ISSUE 82

31 May 2018

Article of the Month

Around the World


National Information and Cyber Security Strategy

Thrust #3: Development of a Competent Workforce

Previously discussed topics:

1. Cyber Security Landscape in Sri Lanka

2. Overview of the National Information and Cyber Security Strategy

3. Thrust #2: Legislation, Policies, and Standards

The third pillar of the strategy:

Our Strategy

Cyber-attacks and the disruptions to information systems caused by these attacks are increasing exponentially. In this context, it is necessary to ensure the availability of a cadre of knowledgeable and highly skilled professionals in the field of information and cyber security domain to protect, detect, defend and respond to these cyber-attacks.

"Our strategy is to create a virtuous circle of supply and demand of information and cyber security experts through continuous assessment of the gap between the supply and demand of cyber professionals, increasing learning opportunities to capitalize on cyber security knowledge, and educating youth for building a pool of future cybersecurity professionals."

In 2016, a skills gap analysis from ISACA estimated a global shortage of 2 million cybersecurity professionals by 2019. As per the GCI, Sri Lanka needs to expend much effort on building overall human resource capacity to combat emerging cyber threats. In Sri Lanka, to date, there is a distinct lack of initiatives to address the domestic shortage of cybersecurity experts. We will, therefore, aim to implement appropriate strategies to help our workforce gain and maintain the knowledge, skills, experience and technological capabilities needed to work effectively in the cyber environment.

Our Initiatives

3.1. Assess Supply and Demand of Professionals

We will conduct a national level survey to understand the gap between the supply of information and cybersecurity professionals and demand from the industry for such professionals in Sri Lanka. Such an analysis is important for NICSA to formulate appropriate strategies and policies to fill the supply and demand gap.

3.2. Competency Framework

3.2.1. We will develop a National Information and Cyber Security Competency Framework which outlines the core competencies that both the government and private sector should possess to work effectively in the cyber environment. In developing the framework, the cadre structure of the public service and private sector will be taken into account.

3.2.2. We will work with Tertiary and Vocational Education Commission to develop National Vocational Qualification (NVQ) standards for various disciplines in the Information and Cyber Security domain. The proposed National Information and Cyber Security Competency Framework shall comply with the NVQ Standards and Professional Qualification Standards as defined by International Standardization bodies.

3.3. Up-Skilling and Re-Skilling Opportunities for Public Sector Staff

A minimum NVQ standard will be introduced as a qualification requirement for each layer of staff in the Information Technology service, and in other services who are involved with ICT initiatives.

3.3.1. We will also facilitate the organizing of special training courses (based on NVQ Standards) for the staff of agencies maintaining critical infrastructure, agencies dealing with most vulnerable communities in our society, law enforcement authorities, Tri-forces and the Intelligence Services.

3.3.2. As per the Information and Cyber Security Competency Framework, we will roll out an information and cyber security training program for staff at grassroots-level organizations in the public service across the country.

3.3.3. We will offer scholarships for public sector staff to undertake specialized postgraduate degrees and to take up professional courses in this domain.

3.3.4. We will include information and cyber security in the Confidence and Efficiency Bar exams in the public service.

3.4. Expanding Tertiary and Vocational Education

3.4.1. We will facilitate local universities, vocational training institutes, and private educational service providers to introduce industry oriented diplomas, undergraduate and post graduate programs to provide learning opportunities to students to develop a solid foundation in both theory and practice of information security to advance their practical cybersecurity skills.

3.4.2. We will facilitate private professional entities/accreditation institutes to award professional qualifications in this domain.

3.5. Training Infrastructure across the Country

3.5.1. We will facilitate private firms to develop information and cyber security training infrastructure across the country by way of public private partnership arrangements.

3.5.2. We will empower government training institutes (e.g. Sri Lanka Institute of Development Administration, Sri Lanka Institute of Local Governance, Miloda) to conduct information and cyber security training for government staff.

3.6. e-Learning Modules

We will encourage the Distance Learning Centre (DLC) to design and deliver e-learning modules on Information and Cyber Security which government staff can take up upon their convenience.

3.7. Opportunities for Government Staff to Attend International Conferences

Continuous participation and contribution to international conferences on information security is essential to state our position and deepen communications with various actors around the world. We recognize that participation at such conferences would not only help to capitalize on cybersecurity expertise knowledge but also to build networks with cyber security professionals from around the globe. Through our international partnerships and the External Resource Department of Sri Lanka, we will seek such opportunities for Chief Innovation Officers (CIOs) and Chief Information Security Officers of the public service.

