mark an end to the first phase of legal briefings in two separate cases in which the Russian anti-virus provider is challenging the federal government�s efforts to ban it from federal contracts. ...."

Notice Board

Training and Awareness Programmes - April  2018


Brought to you by: