‘Around the globe, digital technologies have evolved into a powerful economic tool that has improved quality of life of citizens and transformed the way that governments, businesses, and citizens connect, engage, and access information and services. Many societies are now dependent on digital technologies which has led these technologies to be considered as a fundamental social infrastructure.
Along with their numerous benefits digital technologies also brings with them numerous cyber threats. The global number of cyber security incidents recorded in 2015 is 59.06 million1. A study estimates that the total annual cost of all data breaches by 2019 will be $2.1 trillion which is almost four times the estimated cost of breaches in 20152. In Sri Lanka, The Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT|CC) has received 3907 cyber security related incidents in 2017, which is a significant increase from 2010.
In this context, we, the government of Sri Lanka, seeks to show our commitment to keep the nation safe, secure and prosperous, by introducing Sri Lanka’s first Information and Cyber Security Strategy which will be implemented over period of five years from 2018 to 2023.Our strategy aims to create a resilient and trusted cyber security ecosystem that will enable le Sri Lanka
Our strategy is underpinned by six pillars:
1. Establishment of a governance framework to implement national information and cyber security strategy
2. Enactment and formulation of legislation, policies, and standards to create a regulatory environment to protect individuals and organizations in the cyber space
3. Development of a skilled and competent workforce to detect, defend and respond to cyber attacks
4. Collaboration with public authorities to ensure that the digital government systems implemented and operated by the them have the appropriate level of cyber security and resilience
5. Raising awareness and empowering citizens to defend themselves against cyber crimes
6. Development of public-private, local-international partnerships to create a robust cyber-security
Thrust # 1: Establishment of the Governance Framework
In 2006, the government of Sri Lanka established Sri Lanka CERT|CC as the single trusted source of advice on the latest threats and vulnerabilities affecting computer systems and networks, charged with the responsibility of providing technical support in responding to and recovering from Cyberattacks. Sri Lanka CERT was established under the Information and Communication Technology Agency (ICTA) of Sri Lanka, and comes under the purview of the Ministry of Telecommunication and Digital Infrastructure.
As the complexity of the cyber security ecosystem increases, the government of Sri Lanka recognizes the necessity of introducing a national information and cyber security strategy to cope with emerging threats. It is a high-level top-down approach to information and cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.
In line with the strategy, a National Information and Cyber Security Agency will be established. The Agency will be responsible for overseeing the implementation of the cyber security strategy, setting national polices, facilitating the protection of critical national infrastructure, educating citizens, building a pioneering technology competent workforce, and promoting industry development
“Our strategy is to establish a powerful agency which oversees the overall implementation of the information and cyber security strategy of Sri Lanka, and to establish specialized subordinate agencies for effectively battling emerging cyber threats”
1.1. Establishment of the National Information and Cyber Security Agency of Sri Lanka (NICSA)
NICSA will be established as the apex institution for all cyber security related affairs in Sri Lanka. The Agency mandate shall be to oversee the implementation of the national information and cyber security strategy.
1.1.1. Agency shall be governed by a high-level committee which comprises of the representatives of Ministries involved in the Defence, Justice, Finance, ICT and Telecommunication, Media, and Public Administration. The Head of the Agency shall represent the National Security Council of Sri Lanka.The agency shall,
1.1.1. Function as the command and control body to promote this strategy and play a leading role in implementing cyber security initiatives set forth in this strategy.
1.1.2. Provide technical support for law enforcement authorities in conducting digital forensic investigations.
1.1.3. Build the capacity of sectoral CERTs and facilitate Sri Lanka CERT|CC to coordinate with sectoral CERTs for sharing incident information, best practices and other security related information.
1.1.4. Provide technical support to government bodies such as Ministries, authorities, boards, corporations etc.
1.1.5. Disseminate emerging cyber threat warnings to all Sri Lankans.
1.1.6. Act as a certification body issuing licenses for firms conducting information security related services.
1.2. Institutions Under the NICSA
1.2.1. We will continue to operate Sri Lanka CERT|CC as the National CERT to protect users in the public and private sector organizations and the general public by providing up-to-date information on potential threats and vulnerabilities and by undertaking computer emergency response handling services.
1.2.2. We will set up a 24 X 7 Cyber Security Call Center with a focus on assisting citizens, government organizations, and private firms to respond to cyber security incidents.
1.2.3. We will set up a National Cyber Alert System with the involvement of Internet Service Providers (ISPs) and Telcos to deliver targeted, timely, and actionable information to Sri Lankans and to educate citizens on how to secure their computer systems.
1.2.4. We will establish a Digital Forensic Lab to conduct digital forensic investigations and examinations in the areas of computer forensics, mobile forensics, audio forensics, video forensics and so forth.
1.2.5. We will establish the National Cyber Security Operating Centre (NCSOC) for monitoring threats to digital government applications, critical information infrastructure, and critical systems of private firms.
1.2.6. We will establish the National Certification Authority (NCA) by addressing the limitations of the existing certificate authorities.
1.2.7. We will establish a Research Unit for developing, coordinating and stimulating continuous research activities in the fields of Strategic Policy Research, Information Security Research, Cyber Security and Technology related research.
1.2.8. We will appoint Chief Security officer positon and Information Security officers for public service (Refer Thrust Area 3).
1.3. Monitoring and Evaluation (M&E) Framework
A comprehensive results based M&E framework will be developed to assess and measure the performance of the outcomes and outputs as a result of the implementation of the strategy.
To be continued.....
Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:
Dr. Kanishka Karunasena,
Research and Policy Development Specialist, Sri Lanka CERT