3.8. Future Career Paths

3.8.1. We will advocate for inclusion of information and cyber security into the school curriculum with the aim of creating a talented pool of cyber security professionals in future.

3.8.2. We will facilitate career guidance workshops at schools across the country to raise awareness of the emerging career opportunities in this domain. Students who are completing GCE A/L shall be the target group.

3.8.3. Women are globally underrepresented in the cybersecurity profession. Globally their share is 11%, much lower than the representation of women in the overall global workforce.

[Figure: Women in Cybersecurity Workforce (Asia Pacific Region)]

Special attention will be given to creating an interest in cybersecurity among female school students, as there is inadequate participation of women in this domain.


To be continued...

Invitation to Public Comments on the Cyber Security Strategy. Please add your thoughts here:



Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT|CC


'Facebook takes data from my phone - but I don't have an account!'


"...Anyone who uses the Facebook phone app knows what a toll it can take both on your mobile data and free time to be plugged into the social network through your device.

But what happens if you don't even have an account, you can't remove the app, and the social network won't leave you alone?..."


Amazon banning shoppers who return items too often


"...Amazon's flexible return policy may not be as risk free as you think.

The company bans shoppers for violations, which include returning items too often, according to The Wall Street Journal. Some users aren't told what they did wrong.

Amazon boasts free and easy returns for many of its items, which has pushed many brick-and-mortar stores to offer the same policies as they struggle to compete with the e-commerce giant. But it turns out Amazon's return policies may come at a price. ...."

  Trump's mobile phone security questioned


'...It's a familiar, and disheartening, refrain to most cybersecurity pros when smartphone users reject stringent security features because they're just "too inconvenient." But when it's repeated by the president of the United States, as allegedly was recently the case, it sets alarm bells clanging....'

Cryptocurrency web mining: In union there is profit



'...In the last months, we stumbled upon some JavaScript files apparently used to mine cryptocurrencies directly within the browser. For a long time now, cybercriminals have taken advantage of cryptocurrency mining in order to make a profit. However, they generally use malware or potentially unwanted applications they install on the victim's machine in order to turn a dishonest penny.....'



'....Adobe has fixed several critical vulnerabilities - including a critical code execution bug in Adobe Flash Player - as part of its regularly scheduled May Security Bulletin, on Tuesday.

In all, Adobe released patches for five critical and important vulnerabilities spanning Creative Cloud, Adobe Flash Player and web conferencing software tool Adobe Connect. For all of these bugs, Adobe said that so far, no exploits have been seen in the wild....'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in April 2018
  Statistics - Sri Lanka CERT|CC

Researchers hack BMW cars, discover 14 vulnerabilities

'...Keen Security Lab researchers have discovered fourteen vulnerabilities affecting a variety of BMW car models.

The flaws could be exploited to gain local and remote access to infotainment (a.k.a. head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles' CAN buses....'

FBI Stands Firm on "Going Dark" Problem While Acknowledging Inflated Data

"...The FBI won't step back from its dire warnings about warrant-proof encryption systems despite acknowledging that officials grossly overstated the number of instances in which encryption stymied an investigation, an official said Wednesday.

FBI officials have been warning since 2014 that warrant-proof encryption systems are allowing terrorists and criminals to "go dark," recruiting and planning operations where the bureau couldn't track them..."

U.S. Digital Service Will Teach You How to Buy the Latest Tech

"...The U.S. Digital Service on Wednesday announced a new training program to help federal acquisition employees update their contracting know-how for the 21st century.

USDS partnered with the Office of Federal Procurement Policy to create the core-plus certification in Contracting for Digital Services, a course aimed at showing feds the ropes of agile development, user-centric design and industry strategies for buying the latest, greatest technologies......"

Waiting for cheaper renewables can cost more in the long run

"...Waiting for the price to come down before switching to a new technology sounds like a frugal decision. But when it comes to a country's electrical grid, what saves you money now could actually cost you much more in the long run. That's the central conclusion of a new study led by Imperial College London's Clara Heuberger. ...."

Notice Board

Training and Awareness Programmes - May 2018


Brought to you by: